Signing of the ARPA zone

IAB Chair <> Thu, 11 March 2010 12:25 UTC

From: IAB Chair <>
To: IETF Announcement list <>
Subject: Signing of the ARPA zone
Reply-To: Joe Abley <>

I am happy to forward this announcement about DNSSEC deployment on the .ARPA
zone on behalf of Joe Abley, Director DNS Operations at ICANN. Please
reply to him with any specific operational questions you might have.



This is a technical, operational announcement regarding changes to  
the ARPA top-level domain. Apologies in advance for duplicates  
received through different mailing lists.

No specific action is requested of operators. This message is for  
your information only.

The ARPA zone is about to be signed using DNSSEC. The technical  
parameters by which ARPA will be signed are as follows:

KSK Algorithm and Size: 2048 bit RSA
KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
KSK Signature Algorithm: SHA-256
Validity period for signatures made with KSK: 15 days; new  
signatures published every 10 days
ZSK Algorithm and Size: 1024 bit RSA
ZSK Rollover: every 3 months
ZSK Signature Algorithm: SHA-256
Authenticated proof of non-existence: NSEC
Validity period for signatures made with ZSK: 7 days; zone  
generated and re-signed twice per day

The twelve root server operators [1] will begin to serve a signed  
ARPA zone instead of the (current) unsigned ARPA zone during a  
maintenance window which will open at 2010-03-15 0001 UTC and close  
at 2010-03-17 2359 UTC. Individual root server operators will carry  
out their maintenance at times within that window according to  
their own operational preference.

The trust anchor for the ARPA zone will be published in the ITAR  
[2], and in the root zone in the form of a DS record once the root  
zone is signed.

If you have any concerns or require further information, please let  
me know.


Joe Abley
Director DNS Operations, ICANN

[1] <>
[2] <>
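
The signing parameters announced above imply a floor on how much lifetime any published signature should have left, which a resolver operator can monitor. The following is an added example, not part of the original message or of ICANN's tooling: it checks RRSIG records against the announced algorithm and validity periods. The key tags, timestamps and sample records are constructed, and it assumes every signature is regenerated at each re-signing run with inception equal to signing time.

```python
from datetime import datetime, timedelta, timezone

RSASHA256 = 8  # DNSSEC algorithm number for RSA/SHA-256 (RFC 5702)

# Announced policy per key role: (signature validity, re-signing interval).
# 12 hours for the ZSK assumes "twice per day" means evenly spaced runs.
POLICY = {
    "KSK": (timedelta(days=15), timedelta(days=10)),
    "ZSK": (timedelta(days=7), timedelta(hours=12)),
}

def _ts(text):
    """Parse an RRSIG timestamp in YYYYMMDDHHmmSS form (UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsig(line, ksk_tags, now):
    """Return finding codes for one RRSIG record in presentation format."""
    f = line.split()
    i = f.index("RRSIG")  # RDATA fields follow the type mnemonic
    alg, tag = int(f[i + 2]), int(f[i + 7])
    expiration, inception = _ts(f[i + 5]), _ts(f[i + 6])
    validity, resign = POLICY["KSK" if tag in ksk_tags else "ZSK"]
    findings = []
    if alg != RSASHA256:
        findings.append("algorithm")
    if not inception <= now <= expiration:
        findings.append("outside-window")
    if expiration - inception > validity:
        findings.append("validity-too-long")
    # A signature replaced on schedule never has less than validity - resign left.
    if now <= expiration and expiration - now < validity - resign:
        findings.append("stale")
    return findings

# Constructed sample data: key tags, timestamps and signatures are made up.
KSK_TAGS = {11111}
NOW = datetime(2010, 3, 15, 18, 0, tzinfo=timezone.utc)
SAMPLES = {
    "dnskey": "arpa. 86400 IN RRSIG DNSKEY 8 1 86400 20100330000000 20100315000000 11111 arpa. c2ln",
    "soa": "arpa. 86400 IN RRSIG SOA 8 1 86400 20100322120000 20100315120000 22222 arpa. c2ln",
    "stale_ns": "arpa. 172800 IN RRSIG NS 8 1 172800 20100318000000 20100311000000 22222 arpa. c2ln",
    "old_alg": "arpa. 86400 IN RRSIG SOA 5 1 86400 20100322120000 20100315120000 22222 arpa. c2ln",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, check_rrsig(line, KSK_TAGS, NOW) or "ok")
```

A "stale" finding means the record has less than 5 days (KSK) or 6.5 days (ZSK) of validity left, which under the announced schedule indicates a missed re-signing run or a cache serving old data.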