What KSK rollover methodology will be used today?
Hey, everyone Does anyone know what is the method for changing the KSK rollover today? I have tried to look for it in ICNN documents but I unfortunately I could not find it.Also I would appreciate it if someone can send a link for ZSK/KSK rollover future timeline for root zone. Best wishes, Suhayb Alghutaymil
On Oct 11, 2018, at 9:15 AM, Suhayb Alghutaymil via ksk-rollover <ksk-rollover@icann.org<mailto:ksk-rollover@icann.org>> wrote: Does anyone know what is the method for changing the KSK rollover today? I have tried to look for it in ICNN documents but I unfortunately I could not find it. I'm not sure I understand your question about methodology. At 1600 UTC today, 11 October (or shortly thereafter), a root zone will be published with only the "new" KSK (called KSK-2017) signing the root zone's apex DNSKEY RRset. Currently the root zone's apex DNSKEY RRset is signed only with the soon-to-be "old" KSK (called KSK-2010). The publication of this root zone implements the root KSK rollover. Also I would appreciate it if someone can send a link for ZSK/KSK rollover future timeline for root zone. There is currently no timeline for future KSK rollovers. We need to get through the first KSK rollover first. :-) In the future, we expect a lively discussion among the DNS technical community about this topic. Matt -- Matt Larson, VP of Research ICANN Office of the CTO
Matt Larson (matt.larson) writes:
Does anyone know what is the method for changing the KSK rollover today? I have tried to look for it in ICNN documents but I unfortunately I could not find it.
I'm not sure I understand your question about methodology. At 1600 UTC today, 11 October (or shortly thereafter), a root zone will be published with only the "new" KSK (called KSK-2017) signing the root zone's apex DNSKEY RRset. Currently the root zone's apex DNSKEY RRset is signed only with the soon-to-be "old" KSK (called KSK-2010). The publication of this root zone implements the root KSK rollover.
To complement your answer, we can say this is a "pre-publish" type rollover (as opposed to a double signature one) -- if that was what Suhayb was referring to. Cheers, Phil
We created a slack room for people to discuss and chat. https://join.slack.com/t/kapany/shared_invite/enQtNDUwOTIzMDEwODM4LWE5NjNmOW... You can join by clicking the link. This is not affiliated with ICANN nor it's official in any form or shape. It's just few cool nerds hanging out discussing post KSK roll impact On Thu, Oct 11, 2018 at 4:19 AM Phil Regnauld <regnauld@nsrc.org> wrote:
Matt Larson (matt.larson) writes:
Does anyone know what is the method for changing the KSK rollover
today? I have tried to look for it in ICNN documents but I unfortunately I could not find it.
I'm not sure I understand your question about methodology. At 1600 UTC
today, 11 October (or shortly thereafter), a root zone will be published with only the "new" KSK (called KSK-2017) signing the root zone's apex DNSKEY RRset. Currently the root zone's apex DNSKEY RRset is signed only with the soon-to-be "old" KSK (called KSK-2010). The publication of this root zone implements the root KSK rollover.
To complement your answer, we can say this is a "pre-publish" type rollover (as opposed to a double signature one) -- if that was what Suhayb was referring to.
Cheers, Phil _______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover
participants (4)
-
Matt Larson -
Mehmet Akcin -
Phil Regnauld -
Suhayb Alghutaymil