Automated Updates (aka RFC 5011) add-hold for the new root zone KSK expires soon
Looking at my records, the new KSK appeared between 2017-07-11@1305UTC and 2017-07-11@1405UTC. (I run some probes at 5 minutes after the hour.) "30 Days later" means 10 August (not 11 August!). We are less than 24 hours away from that as I write this message (about 20 hours now).
On Aug 9, 2017, at 10:31 AM, Edward Lewis <edward.lewis@icann.org> wrote:
Looking at my records, the new KSK appeared between 2017-07-11@1305UTC and 2017-07-11@1405UTC. (I run some probes at 5 minutes after the hour.)
"30 Days later" means 10 August (not 11 August!). We are less than 24 hours away from that as I write this message (about 20 hours now).
Doesn't the actual time depend on when they grabbed the key? Thus, isn't there a 48-hour window for when other people will have the new key be trusted? Or am I missing something about RFC 5011?
--Paul
On Thu, Aug 10, 2017 at 03:19:42PM +0000, Paul Hoffman wrote:
Doesn't the actual time depend on when they grabbed the key? Thus, isn't there a 48-hour window for when other people will have the new key be trusted? Or am I missing something about RFC 5011?
Correct, it would be 30 days after the first time the key was seen in a refresh query. The root DNSKEY TTL is two days and I believe the refresh query interval is half the TTL, so unlucky timing in a forwarding resolver could delay discovery of a new key up to three days.
--
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
On 9 Aug 2017, at 19:31, Edward Lewis <edward.lewis@icann.org> wrote:
Looking at my records, the new KSK appeared between 2017-07-11@1305UTC and 2017-07-11@1405UTC. (I run some probes at 5 minutes after the hour.)
"30 Days later" means 10 August (not 11 August!). We are less than 24 hours away from that as I write this message (about 20 hours now).
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1502388111 ;;Thu Aug 10 20:01:51 2017
;;last_success: 1502388111 ;;Thu Aug 10 20:01:51 2017
;;next_probe_time: 1502428592 ;;Fri Aug 11 07:16:32 2017
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1418717042 ;;Tue Dec 16 09:04:02 2014
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1502388111 ;;Thu Aug 10 20:01:51 2017
Samples before and after today.

*** 10 Aug 2017 1815 UTC APPEND ***
/usr/local/etc/unbound$ cat root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1502363785 ;;Thu Aug 10 04:16:25 2017
;;last_success: 1502363785 ;;Thu Aug 10 04:16:25 2017
;;next_probe_time: 1502406039 ;;Thu Aug 10 16:00:39 2017
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=65 ;;lastchange=1499788113 ;;Tue Jul 11 08:48:33 2017
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1480379125 ;;Mon Nov 28 16:25:25 2016

*** 11 Aug 2017 0112 UTC ***
/usr/local/etc/unbound$ cat root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1502406039 ;;Thu Aug 10 16:00:39 2017
;;last_success: 1502406039 ;;Thu Aug 10 16:00:39 2017
;;next_probe_time: 1502447443 ;;Fri Aug 11 03:30:43 2017
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1502406039 ;;Thu Aug 10 16:00:39 2017
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1480379125 ;;Mon Nov 28 16:25:25 2016
-----Original Message-----
From: ksk-rollover-bounces@icann.org [mailto:ksk-rollover-bounces@icann.org] On Behalf Of Jakob Schlyter
Sent: Thursday, August 10, 2017 11:03 AM
To: Edward Lewis <edward.lewis@icann.org>
Cc: ksk-rollover@icann.org
Subject: Re: [ksk-rollover] Automated Updates (aka RFC 5011) add-hold for the new root zone KSK expires soon
On 9 Aug 2017, at 19:31, Edward Lewis <edward.lewis@icann.org> wrote:
Looking at my records, the new KSK appeared between 2017-07-11@1305UTC and 2017-07-11@1405UTC. (I run some probes at 5 minutes after the hour.)
"30 Days later" means 10 August (not 11 August!). We are less than 24 hours away from that as I write this message (about 20 hours now).
Richard Lamb writes:
Samples before and after today.
Same result over here (using a standard release via the FreeBSD ports system). And while we are at it, FreeBSD uses unbound in the base system. The latest version already had the trust anchors in and I assume (but didn't test) that older systems should do the 5011 roll out of the box.
jaap
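The timing discussed earlier in the thread (30 days after the key is first seen) and the ADDPEND to VALID change in the two root.key samples can be checked mechanically. The following is an added example, not code from the thread or from Unbound: it parses the autotrust file format shown above and applies a simplified model (hold-down ends 30 days after lastchange, promotion at the next scheduled probe). The sample text is abridged from the posted files, with the key material replaced by the placeholder PLACEHOLDER=.

```python
import re
from dataclasses import dataclass

ADD_HOLD_DOWN = 30 * 86400  # RFC 5011 add hold-down time: 30 days, in seconds

META_RE = re.compile(r";;(\w+):\s*(\d+)")
KEY_RE = re.compile(
    r"\{id = (\d+) \(ksk\), size = \d+b\}\s*;;state=\d+ \[\s*(\w+)\s*\]"
    r"\s*;;count=(\d+)\s*;;lastchange=(\d+)"
)

# Abridged from the two samples in the thread: timestamps, key ids and states
# are the posted ones; PLACEHOLDER= stands in for the public key material.
BEFORE = """\
; autotrust trust anchor file
;;next_probe_time: 1502406039 ;;Thu Aug 10 16:00:39 2017
;;query_interval: 43200
. 172800 IN DNSKEY 257 3 8 PLACEHOLDER= ;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=65 ;;lastchange=1499788113 ;;Tue Jul 11 08:48:33 2017
. 172800 IN DNSKEY 257 3 8 PLACEHOLDER= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1480379125 ;;Mon Nov 28 16:25:25 2016
"""
AFTER = """\
; autotrust trust anchor file
;;next_probe_time: 1502447443 ;;Fri Aug 11 03:30:43 2017
;;query_interval: 43200
. 172800 IN DNSKEY 257 3 8 PLACEHOLDER= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1502406039 ;;Thu Aug 10 16:00:39 2017
. 172800 IN DNSKEY 257 3 8 PLACEHOLDER= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1480379125 ;;Mon Nov 28 16:25:25 2016
"""


@dataclass
class Anchor:
    key_id: int
    state: str
    count: int
    lastchange: int  # epoch seconds of the last state change


def parse_autotrust(text):
    """Return (header fields, anchors); also works on flattened text."""
    meta = {name: int(value) for name, value in META_RE.findall(text)}
    keys = [Anchor(int(m[1]), m[2], int(m[3]), int(m[4])) for m in KEY_RE.finditer(text)]
    return meta, keys


def hold_down_expiry(key):
    """Earliest epoch at which an ADDPEND key may become trusted, else None."""
    return key.lastchange + ADD_HOLD_DOWN if key.state == "ADDPEND" else None


def predicted_promotion(meta, key):
    """First scheduled probe at or after the expiry (simplified model)."""
    expiry = hold_down_expiry(key)
    if expiry is None:
        return None
    probe = meta["next_probe_time"]
    while probe < expiry:  # assumption: later probes are evenly spaced
        probe += meta["query_interval"]
    return probe


def observed_change(text, key_id):
    """lastchange recorded for key_id in a later copy of the file."""
    return next(k.lastchange for k in parse_autotrust(text)[1] if k.key_id == key_id)
```

For key 20326 the predicted promotion time equals the lastchange value recorded in the second sample, which is the probe listed as next_probe_time in the first.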
My servers picked it up - a BIND 9.9.5-3ubuntu0.13-Ubuntu and an Unbound 1.5.8.
I couldn't check on my Aug 10 (an eye exam related issue), but when I woke up Aug 11 they were caught up.
On 8/10/17, 22:20, "Richard Lamb" <richard.lamb@icann.org> wrote:
Samples before and after today.
I checked and all the Unbound servers my employer operates have accepted the new KSK as trusted.
My personal ones as well.
Olafur
On Fri, Aug 11, 2017 at 8:00 AM, Edward Lewis <edward.lewis@icann.org> wrote:
My servers picked it up - a BIND 9.9.5-3ubuntu0.13-Ubuntu and an Unbound 1.5.8.
I couldn't check on my Aug 10 (an eye exam related issue), but when I woke up Aug 11 they were caught up.
On 8/10/17, 22:20, "Richard Lamb" <richard.lamb@icann.org> wrote:
Samples before and after today.
Participants (7): Edward Lewis, Evan Hunt, Jaap Akkerhuis, Jakob Schlyter, Paul Hoffman, Richard Lamb, Ólafur Guðmundsson