Dear colleagues, A few moments ago, at 1400 UTC today, 11 January 2019, ICANN's root zone management partner, Verisign, published root zone serial number 2019011100 with the RFC 5011 REVOKE bit set. As a result, KSK-2010's key tag has changed from 19036 to 19164. In addition, the root DNSKEY RRset is now signed with two KSKs: the current KSK (KSK-2017) as well as the former KSK (KSK-2010). The second signature is required by RFC 5011 to prove possession of KSK-2010's private key to assert the revocation. This second signature makes the response to a query for the root zone's DNSKEY RRset increase in size from 1414 bytes to 1425 bytes.
We don't expect any operational issues from this change. The DNSKEY RRset size increase is small, and other zones currently publish considerably larger apex DNSKEY RRsets without apparent issue. In addition, because KSK-2010 has not been used for signing since the root KSK rollover to KSK-2017 on 11 October 2018, no DNSSEC validators that are currently validating correctly can be depending on it. Nevertheless, please let us know if you suspect any issues or have any questions. May we also suggest subscribing to ksk-rollo...@icann.org to receive announcements and participate in discussion about the KSK rollover process in particular and DNSSEC in the root zone in general. For the root zone management partners, Matt -- Matt Larson, VP of Research ICANN Office of the CTO matt.lar...@icann.org _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
