Dear All,

The Internet Corporation for Assigned Names and Numbers (ICANN) is planning to 
roll, or change, the “top” pair of cryptographic keys used in the Domain Name 
System Security Extensions (DNSSEC) protocol, commonly known as the Root Zone 
KSK. This will be the first time the KSK has been changed since it was 
initially generated in 2010, and is considered an important security step, in 
much the same way that regularly changing passwords is considered a prudent 
practice by any Internet user.

What does that mean?
Rolling the KSK means generating a new cryptographic public and private key 
pair and distributing the new public component to parties who operate 
validating resolvers, including: Internet Service Providers; enterprise network 
administrators and other Domain Name System (DNS) resolver operators; DNS 
resolver software developers; system integrators; and hardware and software 
distributors who install or ship the root's "trust anchor." The KSK is used to 
cryptographically sign the Zone Signing Key (ZSK), which is used by the Root 
Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS.

Why do you need to prepare?
Currently, 25% of global Internet users, or 750 million people, use 
DNSSEC-validating resolvers that could be affected by the KSK rollover. If 
these validating resolvers do not have the new key when the KSK is rolled, end 
users relying on those resolvers will encounter errors and be unable to access 
the Internet.

How to know if your systems are up-to-date?
ICANN is offering a test bed for operators or any interested parties to confirm 
that their systems handle the automated update process correctly. Check to make 
sure your systems are ready by visiting: http://go.icann.org/KSKtest.

What is the timeline for this process?

  *   October 27, 2016: KSK rollover process begins as the new KSK is generated.
  *   July 11, 2017: Publication of new KSK in DNS.
  *   September 19, 2017: Size increase for DNSKEY response from root name servers.
  *   October 11, 2017: New KSK begins to sign the root zone key set (the actual rollover event).
  *   January 11, 2018: Revocation of old KSK.
  *   March 22, 2018: Last day the old KSK appears in the root zone.
  *   August 2018: Old key is deleted from equipment in both ICANN Key Management Facilities.

More information about the root zone KSK rollover is available here: 
https://www.icann.org/resources/pages/ksk-rollover.

We are happy to have a call with you should you have any questions or feedback.

Thank you,

Baher Esmat
VP, Global Stakeholder Engagement, Middle East
ICANN
_______________________________________________
Menog mailing list
Menog@lists.menog.org
http://lists.menog.org/mailman/listinfo/menog