On Wed, Nov 16, 2016 at 10:56:35AM +0100, Mikael Abrahamsson wrote:
> So if it's manufactured the day before a new key is publicly released, when is the key material it has built in no longer viable to have successful DNSSEC validation?

The new KSK was generated at the end of October this year and will be published on IANA's website in February / March once it has been confirmed to have been successfully imported into their West Coast facility.

It will then be published in the root zone in July signed by the old KSK and the new key will be used from October 2017 onwards [1]. A manufacturer, therefore, should have plenty of warning that they need to support the ability to change the root KSK, either through some kind of firmware / software upgrade or, preferably, via RFC5011 [2] compliance which automates the whole process.

Emily

[1]  ICANN Ltd., "2017 KSK Rollover Operational Implementation Plan",
     July 2016,
     <https://www.icann.org/en/system/files/files/ksk-rollover-operational-implementation-plan-22jul16-en.pdf>.

[2]  StJohns, M., "Automated Updates of DNS Security (DNSSEC)
    Trust Anchors", STD 74, RFC 5011, DOI 10.17487/RFC5011,
    September 2007, <http://www.rfc-editor.org/info/rfc5011>.

--
Emily Shepherd
Computer Science Graduate, MEng (Hons)
W: https://emilyshepherd.me/
M: +44(0)7575 721 231
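As an added illustration of the RFC 5011 behaviour the reply points to (this is example code written for this page, not anything from the message, ICANN or the IETF): a minimal model of the validator's trust-anchor state machine, with a constructed scenario in which a resolver that already trusts an old KSK polls the root DNSKEY RRset daily after a new KSK is pre-published. Key tags, flag values for the sample RRsets and the July start date are constructed for the example; the "Missing" state and remove hold-down of RFC 5011 are left out.

```python
"""Minimal RFC 5011 trust-anchor state machine: AddPend -> Valid, Valid -> Revoked."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ADD_HOLD_DOWN = timedelta(days=30)  # RFC 5011 add hold-down time
REVOKE = 0x0080                     # REVOKE bit in the DNSKEY flags field (RFC 5011)
KSK_FLAGS = 0x0101                  # ZONE | SEP, the flags of an ordinary KSK
OLD_KSK, NEW_KSK = 1001, 2002       # constructed key tags, not the real root KSK tags


@dataclass
class TrustAnchors:
    valid: set                                    # key tags currently trusted
    add_pend: dict = field(default_factory=dict)  # tag -> time first seen
    revoked: set = field(default_factory=set)

    def observe(self, now, keys, signers):
        """keys: {tag: flags} from one DNSKEY RRset; signers: tags whose RRSIG validated it."""
        if not self.valid & set(signers):
            return  # RRset not signed by any current trust anchor: it cannot add or revoke keys
        for tag, flags in keys.items():
            if flags & REVOKE:
                # a revocation counts only for a trusted key that also signed the RRset itself
                if tag in self.valid and tag in signers:
                    self.valid.discard(tag)
                    self.revoked.add(tag)
            elif tag not in self.valid and tag not in self.revoked:
                first = self.add_pend.setdefault(tag, now)
                if now - first >= ADD_HOLD_DOWN:  # continuously present for the hold-down
                    self.valid.add(tag)
                    del self.add_pend[tag]
        # a pending key that drops out of the RRset loses its progress and starts over
        for tag in list(self.add_pend):
            if tag not in keys:
                del self.add_pend[tag]


def rollover(days, gap_day=None, revoke_old=False):
    """Constructed scenario: OLD_KSK is trusted, NEW_KSK is pre-published on day 0 and the
    resolver re-validates the DNSKEY RRset once a day; optionally NEW_KSK is absent on one
    day, and optionally OLD_KSK is finally republished with the REVOKE bit, signing itself."""
    store = TrustAnchors(valid={OLD_KSK})
    start = datetime(2017, 7, 1)  # constructed date; the mail only says "July"
    for day in range(days + 1):
        keys = {OLD_KSK: KSK_FLAGS, NEW_KSK: KSK_FLAGS}
        if day == gap_day:
            del keys[NEW_KSK]
        store.observe(start + timedelta(days=day), keys, {OLD_KSK})
    if revoke_old:
        store.observe(start + timedelta(days=days + 1),
                      {OLD_KSK: KSK_FLAGS | REVOKE, NEW_KSK: KSK_FLAGS}, {OLD_KSK, NEW_KSK})
    return store
```

A device that is powered off, or otherwise misses the new key during the hold-down window, never reaches the Valid state for it, which is why a firmware-only fallback matters alongside RFC 5011 support.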


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
