
I just have some quick information on the DNSSEC movement in .cz. Next
Tuesday we will start our first KSK rollover for the .cz domain. We
decided to choose a stronger algorithm, RSASHA512, and to switch from
NSEC to NSEC3. That means we have to follow the procedure for algorithm
rollover as described in
This involves four changes in the standard signing procedure. On
Tuesday, August 3, we will implement the first two changes. In the
morning we will insert new signatures for all RRsets, created using the
new RSASHA512 keys, without publishing the new keys. In the evening,
after all TTLs, when the new RRSIGs will be in all resolvers, we will
also include the new keys into

Then we will send a request for the exchange of keys in the root zone
to IANA. At the same time, as our way to promote DNSSEC validation using
the root zone, we will also remove all our keys from ITAR and DLV. We
have communicated this intensively over the past several weeks, together
with promotion of root zone signing, so we don't expect problems from
resolver operators.

We will make the last two changes in our rollover process on August 24,
to give IANA time to implement the changes in the root zone. Again, in
the morning we will start by removing the old keys from the zone file,
and in the evening we will also remove the old signatures and re-sign
the zone using NSEC3. We have chosen NSEC3 without OptOut for two
reasons. First, right now we have more than 100 000 signed domains out
of almost 700 000, and we expect that to grow, so the difference in size
is not an issue. Second, we think it's not a good idea to lower the
security level even for non-secured domains, which would happen with
OptOut.


Jaromir Talir
technicky reditel / Chief Technical Officer
CZ.NIC, z.s.p.o.  --    .cz domain registry
Americka 23, 120 00 Praha 2, Czech Republic
mailto:jaromir.ta...@nic.cz  http://nic.cz/
sip:jaromir.ta...@nic.cz tel:+420.222745107
mob:+420.739632712       fax:+420.222745112
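
The ordering constraints behind the four changes described above, as an added example that is not part of the original message: it checks each step against the RFC 4035 section 2.2 rules, including the case where a resolver combines cached data from one step with fresh data from the next. Assumptions: `OLD-ALG` is a placeholder for the outgoing algorithm (the message does not name it), the state labels and timelines are constructed, the root replaces the DS in a single step, and only adjacent steps can mix in caches.

```python
from typing import NamedTuple

OLD, NEW = "OLD-ALG", "RSASHA512"  # OLD-ALG: placeholder, the message does not name it

class State(NamedTuple):
    label: str
    ds: frozenset    # algorithms in the parent's DS RRset
    keys: frozenset  # algorithms in the apex DNSKEY RRset
    sigs: frozenset  # algorithms that have an RRSIG on every RRset

def S(label, ds, keys, sigs):
    return State(label, frozenset(ds), frozenset(keys), frozenset(sigs))

def violations(timeline):
    """Check every state, plus both cache mixes of each pair of adjacent states."""
    pairs = [(s, s) for s in timeline]
    for a, b in zip(timeline, timeline[1:]):
        pairs += [(a, b), (b, a)]
    found = []
    for x, y in pairs:
        # Each DNSKEY algorithm a resolver sees needs RRSIGs on the RRset it holds.
        if not x.keys <= y.sigs:
            found.append(f"DNSKEY@{x.label} + RRSIG@{y.label}: "
                         f"no signatures for {sorted(x.keys - y.sigs)}")
        # Each DS algorithm at the parent needs a DNSKEY of that algorithm.
        if not x.ds <= y.keys:
            found.append(f"DS@{x.label} + DNSKEY@{y.label}: "
                         f"no key for {sorted(x.ds - y.keys)}")
    return found

# Constructed timeline following the message's order of changes.
PAGE = [
    S("start",          {OLD}, {OLD},      {OLD}),
    S("Aug 3 morning",  {OLD}, {OLD},      {OLD, NEW}),
    S("Aug 3 evening",  {OLD}, {OLD, NEW}, {OLD, NEW}),
    S("root DS swap",   {NEW}, {OLD, NEW}, {OLD, NEW}),
    S("Aug 24 morning", {NEW}, {NEW},      {OLD, NEW}),
    S("Aug 24 evening", {NEW}, {NEW},      {NEW}),
]
# Constructed counter-example: new keys and new signatures published together.
SHORTCUT = [PAGE[0], S("one step", {OLD}, {OLD, NEW}, {OLD, NEW})]

if __name__ == "__main__":
    for name, tl in (("PAGE", PAGE), ("SHORTCUT", SHORTCUT)):
        print(name, violations(tl) or "consistent")
```

The shortcut fails because a resolver can fetch the new DNSKEY RRset while still holding RRsets cached with only the old signatures, which is why the signatures go in first and the keys follow after the TTLs.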

DNSOP mailing list
