<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Title content=""><meta name=Keywords content=""><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Courier New";
panose-1:2 7 3 9 2 2 5 2 4 4;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1977905;
mso-list-template-ids:1888929052;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New",serif;
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style></head><body bgcolor=white lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Dear AusNOG list members,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>I’d appreciate if this is shared through your network /organizations and to check if your systems won’t be affected by the following change.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>The Internet Corporation for Assigned Names and Numbers (ICANN) is planning to roll, or change, the “top” pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol, commonly known as the Root Zone KSK. This will be the first time the KSK has been changed since it was initially generated in 2010, and is considered an important security step, in much the same way that regularly changing passwords is considered a prudent practice by any Internet user. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt'>What does that mean?<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt'>Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root's "trust anchor." The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt'>Why do you need to prepare?<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt'>Currently, 25% of global Internet users, or 750 million people, use DNSSEC-validating resolvers that could be affected by the KSK rollover. If these validating resolvers do not have the new key when the KSK is rolled, end users relying on those resolvers will encounter errors and be unable to access the Internet. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt'>How to know if your systems are up-to-date?<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt'>ICANN is offering a test bed for operators or any interested parties to confirm that their systems handle the automated update process correctly. Check to make sure your systems are ready by visiting: <a href="http://go.icann.org/KSKtest">http://go.icann.org/KSKtest</a>.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt'>What is the timeline for this process?<o:p></o:p></span></b></p><ul style='margin-top:0in' type=disc><li class=MsoNormal style='margin-left:0in;mso-list:l0 level1 lfo1'><b><span style='font-size:11.0pt'>October 27, 2016:</span></b><span style='font-size:11.0pt'> KSK rollover process begins as the new KSK is generated.<o:p></o:p></span></li><li class=MsoNormal style='margin-left:0in;mso-list:l0 level1 lfo1'><b><span style='font-size:11.0pt'>July 11, 2017:</span></b><span style='font-size:11.0pt'> Publication of new KSK in DNS.<o:p></o:p></span></li><li class=MsoNormal style='margin-left:0in;mso-list:l0 level1 lfo1'><b><span style='font-size:11.0pt'>September 19, 2017:</span></b><span style='font-size:11.0pt'> Size increase for DNSKEY response from root name servers.<o:p></o:p></span></li><li class=MsoNormal style='margin-left:0in;mso-list:l0 level1 lfo1'><b><span style='font-size:11.0pt'>October 11, 2017:</span></b><span style='font-size:11.0pt'> New KSK begins to sign the root zone key set (the actual rollover event).<o:p></o:p></span></li><li class=MsoNormal style='margin-left:0in;mso-list:l0 level1 lfo1'><b><span style='font-size:11.0pt'>January 11, 2018:</span></b><span style='font-size:11.0pt'> Revocation of old KSK.<o:p></o:p></span></li><li class=MsoNormal style='margin-left:0in;mso-list:l0 level1 lfo1'><b><span style='font-size:11.0pt'>March 22, 2018:</span></b><span style='font-size:11.0pt'> Last day the old KSK appears in the root zone.<o:p></o:p></span></li><li class=MsoNormal style='margin-left:0in;mso-list:l0 level1 lfo1'><b><span style='font-size:11.0pt'>August 2018:</span></b><span style='font-size:11.0pt'> Old key is deleted from equipment in both ICANN Key Management Facilities.<o:p></o:p></span></li></ul><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>More information about the root zone KSK rollover is available here: <a href="https://www.icann.org/resources/pages/ksk-rollover">https://www.icann.org/resources/pages/ksk-rollover</a>. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Thank you,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt'>Save vocea<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt'>VP, Global Stakeholder Engagement, Oceania<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>ICANN<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p></div></body></html>