[AusNOG] KSK Rollover Postponed

Noel Butler noel.butler at ausics.net
Sat Sep 30 09:42:40 EST 2017


I've voiced my opinion elsewhere but I'll add it here too. 

The Key should just be rolled, we've been given months of warnings, so
when it fails and said networks' CSR lines become jammed because 3/4 of
the internet is gone, it will soon get things fixed, and, the many
pissed off CEOs (who likely will also be personally affected) will be
calling into question the competence of certain lazy staff and have them
explain why they've done nothing and why they should keep their jobs. 

Too many in this game think they're in a safe haven and are just flat out
lazy. 

On 28/09/2017 14:46, Save Vocea wrote:

> Dear AusNOG Community, 
> 
> A couple of weeks ago I posted ICANN's KSK rollover timelines in here. 
> 
> It was announced today that the plan to change the cryptographic key [1] that helps protect the Domain Name System (DNS) is being postponed. 
> 
> The changing or "rolling" of the KSK Key was originally scheduled to occur on 11 October, but it is being delayed because some recently obtained data shows that a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators are not yet ready for the Key Rollover. The availability of this new data is due to a very recent DNS protocol feature that adds the ability for a resolver to report back to the root servers which keys it has configured. 
> 
> Full announcement is here: https://www.icann.org/news/announcement-2017-09-27-en 
> 
> Regards, 
> 
> Save Vocea 
> 
> ICANN staff in the region 
> 
> FROM: Save Vocea <save.vocea at icann.org>
> DATE: Tuesday, September 12, 2017 at 4:53 PM
> TO: "ausnog at ausnog.net" <ausnog at lists.ausnog.net>
> SUBJECT: KSK rollover timeline and how to check if your systems are ready 
> 
> Dear AusNOG list members, 
> 
> I'd appreciate if this is shared through your network/organizations and to check if your systems won't be affected by the following change. 
> 
> The Internet Corporation for Assigned Names and Numbers (ICANN) is planning to roll, or change, the "top" pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol, commonly known as the Root Zone KSK. This will be the first time the KSK has been changed since it was initially generated in 2010, and is considered an important security step, in much the same way that regularly changing passwords is considered a prudent practice by any Internet user. 
> 
> WHAT DOES THAT MEAN? 
> 
> Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root's "trust anchor." The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS. 
> 
> WHY DO YOU NEED TO PREPARE? 
> 
> Currently, 25% of global Internet users, or 750 million people, use DNSSEC-validating resolvers that could be affected by the KSK rollover. If these validating resolvers do not have the new key when the KSK is rolled, end users relying on those resolvers will encounter errors and be unable to access the Internet. 
> 
> HOW TO KNOW IF YOUR SYSTEMS ARE UP-TO-DATE? 
> 
> ICANN is offering a test bed for operators or any interested parties to confirm that their systems handle the automated update process correctly. Check to make sure your systems are ready by visiting: http://go.icann.org/KSKtest. 
> 
> WHAT IS THE TIMELINE FOR THIS PROCESS? 
> 
> * OCTOBER 27, 2016: KSK rollover process begins as the new KSK is generated.
> * JULY 11, 2017: Publication of new KSK in DNS.
> * SEPTEMBER 19, 2017: Size increase for DNSKEY response from root name servers.
> * OCTOBER 11, 2017: New KSK begins to sign the root zone key set (the actual rollover event).
> * JANUARY 11, 2018: Revocation of old KSK.
> * MARCH 22, 2018: Last day the old KSK appears in the root zone.
> * AUGUST 2018: Old key is deleted from equipment in both ICANN Key Management Facilities.
> 
> More information about the root zone KSK rollover is available here: https://www.icann.org/resources/pages/ksk-rollover. 
> 
> Thank you, 
> 
> SAVE VOCEA 
> 
> VP, Global Stakeholder Engagement, Oceania 
> 
> ICANN

-- 
Kind Regards, 

Noel Butler 

Links:
------
[1] https://www.icann.org/resources/pages/ksk-rollover/#overview
[2] http://www.adobe.com/
[3] http://en.wikipedia.org/wiki/OpenDocument
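
The postponement notice quoted above cites data from a DNS feature that lets a resolver report to the root servers which keys it has configured. The sketch below is an added example, not part of the original thread and not ICANN's tooling: it classifies resolvers from such signals, assuming the RFC 8145 query-name form (`_ta-` followed by hex key tags, QTYPE NULL) and the root KSK key tags 19036 (2010 key) and 20326 (2017 key). The log lines and their three-column format are constructed for illustration.

```python
import re

# Assumptions (not stated in the thread): key tags of the root KSKs.
KSK_2010 = 19036  # 0x4a5c, the key being retired
KSK_2017 = 20326  # 0x4f66, the new key

# RFC 8145 key tag query name: "_ta-" + 4-hex-digit tags joined by "-".
TA_QNAME = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.?$", re.I)

# Constructed sample: "<resolver-ip> <qtype> <qname>" (hypothetical log format).
SAMPLE_LOG = """\
192.0.2.10 NULL _ta-4a5c-4f66.
192.0.2.20 NULL _ta-4a5c.
198.51.100.7 NULL _ta-4a5c.
198.51.100.7 NULL _ta-4a5c-4f66.
203.0.113.5 A www.example.
203.0.113.9 NULL _ta-zzzz.
203.0.113.30 NULL _ta-4f66.
"""

def parse_key_tags(qname):
    """Return the set of key tags signalled in qname, or None if not a signal."""
    m = TA_QNAME.match(qname)
    if not m:
        return None
    return {int(h, 16) for h in m.group(1).split("-")}

def classify(log_text):
    """Map each signalling resolver to a readiness label from its latest signal."""
    latest = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "NULL":
            continue  # not a key tag query
        tags = parse_key_tags(parts[2])
        if tags is not None:
            latest[parts[0]] = tags  # later lines override earlier ones
    report = {}
    for ip, tags in latest.items():
        if KSK_2017 in tags:
            report[ip] = "ready"            # new key configured as trust anchor
        elif KSK_2010 in tags:
            report[ip] = "old-key-only"     # validation would fail after the roll
        else:
            report[ip] = "unknown-anchor"
    return report

if __name__ == "__main__":
    for ip, state in sorted(classify(SAMPLE_LOG).items()):
        print(ip, state)
```

Resolvers labelled `old-key-only` are the ones whose users would see failures once the new KSK starts signing the root key set.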