This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC Signer Replacement Project
- Previous message (by thread): [dns-wg] A Look at DNS Priming Queries to K-root
- Next message (by thread): [dns-wg] RIPE NCC Operated K-Root Server Now Distributing Root Zone Signed with DNSSEC
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Sjoerd Oostdijck
sjoerdoo at ripe.net
Wed Mar 24 11:46:30 CET 2010
Dear Colleagues, Please note that the new keys have been pre-published in the usual place at: https://www.ripe.net/projects/disi//keys/ Regards, Sjoerd Oostdijck. Andrei Robachevsky wrote: > Dear Colleagues, > > As noted during RIPE 59, the RIPE NCC is upgrading the current DNSSEC > provisioning infrastructure. This project includes the replacement of > current software signers with a more secure hardware solution. > > During this migration, an exception will be made to the double signing > policy outlined in our key maintenance procedure, which is available at: > https://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html > > In order to reduce the likelihood of validation errors as much as > possible during the migration, a one-time exception will be made to the > policy of double signing our Key Signing Keys (KSKs). This is because it > is not possible to exchange keys between our old and new signers. To > prevent signing all our zones on two signers and then merging the > results, we will pre-publish the new KSK in March 2010 as a one-time > exception. > > The DNSSEC signer migration will involve the steps detailed below. The > dates align with our standard key rollover timings, as detailed on our > website at: > https://www.ripe.net/projects/disi//keys/ > > On Tuesday, 2 March 2010, our signer will switch to the currently > pre-published Zone Signing Key (ZSK). This ZSK will not be rolled over > again until Monday, 14 June 2010. No new trust anchors need to be > configured for resolvers at this point. > > On Tuesday, 23 March 2010, we will pre-publish a new KSK and ZSK in our > zones. The new KSK will be available in our trust anchor repository, > also available at: > https://www.ripe.net/projects/disi//keys/ > > One KSK will be in use, but both KSKs must be configured as trust > anchors in DNSSEC validating resolvers. > > On Monday, 14 June 2010, the old KSK and ZSK will be deprecated. Only > the new keys will be able to validate. One KSK will be in use. > > On Tuesday, 21 September 2010, we will publish a new KSK on our website > and continue with our usual double signing policy. Two keys will then be > in use. > > Given that the parent zones of the RIPE NCC's zones are likely to be > signed in the near future, we will continue to follow the current key > maintenance procedure and lifetimes after the migration in completed. > This will allow us to make a more informed decision on the RIPE NCC's > key lifetimes when the policies for our parent zones are known. > > Regards, > > Andrei Robachevsky > Chief Technical Officer > RIPE NCC > -- Sjoerd Oostdijck RIPE Network Coordination Centre DNS Services group Singel 258, Amsterdam, NL http://www.ripe.net +31 20 535 4444
- Previous message (by thread): [dns-wg] A Look at DNS Priming Queries to K-root
- Next message (by thread): [dns-wg] RIPE NCC Operated K-Root Server Now Distributing Root Zone Signed with DNSSEC
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]