From anandb at ripe.net Mon Jun 14 18:05:54 2010
From: anandb at ripe.net (Anand Buddhdev)
Date: Mon, 14 Jun 2010 18:05:54 +0200
Subject: [enum-wg] DNSSEC KSK Rollover Event for RIPE NCC Zones
Message-ID: <4C165362.8090009@ripe.net>

[Apologies for duplicates]

Dear Colleagues,

On Tuesday, 23 March 2010, the RIPE NCC published new DNSSEC trust
anchors. They can be found in a new location on the RIPE website at:

https://www.ripe.net/dnssec-keys/

Today the RIPE NCC has started signing all of our zones with the new
keys found in those trust anchor files. If you have both the old and the
new keys configured you do not need to make any changes right now. On
Wednesday, 16 June, we will remove the old trust anchors from our website.

With today's key rollover event the RIPE NCC has completed the migration
to new DNSSEC signers. We have updated our DNSSEC Policy and Practice
Statement (DPS). The updated DPS can be found at:

https://www.ripe.net/rs/reverse/dnssec/dps.html

During the migration we did experience a small issue. Our processes
failed to pre-publish the previous Zone Signing Key (ZSK) into the zones
on our new signers. While our zones were propagating to the secondary
servers, some validating resolvers may have fetched signed answers and
DNSKEY records from different servers, and not been able to validate
these answers. However, the time-to-live on the old ZSK DNSKEY record
was one hour, so the window during which validation failures could have
occurred is quite small. We have taken steps to ensure that this will
not happen in the future.

If you have any questions or comments, please send an email to .

Regards,

Anand Buddhdev
DNS Services Manager
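
The pre-publication gap described in the message above can be modelled as a consistency check across authoritative servers. This is an added example, not part of the original message and not RIPE NCC code. The key tags, server names and the `ServerView` / `validation_gaps` helpers are constructed for illustration. It assumes the new ZSK was already present in the old zone, and it models ZSKs only (the KSK signature over the DNSKEY RRset is left out).

```python
from dataclasses import dataclass
from itertools import product

# Constructed key tags, not the RIPE NCC's real keys.
OLD_ZSK, NEW_ZSK = 11111, 22222

@dataclass(frozen=True)
class ServerView:
    """What one authoritative server serves for a zone at a point in time."""
    name: str
    zsk_tags: frozenset    # ZSK key tags present in its DNSKEY RRset
    rrsig_tags: frozenset  # key tags of the ZSKs that signed its answers

def validation_gaps(views):
    """Find pairings where a resolver that cached the DNSKEY RRset from one
    server cannot verify any RRSIG on an answer fetched from another."""
    gaps = []
    for key_src, ans_src in product(views, repeat=2):
        # One verifiable signature is enough for the answer to validate.
        if not (ans_src.rrsig_tags & key_src.zsk_tags):
            gaps.append((key_src.name, ans_src.name, sorted(ans_src.rrsig_tags)))
    return gaps

# Secondary still serving the zone produced by the old signer.
lagging = ServerView("secondary-not-yet-updated",
                     frozenset({OLD_ZSK, NEW_ZSK}), frozenset({OLD_ZSK}))
# Server with the zone from the new signer, previous ZSK missing.
as_happened = ServerView("updated-no-prepublish",
                         frozenset({NEW_ZSK}), frozenset({NEW_ZSK}))
# Same server, previous ZSK kept in the DNSKEY RRset during propagation.
prepublished = ServerView("updated-with-old-zsk",
                          frozenset({OLD_ZSK, NEW_ZSK}), frozenset({NEW_ZSK}))

if __name__ == "__main__":
    for label, updated in (("as described", as_happened),
                           ("pre-published", prepublished)):
        print(label, validation_gaps([lagging, updated]))
```

Run against live data, the same check would take each server's DNSKEY RRset and RRSIG key tags as input and should return an empty list before a zone from a new signer is allowed to propagate.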