From marco.davids at sidn.nl Fri Jan 7 12:23:20 2011
From: marco.davids at sidn.nl (Marco Davids (SIDN))
Date: Fri, 7 Jan 2011 12:23:20 +0100
Subject: [enum-wg] [ENUM-NL] DNSSEC trust-anchor notice for 1.3.e164.arpa.
Message-ID: <4D26F7A8.5040103@sidn.nl>

[Apologies for any duplicate mails]

DNSSEC trust-anchor notice for 1.3.e164.arpa.

First and only notice!

To whom it may concern:

ENUM-zone 1.3.e164.arpa is signed with DNSSEC. Since no trust-anchor has
been published in the parent, the trust-anchor of this zone was available
via https://www.enum.nl/downloads/KSK-pub.txt.

This is to inform you that we have scheduled a key change, which will
render the current trust-anchor invalid.

If you have configured the 1.3.e164.arpa trust-anchor in your
validator(s), please remove it NOW or no later than January 11th 23:59 CET.

At the end of next week we will introduce a new key in the
1.3.e164.arpa-zone, which will have its trust-anchor published in the
parent soon after.

Since we anticipate that only very few people have actually configured
the present trust-anchor (if any), we will *not* perform a full-blown
key roll-over. Instead we will simply remove the old key and introduce a
new one.

The new trust-anchor will not be published in an authenticated manner
outside DNS (for example on an SSL-protected web page as before),
because it will have its DS record in the parent.

Thank you for your understanding.

With kind regards,

--
Marco Davids
On behalf of ENUM NL

From dougb at dougbarton.us Sat Jan 8 03:39:19 2011
From: dougb at dougbarton.us (Doug Barton)
Date: Fri, 07 Jan 2011 18:39:19 -0800
Subject: [enum-wg] Re: [Dnssec-deployment] [ENUM-NL] DNSSEC trust-anchor notice for 1.3.e164.arpa.
In-Reply-To: <4D26F7A8.5040103@sidn.nl>
References: <4D26F7A8.5040103@sidn.nl>
Message-ID: <4D27CE57.4060605@dougbarton.us>

On 01/07/2011 03:23, Marco Davids (SIDN) wrote:

> Since we anticipate that only very few people have actually configured
> the present trust-anchor (if any), we will *not* perform a full-blown
> key roll-over. Instead we will simply remove the old key and introduce a
> new one.

With all due respect, I think this is the wrong approach. :) If your
assessment is correct and very few people have the key configured, IMO
now is the perfect time to practice doing a proper rollover.

> The new trust-anchor will not be published in an authenticated manner
> outside DNS (for example on an SSL-protected web page as before),
> because it will have its DS record in the parent.

Assuming that there is a trust path all the way from this zone to the
root, that's not only Ok, (once again IMO) that's preferable.

Doug

--

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price. :) http://SupersetSolutions.com/

From Antoin.Verschuren at sidn.nl Mon Jan 10 15:59:25 2011
From: Antoin.Verschuren at sidn.nl (Antoin Verschuren)
Date: Mon, 10 Jan 2011 14:59:25 +0000
Subject: [enum-wg] RE: [dns-operations] [Dnssec-deployment] [ENUM-NL] DNSSEC trust-anchor notice for 1.3.e164.arpa.
In-Reply-To: <4D27CE57.4060605@dougbarton.us>
References: <4D26F7A8.5040103@sidn.nl> <4D27CE57.4060605@dougbarton.us>
Message-ID:

The key in our current zone was explicitly stated not to be used as a
trust anchor yet:
https://www.enum.nl/nl/dnssec/dnssec-status-for-13e164arpa.html

That's why we don't expect users to have this configured. This message is
therefore only informational, as we promised changes to our policy to be
published on the relevant mailing lists.

We tested rollovers for this zone already with this not to be trusted key.
Our first intention was to have this key to be used as a trust anchor, as
the root was not ready yet. Now that we are ready to submit our key to our
parent, and the root is signed, we see no need to state our own trust
anchor, so our policy changed. Since we will also replace our signing
infrastructure, and the current key is not to be trusted anyway, we
decided to start with a new key altogether.

Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl
http://www.sidn.nl/

> -----Original Message-----
> From: dns-operations-bounces at lists.dns-oarc.net
> [mailto:dns-operations-bounces at lists.dns-oarc.net] On Behalf Of Doug Barton
> Sent: Saturday, January 08, 2011 3:39 AM
> To: Marco Davids
> Cc: dnssec at dnssec.nl; dns-operations at lists.dns-oarc.net; enum-wg at ripe.net;
> dnssec-deployment at dnssec-deployment.org
> Subject: Re: [dns-operations] [Dnssec-deployment] [ENUM-NL] DNSSEC
> trust-anchor notice for 1.3.e164.arpa.
>
> On 01/07/2011 03:23, Marco Davids (SIDN) wrote:
>
> > Since we anticipate that only very few people have actually configured
> > the present trust-anchor (if any), we will *not* perform a full-blown
> > key roll-over. Instead we will simply remove the old key and introduce a
> > new one.
>
> With all due respect, I think this is the wrong approach. :) If your
> assessment is correct and very few people have the key configured, IMO
> now is the perfect time to practice doing a proper rollover.
>
> > The new trust-anchor will not be published in an authenticated manner
> > outside DNS (for example on an SSL-protected web page as before),
> > because it will have its DS record in the parent.
>
> Assuming that there is a trust path all the way from this zone to the
> root, that's not only Ok, (once again IMO) that's preferable.
>
>
> Doug
>
> --
>
> 	Nothin' ever doesn't change, but nothin' changes much.
> 			-- OK Go
>
> 	Breadth of IT experience, and depth of knowledge in the DNS.
> 	Yours for the right price. :) http://SupersetSolutions.com/
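
The first notice in this thread asks operators to remove any statically configured 1.3.e164.arpa trust anchor from their validators. As an added example (not code from the thread or from SIDN), the following Python scans BIND and Unbound configuration text for such an anchor; the sample configurations, key strings and algorithm numbers are constructed placeholders.

```python
import re

ZONE = "1.3.e164.arpa."  # the zone named in the notice

# Keep quoted strings intact (base64 key data may contain "//"); drop comments.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
# BIND: trusted-keys { "zone." 257 3 5 "key"; };  managed-keys adds "initial-key".
_BIND_BLOCK = re.compile(r'\b(trusted-keys|managed-keys)\s*\{(.*?)\}\s*;', re.S)
_BIND_ENTRY = re.compile(
    r'"?([A-Za-z0-9.\-]+)"?\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"')
# Unbound: trust-anchor: "zone. [ttl] [IN] DNSKEY|DS ..."
_UNBOUND = re.compile(
    r'^\s*trust-anchor:\s*"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(DNSKEY|DS)\b', re.M | re.I)

def _fqdn(name):
    return name.lower().rstrip(".") + "."

def strip_comments(text):
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def find_static_anchors(config_text, zone=ZONE):
    """Return (statement, detail) for every static anchor configured for zone."""
    text, zone, hits = strip_comments(config_text), _fqdn(zone), []
    for block in _BIND_BLOCK.finditer(text):
        for name, flags, _proto, alg in _BIND_ENTRY.findall(block.group(2)):
            if _fqdn(name) == zone:
                hits.append((block.group(1), f"flags={flags} alg={alg}"))
    for name, rrtype in _UNBOUND.findall(text):
        if _fqdn(name) == zone:
            hits.append(("trust-anchor", rrtype.upper()))
    return hits

# Constructed sample configs; the key strings are placeholders, not real keys.
SAMPLE_NAMED = '''
trusted-keys {
    // old ENUM-NL anchor (constructed placeholder key data)
    "1.3.e164.arpa." 257 3 5 "CONSTRUCTED//PLACEHOLDER+KEY=";
    "example." 257 3 8 "CONSTRUCTED+OTHER=";
};
'''
SAMPLE_UNBOUND = '''
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # trust-anchor: "1.3.e164.arpa. DNSKEY 257 3 5 CONSTRUCTED=="
    trust-anchor: "1.3.E164.ARPA 3600 IN DNSKEY 257 3 5 CONSTRUCTED+PLACEHOLDER=="
'''

if __name__ == "__main__":
    print(find_static_anchors(SAMPLE_NAMED) + find_static_anchors(SAMPLE_UNBOUND))
```

Any hit is a statically pinned key that will stop validating once the old key is removed from the zone; anchors referenced through separate key files need the same scan applied to those files.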