From jaap at NLnetLabs.nl Mon Mar 8 15:11:13 2010
From: jaap at NLnetLabs.nl (Jaap Akkerhuis)
Date: Mon, 08 Mar 2010 15:11:13 +0100
Subject: [dns-wg] Ripe-60 coming up
Message-ID: <201003081411.o28EBD0U005310@bartok.nlnetlabs.nl>

Folks,

Over two months RIPE-60 will take place in Prague from 3 to 7 May.
According to the meeting plan, the DNS-WG meeting will be Thursday the 6th.
Please send suggestions for agenda items and/or presentations to the chairs
(dns-wg-chair at ripe.net) or directly to me.

Note that the (draft) minutes of Ripe-59 are available in the usual place.
If there are comments, for these it would be nice to receive them before the
meeting so these can be incorporated swiftly.

Regards,

jaap

Ripe-60:
Meeting-plan:
Minutes:

From joe.abley at icann.org Wed Mar 10 21:01:30 2010
From: joe.abley at icann.org (Joe Abley)
Date: Wed, 10 Mar 2010 12:01:30 -0800
Subject: [dns-wg] Signing of the ARPA zone
Message-ID:

Colleagues,

This is a technical, operational announcement regarding changes to the ARPA top-level domain. Apologies in advance for duplicates received through different mailing lists.

No specific action is requested of operators. This message is for your information only.

The ARPA zone is about to be signed using DNSSEC.
The technical parameters by which ARPA will be signed are as follows:

KSK Algorithm and Size: 2048 bit RSA
KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
KSK Signature Algorithm: SHA-256
Validity period for signatures made with KSK: 15 days; new signatures published every 10 days
ZSK Algorithm and Size: 1024 bit RSA
ZSK Rollover: every 3 months
ZSK Signature Algorithm: SHA-256
Authenticated proof of non-existence: NSEC
Validity period for signatures made with ZSK: 7 days; zone generated and re-signed twice per day

The twelve root server operators [1] will begin to serve a signed ARPA zone instead of the (current) unsigned ARPA zone during a maintenance window which will open at 2010-03-15 0001 UTC and close at 2010-03-17 2359 UTC. Individual root server operators will carry out their maintenance at times within that window according to their own operational preference.

The trust anchor for the ARPA zone will be published in the ITAR [2], and in the root zone in the form of a DS record once the root zone is signed.

If you have any concerns or require further information, please let me know.

Regards,


Joe Abley
Director DNS Operations, ICANN

[1]
[2]

From wnagele at ripe.net Thu Mar 11 16:25:57 2010
From: wnagele at ripe.net (Wolfgang Nagele)
Date: Thu, 11 Mar 2010 16:25:57 +0100
Subject: [dns-wg] Signed .ARPA Zone Roll Out On K-root
Message-ID: <4B990B85.80206@ripe.net>

[Apologies for duplicates]

Dear Colleagues,

As outlined by Joe Abley, ICANN, on the RIPE DNS Working Group mailing list, the DNS root servers will switch to a signed .ARPA zone at the beginning of next week. The mailing list archives can be found at:
http://www.ripe.net/ripe/maillists/archives/dns-wg/index.html

As the operator of K-root, the RIPE NCC has planned a maintenance window on 15 March 2010 between 09:00-13:00 UTC. During this period we will roll out the signed .ARPA zone.

We will inform the working group once this change has been carried out.

Regards,

Wolfgang Nagele
RIPE NCC DNS System Engineer

From mir at ripe.net Fri Mar 12 19:46:23 2010
From: mir at ripe.net (Mirjam Kuehne)
Date: Fri, 12 Mar 2010 19:46:23 +0100
Subject: [dns-wg] A Look at DNS Priming Queries to K-root
Message-ID: <4B9A8BFF.8080207@ripe.net>

Dear colleagues,

In preparation for signing the root, Emile Aben of the RIPE NCC looked at DNS priming queries arriving during the deployment of a DNSSEC signed zone at the DNS root servers.

Find the results here on RIPE Labs:
http://labs.ripe.net/content/look-dns-priming-queries-k-root

Kind Regards,
Mirjam Kühne

From wnagele at ripe.net Tue Mar 16 15:04:19 2010
From: wnagele at ripe.net (Wolfgang Nagele)
Date: Tue, 16 Mar 2010 15:04:19 +0100
Subject: [dns-wg] Signed .ARPA Zone Roll Out On K-root
Message-ID: <4B9F8FE3.9010306@ripe.net>

[Apologies for duplicate emails]

Dear Colleagues,

We successfully rolled out the signed .ARPA zone on K-root.

Regards,

Wolfgang Nagele
RIPE NCC DNS System Engineer

From joe.abley at icann.org Wed Mar 17 22:51:34 2010
From: joe.abley at icann.org (Joe Abley)
Date: Wed, 17 Mar 2010 14:51:34 -0700
Subject: [dns-wg] Re: Signing of the ARPA zone
Message-ID: <1606869A-11D3-4943-B525-11C6FB0C357D@icann.org>

Colleagues,

This is a follow-up to the operational announcement regarding changes to the ARPA top-level domain that was sent on 2010-03-10. Apologies in advance for duplicates received through different mailing lists.

As of 2010-03-17 1630 UTC all the authoritative servers for ARPA are serving a signed ARPA zone.

We would like to solicit feedback from the technical community to allow us to identify any operational ill-effects that this change has caused. We will monitor this mailing list for feedback, and I will also distribute any feedback sent to me personally so that it can be considered.

If no harmful effects have been identified by 2010-03-21 the trust anchor for the ARPA zone will be published through the IANA ITAR at .

Regards,

Joe

Begin forwarded message:

> From: Joe Abley
> Date: 10 March 2010 16:13:46 EST
> To: Joe Abley
> Subject: Signing of the ARPA zone
>
> Colleagues,
>
> This is a technical, operational announcement regarding changes to the ARPA top-level domain. Apologies in advance for duplicates received through different mailing lists.
>
> No specific action is requested of operators. This message is for your information only.
>
> The ARPA zone is about to be signed using DNSSEC. The technical parameters by which ARPA will be signed are as follows:
>
> KSK Algorithm and Size: 2048 bit RSA
> KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
> KSK Signature Algorithm: SHA-256
> Validity period for signatures made with KSK: 15 days; new signatures published every 10 days
> ZSK Algorithm and Size: 1024 bit RSA
> ZSK Rollover: every 3 months
> ZSK Signature Algorithm: SHA-256
> Authenticated proof of non-existence: NSEC
> Validity period for signatures made with ZSK: 7 days; zone generated and re-signed twice per day
>
> The twelve root server operators [1] will begin to serve a signed ARPA zone instead of the (current) unsigned ARPA zone during a maintenance window which will open at 2010-03-15 0001 UTC and close at 2010-03-17 2359 UTC. Individual root server operators will carry out their maintenance at times within that window according to their own operational preference.
>
> The trust anchor for the ARPA zone will be published in the ITAR [2], and in the root zone in the form of a DS record once the root zone is signed.
>
> If you have any concerns or require further information, please let me know.
>
> Regards,
>
>
> Joe Abley
> Director DNS Operations, ICANN
>
> [1]
> [2]

From sjoerdoo at ripe.net Wed Mar 24 11:46:30 2010
From: sjoerdoo at ripe.net (Sjoerd Oostdijck)
Date: Wed, 24 Mar 2010 11:46:30 +0100
Subject: [dns-wg] DNSSEC Signer Replacement Project
In-Reply-To: <4B7D622C.5090304@ripe.net>
References: <4B7D622C.5090304@ripe.net>
Message-ID: <4BA9ED86.5010907@ripe.net>

Dear Colleagues,

Please note that the new keys have been pre-published in the usual place at:
https://www.ripe.net/projects/disi//keys/

Regards,

Sjoerd Oostdijck.

Andrei Robachevsky wrote:
> Dear Colleagues,
>
> As noted during RIPE 59, the RIPE NCC is upgrading the current DNSSEC
> provisioning infrastructure. This project includes the replacement of
> current software signers with a more secure hardware solution.
>
> During this migration, an exception will be made to the double signing
> policy outlined in our key maintenance procedure, which is available at:
> https://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html
>
> In order to reduce the likelihood of validation errors as much as
> possible during the migration, a one-time exception will be made to the
> policy of double signing our Key Signing Keys (KSKs). This is because it
> is not possible to exchange keys between our old and new signers. To
> prevent signing all our zones on two signers and then merging the
> results, we will pre-publish the new KSK in March 2010 as a one-time
> exception.
>
> The DNSSEC signer migration will involve the steps detailed below. The
> dates align with our standard key rollover timings, as detailed on our
> website at:
> https://www.ripe.net/projects/disi//keys/
>
> On Tuesday, 2 March 2010, our signer will switch to the currently
> pre-published Zone Signing Key (ZSK). This ZSK will not be rolled over
> again until Monday, 14 June 2010. No new trust anchors need to be
> configured for resolvers at this point.
>
> On Tuesday, 23 March 2010, we will pre-publish a new KSK and ZSK in our
> zones. The new KSK will be available in our trust anchor repository,
> also available at:
> https://www.ripe.net/projects/disi//keys/
>
> One KSK will be in use, but both KSKs must be configured as trust
> anchors in DNSSEC validating resolvers.
>
> On Monday, 14 June 2010, the old KSK and ZSK will be deprecated. Only
> the new keys will be able to validate. One KSK will be in use.
>
> On Tuesday, 21 September 2010, we will publish a new KSK on our website
> and continue with our usual double signing policy. Two keys will then be
> in use.
>
> Given that the parent zones of the RIPE NCC's zones are likely to be
> signed in the near future, we will continue to follow the current key
> maintenance procedure and lifetimes after the migration is completed.
> This will allow us to make a more informed decision on the RIPE NCC's
> key lifetimes when the policies for our parent zones are known.
>
> Regards,
>
> Andrei Robachevsky
> Chief Technical Officer
> RIPE NCC
>

-- 
Sjoerd Oostdijck
RIPE Network Coordination Centre
DNS Services group
Singel 258, Amsterdam, NL
http://www.ripe.net
+31 20 535 4444

From anandb at ripe.net Wed Mar 24 20:43:05 2010
From: anandb at ripe.net (Anand Buddhdev)
Date: Wed, 24 Mar 2010 12:43:05 -0700
Subject: [dns-wg] RIPE NCC Operated K-Root Server Now Distributing Root Zone Signed with DNSSEC
Message-ID: <4BAA6B49.2060505@ripe.net>

[Apologies for duplicate emails]

Dear Colleagues,

The K-root server, operated by the RIPE NCC, is now serving the signed root zone as part of a staged global deployment of DNSSEC across the root zone system.

Starting with L-root in January 2010, the root servers began serving the signed root zone in batches in the form of a Deliberately Unvalidatable Root Zone (DURZ). This roll out period is scheduled to end in May 2010 and ICANN is scheduled to sign the root zone with real keys and release the trust anchor after 1 July 2010.

For more information, please see:
http://www.ripe.net/news/k-root-signed-dnssec.html

If you have any questions about this, please don't hesitate to contact .

Regards,

Anand Buddhdev,
DNS Services Manager, RIPE NCC

From jim at rfc1035.com Wed Mar 24 20:57:33 2010
From: jim at rfc1035.com (Jim Reid)
Date: Wed, 24 Mar 2010 19:57:33 +0000
Subject: [dns-wg] RIPE NCC Operated K-Root Server Now Distributing Root Zone Signed with DNSSEC
In-Reply-To: <4BAA6B49.2060505@ripe.net>
References: <4BAA6B49.2060505@ripe.net>
Message-ID: <9FFECE57-140D-4BCC-A7B5-17AE28C441ED@rfc1035.com>

On 24 Mar 2010, at 19:43, Anand Buddhdev wrote:

> Dear Colleagues,
>
> The K-root server, operated by the RIPE NCC, is now serving the signed
> root zone as part of a staged global deployment of DNSSEC across the
> root zone system.

This is excellent news Anand! My thanks to everyone at the NCC who has worked to make this possible.
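
Added example, not part of any message in this archive and not ICANN or RIPE NCC tooling: a monitoring check built on the signature validity periods and re-signing intervals given in the ARPA announcement above. It assumes validity is counted from signing time, so the remaining lifetime of a healthy signature never falls below validity minus interval; the sample records, key tags and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# (validity period, re-signing interval) as stated in the ARPA announcement.
# Assumption: validity is counted from the moment of signing, so a healthy
# zone never shows less than (validity - interval) of remaining lifetime.
KSK_SIGS = (timedelta(days=15), timedelta(days=10))   # RRSIGs over DNSKEY
ZSK_SIGS = (timedelta(days=7), timedelta(hours=12))   # all other RRSIGs

def parse_ts(text):
    """RRSIG timestamps in presentation format: YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Parse one dig-style line: owner ttl class RRSIG covered alg labels
    origttl expiration inception keytag signer signature"""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": f[0], "covered": f[4], "algorithm": int(f[5]),
            "expiration": parse_ts(f[8]), "inception": parse_ts(f[9]),
            "key_tag": int(f[10])}

def check_rrsig(line, now):
    """Return OK, STALE (signer appears stalled), EXPIRED or NOT_YET_VALID."""
    sig = parse_rrsig(line)
    validity, interval = KSK_SIGS if sig["covered"] == "DNSKEY" else ZSK_SIGS
    floor = validity - interval          # 5 days for KSK, 6.5 days for ZSK
    if now < sig["inception"]:
        return "NOT_YET_VALID"           # usually clock skew on one side
    remaining = sig["expiration"] - now
    if remaining <= timedelta(0):
        return "EXPIRED"                 # a validator rejects this signature
    return "STALE" if remaining < floor else "OK"

# Constructed sample records: key tags and signature data are placeholders.
SAMPLE = [
    "arpa. 86400 IN RRSIG DNSKEY 8 1 86400 20100401000000 20100317000000 11111 arpa. c2lnMQ==",
    "arpa. 86400 IN RRSIG SOA 8 1 86400 20100322120000 20100315120000 22222 arpa. c2lnMg==",
    "arpa. 86400 IN RRSIG NSEC 8 1 86400 20100319000000 20100312000000 22222 arpa. c2lnMw==",
]
NOW = datetime(2010, 3, 20, tzinfo=timezone.utc)   # constructed observation time

if __name__ == "__main__":
    for record in SAMPLE:
        print(check_rrsig(record, NOW), record[:48])
```

A STALE result means signatures still validate but have not been refreshed on the announced schedule, which gives operators warning before validating resolvers start failing.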