From enumvoipsip.cs at schiefner.de Thu Mar 4 12:51:17 2010 From: enumvoipsip.cs at schiefner.de (Carsten Schiefner) Date: Thu, 04 Mar 2010 12:51:17 +0100 Subject: [enum-wg] First call for RIPE 60 ENUM WG agenda Message-ID: <4B8F9EB5.5020002@schiefner.de> Dear ENUM WG colleagues, we are just a little more than eight weeks away from RIPE 60 (3-7 May in Prague, http://www.ripe.net/ripe/meetings/ripe-60/ ) - and time flies. Niall O'Reilly and I are looking for input from you all for the agenda of the ENUM WG for this meeting: offers to give presentations, suggestions for presentations from others, and warnings of topics to avoid for lack of interest. To begin with, here is a list of 'regular' topics we usually cover during an ENUM WG session: - Updates from countries with 'significant' developments - ENUM in production: operations, uptake, strategy Best regards - and we look forward to seeing many of you in Prague in early May: Carsten Schiefner Co-Chair, RIPE ENUM Working Group From wnagele at ripe.net Thu Mar 11 16:25:57 2010 From: wnagele at ripe.net (Wolfgang Nagele) Date: Thu, 11 Mar 2010 16:25:57 +0100 Subject: [enum-wg] Signed .ARPA Zone Roll Out On K-root Message-ID: <4B990B85.80206@ripe.net> [Apologies for duplicates] Dear Colleagues, As outlined by Joe Abley, ICANN, on the RIPE DNS Working Group mailing list, the DNS root servers will switch to a signed .ARPA zone at the beginning of next week. The mailing list archives can be found at: http://www.ripe.net/ripe/maillists/archives/dns-wg/index.html As the operator of K-root, the RIPE NCC has planned a maintenance window on 15 March 2010 between 09:00-13:00 UTC. During this period we will roll out the signed .ARPA zone. We will inform the working group once this change has been carried out. Regards, Wolfgang Nagele RIPE NCC DNS System Engineer From wnagele at ripe.net Tue Mar 16 15:04:19 2010 From: wnagele at ripe.net (Wolfgang Nagele) Date: Tue, 16 Mar 2010 15:04:19 +0100 Subject: [enum-wg] Signed .ARPA Zone Roll Out On K-root Message-ID: <4B9F8FE3.9010306@ripe.net> [Apologies for duplicate emails] Dear Colleagues, We successfully rolled out the signed .ARPA zone on K-root. Regards, Wolfgang Nagele RIPE NCC DNS System Engineer From sjoerdoo at ripe.net Wed Mar 24 11:46:30 2010 From: sjoerdoo at ripe.net (Sjoerd Oostdijck) Date: Wed, 24 Mar 2010 11:46:30 +0100 Subject: [enum-wg] Re: [dns-wg] DNSSEC Signer Replacement Project In-Reply-To: <4B7D622C.5090304@ripe.net> References: <4B7D622C.5090304@ripe.net> Message-ID: <4BA9ED86.5010907@ripe.net> Dear Colleagues, Please note that the new keys have been pre-published in the usual place at: https://www.ripe.net/projects/disi//keys/ Regards, Sjoerd Oostdijck. Andrei Robachevsky wrote: > Dear Colleagues, > > As noted during RIPE 59, the RIPE NCC is upgrading the current DNSSEC > provisioning infrastructure. This project includes the replacement of > current software signers with a more secure hardware solution. > > During this migration, an exception will be made to the double signing > policy outlined in our key maintenance procedure, which is available at: > https://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html > > In order to reduce the likelihood of validation errors as much as > possible during the migration, a one-time exception will be made to the > policy of double signing our Key Signing Keys (KSKs). This is because it > is not possible to exchange keys between our old and new signers. To > prevent signing all our zones on two signers and then merging the > results, we will pre-publish the new KSK in March 2010 as a one-time > exception. > > The DNSSEC signer migration will involve the steps detailed below. The > dates align with our standard key rollover timings, as detailed on our > website at: > https://www.ripe.net/projects/disi//keys/ > > On Tuesday, 2 March 2010, our signer will switch to the currently > pre-published Zone Signing Key (ZSK). This ZSK will not be rolled over > again until Monday, 14 June 2010. No new trust anchors need to be > configured for resolvers at this point. > > On Tuesday, 23 March 2010, we will pre-publish a new KSK and ZSK in our > zones. The new KSK will be available in our trust anchor repository, > also available at: > https://www.ripe.net/projects/disi//keys/ > > One KSK will be in use, but both KSKs must be configured as trust > anchors in DNSSEC validating resolvers. > > On Monday, 14 June 2010, the old KSK and ZSK will be deprecated. Only > the new keys will be able to validate. One KSK will be in use. > > On Tuesday, 21 September 2010, we will publish a new KSK on our website > and continue with our usual double signing policy. Two keys will then be > in use. > > Given that the parent zones of the RIPE NCC's zones are likely to be > signed in the near future, we will continue to follow the current key > maintenance procedure and lifetimes after the migration in completed. > This will allow us to make a more informed decision on the RIPE NCC's > key lifetimes when the policies for our parent zones are known. > > Regards, > > Andrei Robachevsky > Chief Technical Officer > RIPE NCC > -- Sjoerd Oostdijck RIPE Network Coordination Centre DNS Services group Singel 258, Amsterdam, NL http://www.ripe.net +31 20 535 4444