[rsnog] FW: ICANN Launches Testing Platform for the KSK Rollover

Danko Jevtović danko.jevtovic at rnids.rs
Mon Mar 27 16:23:02 CEST 2017 

From: ICANN

Sent: Monday, March 27, 2017 4:16 PM
Subject: ICANN Launches Testing Platform for the KSK Rollover



Dear all,



ICANN is offering a testing platform for network operators and other 
interested parties to confirm that their systems can handle the automated 
update process for the upcoming Root Zone Domain Name Systems Security 
Extensions (DNSSEC) Key Signing Key (KSK) rollover. The KSK rollover is 
currently scheduled for 11 October 2017.



"Currently, seven hundred and fifty million people are using DNSSEC-validating 
resolvers that could be affected by the KSK rollover," said ICANN's Vice 
President of Research, Matt Larson. "The testing platform is an easy way for 
operators to confirm that their infrastructure supports the ability to handle 
the rollover without manual intervention."



Internet service providers, network operators and others who have enabled 
DNSSEC validation must update their systems with the new KSK. This can be done 
in one of two ways:



*	An operator can configure a new trust anchor manually by obtaining the new 
root zone KSK from the iana.org website 
athttps://www.iana.org/dnssec/files[iana.org] 
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iana.org_dnssec_files&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=HyTT2ymvadmiQcmo6B088sWOukGjEbibHJ64u5rMiME&m=TNPXvtONjAAnVSedmMlrKkKD3h_yRdrtaddLwDup9gY&s=STS1dkGVJ7b7nn8dj-I4Yiar3cAOMy1Wk8IdFgpnxzI&e=> 
.
*	An operator can enable a feature available in many validating resolvers that 
automatically detects and configures a new root zone KSK as a trust anchor, in 
which case they need take no action.
*

Check to see if your systems are ready by visiting 
go.icann.org/KSKtest[go.icann.org] 
<https://urldefense.proofpoint.com/v2/url?u=http-3A__go.icann.org_KSKtest&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=HyTT2ymvadmiQcmo6B088sWOukGjEbibHJ64u5rMiME&m=TNPXvtONjAAnVSedmMlrKkKD3h_yRdrtaddLwDup9gY&s=JY4zvqELSIMLIfvrZsNeHmSv1xUCGQhbHZxdc2VBiZc&e=> 
.



The KSK has been widely distributed and configured by every operator 
performing DNSSEC validation. If the validating resolvers using DNSSEC do not 
have the new key when the KSK is rolled, end users relying on those resolvers 
will encounter errors and be unable to access the Internet. A careful and 
coordinated effort is required to ensure that the update does not interfere 
with normal operations.

More information is available at www.icann.org/kskroll[icann.org] 
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_kskroll&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=HyTT2ymvadmiQcmo6B088sWOukGjEbibHJ64u5rMiME&m=TNPXvtONjAAnVSedmMlrKkKD3h_yRdrtaddLwDup9gY&s=MB0VEmsYPlZSTpJTPk5uwAI4peF76wn9erl_EAYQNmk&e=> 
.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.rnids.rs/pipermail/rsnog/attachments/20170327/39981af4/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4817 bytes
Desc: not available
URL: <https://lists.rnids.rs/pipermail/rsnog/attachments/20170327/39981af4/attachment.bin>

More information about the rsnog mailing list