[prev in list] [next in list] [prev in thread] [next in thread]
List: dns-operations
Subject: Re: [dns-operations] Plan documents for root KSK roll project now available
From: Matt Larson <matt () kahlerlarson ! org>
Date: 2016-07-26 16:35:12
Message-ID: 4EE0B5B7-E7F2-485A-AB17-5836CF354F93 () kahlerlarson ! org
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Somewhat embarrassingly, I managed to make two date-related mistakes in =
one paragraph in the announcement I posted. The corrected text should =
read:
> The process of creating a new key, using it to sign the root DNSKEY =
RRset and securely destroying the old key will start in Q4 2016 and last =
until Q3 2018, though the portions resulting in visible changes in DNS =
occur between Q3 2017 and Q1 2018. The important milestones in the =
project are:
The dates in the following paragraph were all correct, but I'll repeat =
them here for completeness:
> - October 26, 2016: The new KSK is generated in ICANN's U.S. East =
Coast key management facility (KMF).
> - February, 2017: The new KSK is copied to ICANN's U.S. West Coast KMF =
and is considered operationally ready, and ICANN publishes the new key =
at https://data.iana.org/root-anchors/root-anchors.xml =
<https://data.iana.org/root-anchors/root-anchors.xml>. (The exact date =
is dependent on the timing of the Q1 2017 key ceremony, which has not =
yet been scheduled.)
> - July 11, 2017: The new KSK appears in the root DNSKEY RRset for the =
first time.
> - October 11, 2017: The new KSK signs the root DNSKEY RRset (and the =
old KSK no longer signs). This date is the actual KSK rollover.
> - January 11, 2018: The old KSK is published as revoked (per RFC 5011, =
"Automated Updates of DNS Security").
I apologize for the error. I'd even had coffee already, so I can't =
blame lack of caffeine...
Matt
[Attachment #5 (unknown)]
<html><head><meta http-equiv="Content-Type" content="text/html \
charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: \
space; -webkit-line-break: after-white-space;" class="">Somewhat embarrassingly, I \
managed to make two date-related mistakes in one paragraph in the announcement I \
posted. The corrected text should read:<br class=""><div class=""><br \
class=""></div><div class=""><blockquote type="cite" class=""><div class="" \
style="font-family: HelveticaNeue;"><span class="">The process of creating a new key, \
using it to sign the root DNSKEY RRset and securely destroying the old key will start \
in Q4 2016 and last until Q3 2018, though the portions resulting in visible changes \
in DNS occur between Q3 2017 and Q1 2018. The important milestones in the \
project are:</span></div></blockquote><div class=""><br class=""></div><div \
class="">The dates in the following paragraph were all correct, but I'll repeat them \
here for completeness:</div><br class=""><blockquote type="cite" class=""><div \
class="" style="font-family: HelveticaNeue;">- October 26, 2016: The new KSK is \
generated in ICANN's U.S. East Coast key management facility (KMF).</div><div \
class="" style="font-family: HelveticaNeue;"><font face="HelveticaNeue" class="">- \
February, 2017: The new KSK is copied to ICANN's U.S. West Coast KMF and is \
considered operationally ready, and ICANN publishes the new key at </font><a \
href="https://data.iana.org/root-anchors/root-anchors.xml" \
class="">https://data.iana.org/root-anchors/root-anchors.xml</a><span class="">. \
(The exact date is dependent on the timing of the Q1 2017 key ceremony, which \
has not yet been scheduled.)</span></div><div class="" style="font-family: \
HelveticaNeue;"><font face="HelveticaNeue" class="">- July 11, 2017: The new KSK \
appears in the root DNSKEY RRset for the first time.</font></div><div class="" \
style="font-family: HelveticaNeue;"><font face="HelveticaNeue" class="">- October 11, \
2017: The new KSK signs the root DNSKEY RRset (and the old KSK no longer signs). \
<i class="">This date is the actual KSK rollover.</i></font></div><div class="" \
style="font-family: HelveticaNeue;"><font face="HelveticaNeue" class="">- January 11, \
2018: The old KSK is published as revoked (per RFC 5011, "Automated Updates of DNS \
Security").</font></div></blockquote><br class=""></div><div class="">I apologize for \
the error. I'd even had coffee already, so I can't blame lack of \
caffeine...</div><div class=""><br class=""></div><div class="">Matt</div><div \
class=""><br class=""></div></body></html>
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic