<!DOCTYPE html>

<html>

  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">

  </head>

  <body>

    <p>Nova KSK Trust Anchor para atualizar nos DNS Recursivos.<br>

    </p>

    <div class="moz-forward-container"><br>

      -------- Forwarded Message --------

      <table cellpadding="0" cellspacing="0" border="0"

        class="moz-email-headers-table">

        <tbody>

          <tr>

            <th valign="BASELINE" align="RIGHT" nowrap="nowrap">Subject:

            </th>

            <td>[lacnog] Upcoming changes to the DNSSEC root trust

              anchor</td>

          </tr>

          <tr>

            <th valign="BASELINE" align="RIGHT" nowrap="nowrap">Date: </th>

            <td>Tue, 5 Nov 2024 22:12:28 +0000</td>

          </tr>

          <tr>

            <th valign="BASELINE" align="RIGHT" nowrap="nowrap">From: </th>

            <td>Andres Pavez <a class="moz-txt-link-rfc2396E" href="mailto:andres.pavez@iana.org"><andres.pavez@iana.org></a></td>

          </tr>

          <tr>

            <th valign="BASELINE" align="RIGHT" nowrap="nowrap">Reply-To:

            </th>

            <td>Latin America and Caribbean Region Network Operators

              Group <a class="moz-txt-link-rfc2396E" href="mailto:lacnog@lacnic.net"><lacnog@lacnic.net></a></td>

          </tr>

          <tr>

            <th valign="BASELINE" align="RIGHT" nowrap="nowrap">To: </th>

            <td><a class="moz-txt-link-abbreviated" href="mailto:lacnog@lacnic.net">lacnog@lacnic.net</a> <a class="moz-txt-link-rfc2396E" href="mailto:lacnog@lacnic.net"><lacnog@lacnic.net></a></td>

          </tr>

        </tbody>

      </table>

      <br>

      <br>

      Dear Colleagues,<br>

      <br>

      We are reaching out to inform you of important changes to the

      DNSSEC trust anchor in the root zone. If you manage a validating

      DNS resolver or a tool that interacts with the DNS root zone you

      might need to change your software to handle the changes. This

      letter provides a summary of the upcoming changes and gives

      pointers to resources that describe them in detail.<br>

      <br>

      *Upcoming addition of the KSK-2024 trust anchor*<br>

      <br>

      On January 11, 2025, a new trust anchor, codenamed KSK-2024, will

      appear in the root zone for the global DNS. This key was generated

      earlier this year and will co-exist with the current trust anchor,

      codenamed KSK-2017. The new DNSKEY record is:<br>

      <br>

      . 172800 IN DNSKEY 257 3 8

      AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/c

      idltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHb

      GiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+s

      iFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqp

      dVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ

      1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUe

      ayffKC73PYc=<br>

      <br>

      As a result of this addition, some DNS responses may be larger

      during the transition period. If your software uses the RFC 5011

      process for managing trust anchors, KSK-2024 will be automatically

      trusted about one month after its introduction to the root zone.

      There are two important planned dates:<br>

      <br>

      * October 11, 2026: KSK-2024 will begin signing the root zone.<br>

      * January 11, 2027: KSK-2017 is scheduled to be revoked.<br>

      <br>

      For a detailed description of the rollover process, please refer

      to <a class="moz-txt-link-freetext" href="https://www.iana.org/dnssec/files">https://www.iana.org/dnssec/files</a> <br>

      *New trust anchor file*<br>

      <br>

      IANA has issued a new trust anchor file using the updated XML

      format described in

      <a class="moz-txt-link-freetext" href="https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/">https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/</a> ,

      which has recently been approved to be published as an RFC. The

      new trust anchor file contains additional data that was not

      provided in previous versions of the file.<br>

      <br>

      If your software or processes use the IANA trust anchor file

      (published at <a class="moz-txt-link-freetext" href="https://data.iana.org/root-anchors/root-anchors.xml">https://data.iana.org/root-anchors/root-anchors.xml</a>

      ), you should ensure you have processes to retrieve it regularly

      (such as weekly) and check your systems can process the revised

      format of the file.<br>

      <br>

      *Keep in touch*<br>

      <br>

      Operational announcements regarding trust anchors and rollovers

      are published on the root-dnssec-announce mailing list at

      <a class="moz-txt-link-freetext" href="https://lists.icann.org/postorius/lists/root-dnssec-announce.icann.org/">https://lists.icann.org/postorius/lists/root-dnssec-announce.icann.org/</a>

      . A separate ksk-rollover mailing list is a forum for discussion

      specific to rollovers can be found at

      <a class="moz-txt-link-freetext" href="https://lists.icann.org/postorius/lists/ksk-rollover.icann.org/">https://lists.icann.org/postorius/lists/ksk-rollover.icann.org/</a> .<br>

      <br>

      Best regards,<br>

      <pre class="moz-signature">-- 

Andres Pavez Cryptographic Key Manager 

</pre>

    </div>

  </body>

</html>