[BPF] Fwd: Upcoming changes to the DNSSEC root trust anchor

Fernando Frediani fhfrediani at gmail.com
Tue Nov 5 23:58:30 -03 2024


New KSK Trust Anchor to update on recursive DNS resolvers.


-------- Forwarded Message --------
Subject: 	[lacnog] Upcoming changes to the DNSSEC root trust anchor
Date: 	Tue, 5 Nov 2024 22:12:28 +0000
From: 	Andres Pavez <andres.pavez at iana.org>
Reply-To: 	Latin America and Caribbean Region Network Operators Group 
<lacnog at lacnic.net>
To: 	lacnog at lacnic.net <lacnog at lacnic.net>



Dear Colleagues,

We are reaching out to inform you of important changes to the DNSSEC 
trust anchor in the root zone. If you manage a validating DNS resolver 
or a tool that interacts with the DNS root zone you might need to change 
your software to handle the changes. This letter provides a summary of 
the upcoming changes and gives pointers to resources that describe them 
in detail.

*Upcoming addition of the KSK-2024 trust anchor*

On January 11, 2025, a new trust anchor, codenamed KSK-2024, will appear 
in the root zone for the global DNS. This key was generated earlier this 
year and will co-exist with the current trust anchor, codenamed 
KSK-2017. The new DNSKEY record is:

. 172800 IN DNSKEY 257 3 8 
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/c 
idltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHb 
GiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+s 
iFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqp 
dVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ 
1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUe ayffKC73PYc=

As a result of this addition, some DNS responses may be larger during 
the transition period. If your software uses the RFC 5011 process for 
managing trust anchors, KSK-2024 will be automatically trusted about one 
month after its introduction to the root zone. There are two important 
planned dates:

* October 11, 2026: KSK-2024 will begin signing the root zone.
* January 11, 2027: KSK-2017 is scheduled to be revoked.

For a detailed description of the rollover process, please refer to 
https://www.iana.org/dnssec/files

*New trust anchor file*

IANA has issued a new trust anchor file using the updated XML format 
described in 
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/ , which 
has recently been approved to be published as an RFC. The new trust 
anchor file contains additional data that was not provided in previous 
versions of the file.

If your software or processes use the IANA trust anchor file (published 
at https://data.iana.org/root-anchors/root-anchors.xml ), you should 
ensure you have processes to retrieve it regularly (such as weekly) and 
check your systems can process the revised format of the file.

*Keep in touch*

Operational announcements regarding trust anchors and rollovers are 
published on the root-dnssec-announce mailing list at 
https://lists.icann.org/postorius/lists/root-dnssec-announce.icann.org/ 
. A separate ksk-rollover mailing list, a forum for discussion 
specific to rollovers, can be found at 
https://lists.icann.org/postorius/lists/ksk-rollover.icann.org/ .

Best regards,

-- 
Andres Pavez Cryptographic Key Manager
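
An added example, not part of the forwarded message or of IANA's tooling: a Python check that a trust anchor file in the revised format is internally consistent, recomputing each entry's key tag and SHA-256 DS digest from its published key and reporting whether the entry is inside its validity window. The element names (KeyDigest, KeyTag, Algorithm, DigestType, Digest, PublicKey, Flags) are taken from the rfc7958bis draft as understood here, and the sample file, ids and key are constructed.

```python
import base64, hashlib, struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

def dnskey_rdata(flags, algorithm, key_b64):
    # DNSKEY RDATA: flags (16 bit), protocol (always 3), algorithm, public key
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    # Key tag checksum from RFC 4034, Appendix B
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(rdata):
    # DS digest type 2: SHA-256 over owner name in wire form (root = 0x00) + RDATA
    return hashlib.sha256(b"\x00" + rdata).hexdigest().upper()

def check_anchors(xml_text, now):
    """Map each KeyDigest id to (active_now, consistent); consistent is None
    when the entry has no PublicKey element (older file format)."""
    results = {}
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        until = kd.get("validUntil")
        active = (datetime.fromisoformat(kd.get("validFrom")) <= now
                  and (until is None or now < datetime.fromisoformat(until)))
        consistent, pk = None, kd.findtext("PublicKey")
        if pk is not None:
            # Assumption: a missing Flags element means 257 (KSK)
            rdata = dnskey_rdata(int(kd.findtext("Flags", "257")),
                                 int(kd.findtext("Algorithm")), pk)
            consistent = (kd.findtext("DigestType") == "2"
                          and key_tag(rdata) == int(kd.findtext("KeyTag"))
                          and ds_sha256(rdata) == kd.findtext("Digest").strip().upper())
        results[kd.get("id")] = (active, consistent)
    return results

def sample_xml():
    # Constructed sample: the key below is made-up bytes, not a real root key
    key = base64.b64encode(hashlib.sha256(b"constructed").digest() * 8).decode()
    rd = dnskey_rdata(257, 8, key)
    tmpl = ('<KeyDigest id="{0}" validFrom="{1}"{2}><KeyTag>{3}</KeyTag>'
            '<Algorithm>8</Algorithm><DigestType>2</DigestType>'
            '<Digest>{4}</Digest>{5}</KeyDigest>')
    pub = "<PublicKey>%s</PublicKey><Flags>257</Flags>" % key
    good = tmpl.format("K-good", "2024-01-01T00:00:00+00:00", "", key_tag(rd), ds_sha256(rd), pub)
    bad = tmpl.format("K-bad", "2024-01-01T00:00:00+00:00", "", key_tag(rd), "00" * 32, pub)
    old = tmpl.format("K-old", "2010-01-01T00:00:00+00:00",
                      ' validUntil="2019-01-01T00:00:00+00:00"', 12345, "AB" * 32, "")
    return "<TrustAnchor><Zone>.</Zone>%s%s%s</TrustAnchor>" % (good, bad, old)

if __name__ == "__main__":
    print(check_anchors(sample_xml(), datetime.now(timezone.utc)))
```

An entry that reports `consistent` as `False` means the published key does not hash to the published digest, so the file should not be loaded as a trust anchor source until the discrepancy is explained.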