[ksk-rollover] Infoblox does not support RFC5011

Lagerholm, Stephan Stephan.Lagerholm1 at T-Mobile.com
Wed Jun 21 18:52:02 UTC 2017

Hi,

About a week or so ago I got a notification email from Infoblox that they do not support RFC5011. They are referring to a Knowledge Base article on their site on how to enable the new key in the products, see below. I know that Infoblox is a common product in the marketplace. It worries me that some of their customers will not get/read/take action on the notification, resulting in resolution starting to fail on Oct 11th. Especially the US Govt. sector worries me, as they have various mandates to implement DNSSEC but (based on my own experience and some speculation) sometimes lack the skills and long-term vision to maintain it properly. Is there any additional outreach or action that can be taken to make sure that the KSK rollover doesn't break Infoblox customers?

Dear Customer,

In 2016 the Internet Corporation for Assigned Names and Numbers (ICANN) announced<http://app.e.infoblox.com/e/er?s=953&lid=5086&elqTrackId=EDFAFB40787A8022D6B38CB9D62FEDEE&elq=f359f85170894eb28fe78ec6c1d4d824&elqaid=13120&elqat=1> a two-year execution plan for rolling the Root Zone Domain Name System Security Extensions (DNSSEC) KSK key.

According to that plan, on October 11, 2017, a new KSK key will be used to sign the Root Zone DNSKEY resource record set (the actual rollover event). This requires an action on your part.

Rolling the KSK key means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root's "trust anchor." The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS.

Maintaining an up-to-date KSK is essential to ensuring DNSSEC-validating DNS resolvers continue to function following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries, which would lead to an outage.

Currently Infoblox NIOS does not support the "Automated Updates of DNS Security (DNSSEC) Trust Anchors" feature (RFC-5011) that automatically updates the key. Therefore, the new Root Zone KSK key must be manually updated on all DNSSEC-validation-enabled servers.

Please refer to Infoblox Support KB # 5729<https://support.infoblox.com/app/utils/login_form/redirect/answers%252Fdetail%252Fa_id%252F5672%252Fkw%252FICANN?elqTrackId=67C1F69D23B24D2B3F64EE38F0F79CE0&elq=f359f85170894eb28fe78ec6c1d4d824&elqaid=13120&elqat=1&elqCampaignId=10969> for the ICANN plan details and steps to update the new Root Zone KSK key to prevent potential DNS resolution issues.


Infoblox Support Team
