<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">Hi, Carlos, everyone.</div>
<div class=""><br class="">
</div>
<div class="">I'm preparing a more technical announcement for dns-operations, NANOG, etc., that will go out tomorrow. The very short version is the the latest BIND and Unbound report trust anchor configuration to the root servers using the protocol defined
in RFC 8145. We didn't think that would be very useful for this first KSK roll because there would be so little deployment, but there are more resolvers reporting than we expected when we looked: 12,000 total in September or about 1400 unique per day (looking
at data from six root servers total). The percentage of resolvers with only KSK-2010 is about 5% total or 6%-8% per day. We decided that percentage, even from a small sample such as this, is too high to proceed until we have more information.</div>
<div class=""><br class="">
</div>
<div class="">Duane Wessels started the research on this and has done a great job. He's presenting it at DNS-OARC in San Jose on Friday.</div>
<div class=""><br class="">
</div>
<div class="">Matt</div>
<div class=""><br class="">
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Sep 27, 2017, at 6:37 PM, Carlos Martinez <<a href="mailto:carlos@lacnic.net" class="">carlos@lacnic.net</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class=""><img class="cloudmagic-smart-beacon" src="https://tr.cloudmagic.com/h/v6/emailtag/tag/2.0/1506562642/96f2d3060286ecbab9150cfe7cb38c63/5/5a1d1bdee27635000a29d0998e569e78/e8b40f40772b89528ce7457f565027f9/73804dc035dbd598f3854e8240569f3b/newton.gif" style="border:0; width:10px; height:10px;" width="10" height="10" align="right">
<div dir="auto" class="">I just received notification of this post :
<div class=""><br class="">
</div>
<div class=""><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_news_announcement-2D2017-2D09-2D27-2Den&d=DwMCAg&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=xhCX8vQGcsNMzNMbgIokNle9Mpt6sQ45tM98iwh4H0w&m=ftjD2zURm3zq9tezdO0psa8pDq8b_NWWiB4tabBcG1c&s=VNV-T7jLPJYqRe819NeGDvTJ91FnJscxaaki6SDjn3c&e=" class="">https://www.icann.org/news/announcement-2017-09-27-en[icann.org]</a></div>
<div class=""><br class="">
</div>
<div class="">Is there more information to share ?<br class="">
<div class=""><br class="">
</div>
<div class="">Carlos<br class="">
<br class="">
<div id="cm_footer" class="cm_footer">
<div id="cm_signature" class="">Sent from a mobile device. Mis disculpas.
<div class="">Enviado desde un dispositivo movil.</div>
</div>
</div>
<br class="">
<div id="cm_replymail_content_wrap" class="">
<div class="cm_replymail_content_1506562470_wrapper">On Wed, Sep 20, 2017 at 2:25 PM, Matt Larson <<a href="mailto:matt.larson@icann.org" class="">matt.larson@icann.org</a>> wrote:<br class="">
<div id="cm_replymail_content_1506562470" style="overflow: visible;" class="">
<blockquote style="margin:0;border-left: #D6D6D6 1px solid;padding-left: 10px;" class="">
The root zone management partners, ICANN and Verisign, are working together to change the DNS root zone's key-signing key (KSK). This process is referred to as "rolling" the root zone KSK.<br class="">
<br class="">
The root zone's apex DNSKEY RRset has been signed with the same KSK, known as KSK-2010, since the root zone was first signed in July, 2010. On October 11, 2017, at approximately 1600 UTC, the root zone will be published with the apex DNSKEY RRset signed for
the first time with a new KSK, known as KSK-2017. The root zone apex DNSKEY RRset will be signed with only KSK-2017 going forward.<br class="">
<br class="">
While the specific date of the KSK rollover, October 11, 2017, had been announced previously, the time of 1600 UTC on that day has not been announced until now, which is the primary purpose of this message.<br class="">
<br class="">
The public portion of the root zone KSK is configured as a trust anchor in software performing DNSSEC validation. The configuration of any software performing DNSSEC validation will need to be updated to reference KSK-2017 on or before October 11, 2017, or
all DNS responses received by that software will fail DNSSEC validation, resulting ultimately in error messages to end users. In many cases, software performing DNSSEC validation supports "Automated Updates of DNS Security", the protocol defined in RFC 5011
that can automatically update a DNSSEC validator's trust anchor configuration. If the software does not support this protocol, or it is incorrectly implemented or not configured correctly, the trust anchor will need to be updated manually.<br class="">
<br class="">
Anyone operating software performing DNSSEC validation with the root zone KSK configured as a trust anchor must take action on or before October 11, 2017, to confirm that their software is configured with KSK-2017 as a trust anchor and, if not, take the necessary
steps to update the configuration.<br class="">
<br class="">
Further information about the root KSK rollover, including information about how to check and update the trust anchor configuration of popular recursive resolver implementations that support DNSSEC validation, is available at
<a href="https://icann.org/kskroll" class="">https://icann.org/kskroll</a>.<br class="">
<br class="">
For the root zone management partners,<br class="">
<br class="">
Matt Larson<br class="">
VP of Research, ICANN<br class="">
<br class="">
Duane Wessels<br class="">
Distinguished Engineer, Verisign<br class="">
<br class="">
_______________________________________________<br class="">
root-dnssec-announce mailing list<br class="">
<a href="mailto:root-dnssec-announce@icann.org" class="">root-dnssec-announce@icann.org</a><br class="">
<a href="https://mm.icann.org/mailman/listinfo/root-dnssec-announce" class="">https://mm.icann.org/mailman/listinfo/root-dnssec-announce</a><br class="">
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</body>
</html>