Root Zone KSK Ceremony VII

Joe Abley joe.abley at icann.org
Wed Sep 28 22:18:36 UTC 2011


Colleagues,

ICANN will execute KSK Ceremony VII to support DNSSEC signatures in the root zone in Q1/2012 in Culpeper, VA, USA on Friday 30 September 2011. For more information regarding the logistics of the ceremony, please refer to <http://dns.icann.org/ksk/ceremony/ceremony-7/>.

The timing of ceremony VII is slightly earlier than the usual schedule in order to accommodate Trusted Community Representative (TCR) travel, and to avoid clashes with other meetings in October and November. As a result the final signature in the Key Signature Request (KSR) ICANN will receive from VeriSign has an expiration date that exceeds the normal maximum signature validity period by a number of days. This maximum signature validity was enforced in the software used in previous key ceremonies to produce a Signed Key Response (SKR).

ICANN has modified the KSR processing software used in the ceremony according to its documented internal Software Development Life-Cycle (SDLC), such that a KSR with a signature that extends beyond the usual maximum validity period now triggers a prominent warning rather than a hard error. When this warning occurs during KSK Ceremony VII, it will be logged and described in detail in order to ensure that all observers are fully aware of its meaning.

The updated software (incorporated in the updated DVD image which will be used in Ceremony VII) has been published at <http://data.iana.org/ksk-ceremony/7/> to facilitate public review. All system binaries on the new DVD image have been verified to be identical to that used in previous ceremonies, with the exception of the updated KSR-processing binaries for which source is provided.

Regards,


Joe Abley
Director DNS Operations
ICANN


More information about the root-dnssec-announce mailing list