[Fwd: Signing of the ARPA zone]
FYI

-------- Original Message --------
Subject: Signing of the ARPA zone
Date: Wed, 10 Mar 2010 13:13:46 -0800
From: Joe Abley <joe.abley@icann.org>
To: Joe Abley <joe.abley@icann.org>

Colleagues,

This is a technical, operational announcement regarding changes to the ARPA top-level domain. Apologies in advance for duplicates received through different mailing lists.

No specific action is requested of operators. This message is for your information only.

The ARPA zone is about to be signed using DNSSEC. The technical parameters by which ARPA will be signed are as follows:

KSK Algorithm and Size: 2048 bit RSA
KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
KSK Signature Algorithm: SHA-256
Validity period for signatures made with KSK: 15 days; new signatures published every 10 days

ZSK Algorithm and Size: 1024 bit RSA
ZSK Rollover: every 3 months
ZSK Signature Algorithm: SHA-256
Authenticated proof of non-existence: NSEC
Validity period for signatures made with ZSK: 7 days; zone generated and re-signed twice per day

The twelve root server operators [1] will begin to serve a signed ARPA zone instead of the (current) unsigned ARPA zone during a maintenance window which will open at 2010-03-15 0001 UTC and close at 2010-03-17 2359 UTC. Individual root server operators will carry out their maintenance at times within that window according to their own operational preference.

The trust anchor for the ARPA zone will be published in the ITAR [2], and in the root zone in the form of a DS record once the root zone is signed.

If you have any concerns or require further information, please let me know.

Regards,

Joe Abley
Director DNS Operations, ICANN

[1] <http://www.root-servers.org/>
[2] <https://itar.iana.org/>
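An added example, not part of the ICANN announcement or of this thread: the check an operator can run once the ARPA KSK and its trust anchor are published, namely recompute the DS record from the DNSKEY that ARPA serves and confirm it matches the DS published in the ITAR (and later in the root zone). The DNSKEY below is a constructed four-byte placeholder chosen so the key-tag arithmetic is easy to follow by hand; it is not the real ARPA key. The owner name arpa. is taken from the announcement. Algorithm 8 is RSA/SHA-256 (RFC 5702), which is what "2048 bit RSA" with a SHA-256 signature algorithm corresponds to; the DNSKEY flags 257 mark a zone key with the SEP bit set, which is what a KSK published as a trust anchor carries.

```python
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG, SEP_FLAG = 0x0100, 0x0001   # DNSKEY flag bits, RFC 4034 section 2.1.1
ALG_RSASHA256 = 8                           # RFC 5702: RSA with SHA-256


def name_to_wire(name):
    """Canonical wire form of an owner name (lowercase labels, RFC 4034 section 6.2)."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.lower().encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_dnskey(presentation):
    """'flags protocol algorithm base64...' (as dig prints it) -> DNSKEY RDATA wire bytes."""
    flags, protocol, algorithm, *key_parts = presentation.split()
    key = base64.b64decode("".join(key_parts))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rdata):
    """Trust anchor candidate: zone key with the SEP flag set (flags 257) and protocol 3."""
    flags, protocol = struct.unpack("!HB", rdata[:3])
    wanted = ZONE_KEY_FLAG | SEP_FLAG
    return flags & wanted == wanted and protocol == 3


def ds_from_dnskey(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) per RFC 4034 section 5.1.4:
    digest = hash(canonical owner name | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def dnskey_matches_ds(owner, rdata, ds_text):
    """Compare a DNSKEY against DS RDATA in presentation form: 'tag alg dtype hexdigest'.
    The digest may be split over several whitespace-separated chunks, as dig prints it."""
    tag, alg, dtype, *digest_parts = ds_text.split()
    expected = ds_from_dnskey(owner, rdata, int(dtype))
    return (expected[:3] == (int(tag), int(alg), int(dtype))
            and expected[3] == "".join(digest_parts).upper())


if __name__ == "__main__":
    # Constructed placeholder key material (4 bytes); a real RSA-2048 DNSKEY carries ~260 bytes.
    ksk = parse_dnskey("257 3 8 AQIDBA==")
    tag, alg, dtype, digest = ds_from_dnskey("arpa.", ksk)
    print(f"arpa. IN DS {tag} {alg} {dtype} {digest}")
    print("is KSK:", is_ksk(ksk),
          "matches DS:", dnskey_matches_ds("arpa.", ksk, f"{tag} {alg} {dtype} {digest}"))
```

To use it against live data, paste the DNSKEY RDATA from `dig +dnssec arpa. DNSKEY` into parse_dnskey and the DS RDATA from the ITAR into dnskey_matches_ds; the comparison is done on the recomputed digest, so a DS that was fetched over an untrusted path but does not match the served key is rejected, and a key without the SEP flag is flagged by is_ksk before it is accepted as an anchor.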
Sorry Michuki, Listers,

Just wondering .... from the document that you directed us to, together with the content of your mail, it appears like we only have 12 root servers. My understanding is that we have 13 root servers (in terms of the allowable IP addresses). Kindly clarify this....

BFN
Okech JM
My blog

--- On Wed, 3/10/10, Michuki Mwangi <michuki@swiftkenya.com> wrote:

From: Michuki Mwangi <michuki@swiftkenya.com>
Subject: [kictanet] [Fwd: Signing of the ARPA zone]
To: okechjr@yahoo.com
Cc: "KICTAnet ICT Policy Discussions" <kictanet@lists.kictanet.or.ke>
Date: Wednesday, March 10, 2010, 9:20 PM

FYI

-------- Original Message --------
Subject: Signing of the ARPA zone
Date: Wed, 10 Mar 2010 13:13:46 -0800
From: Joe Abley <joe.abley@icann.org>
To: Joe Abley <joe.abley@icann.org>

[...]
hi,

On Mon, Mar 22, 2010 at 9:56 AM, JM Okech <okechjr@yahoo.com> wrote:

Sorry Michuki, Listers, Just wondering .... from the document that you directed us to, together with the content of your mail, it appears like we only have 12 root servers. My understanding is that we have 13 root servers (in terms of the allowable IP addresses). Kindly clarify this....

historically, not all of the roots have served the ARPA zone, so "J" is not serving that zone.

On dns-ops, DRC just pointed us to RFC 2870 section 2.5 if you are really interested.

--
Cheers,

McTim
"A name indicates what we seek. An address indicates where it is. A route indicates how we get there." Jon Postel
Hi McTim, Joe, McTim wrote:
hi,
historically, not all of the roots have served the ARPA zone, so "J" is not serving that zone.
Thanks McTim, i totally missed the reference point that Okech was making from the original email.
On dns-ops, DRC just pointed us to RFC 2870 section 2.5 if you are really interested.
Which doesn't specifically say that J root does not serve ARPA, but rather states which zones authoritative servers should serve.

Regards,
Michuki.
Hi Okech, JM Okech wrote:
Sorry Michuki, Listers, Just wondering .... from the document that you directed us to, together with the content of your mail, it appears like we only have 12 root servers. My understanding is that we have 13 root servers (in terms of the allowable IP addresses). Kindly clarify this....

There are 13, noted with letters A - M; unless your page did not load completely, please check and confirm.

The limitation was a result of the maximum DNS UDP packet size. The size, set at 512 bytes, therefore limits the amount of information that can be carried at any given time. Therefore, using a short naming format ("a.root-servers.net") plus the IPv4 address space, it was only possible to fit in 13 of them.

This has since changed. With the introduction of IPv6 glue for the root servers, and soon the DNSSEC information, there was a need for a review of this limitation. EDNS0 allows DNS to pass packets beyond 512 bytes. However, due to legacy systems and installations it does not work very well, as these systems tend to block or drop DNS packets beyond 512 bytes.

The Wikipedia explanation for EDNS0 should give you the finer details of how it works.
http://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS

Regards,
Michuki.
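An added example, not part of the thread or of the pages it links: the Python below builds the root priming response Michuki is describing (the answer to a ". IN NS" query) in DNS wire format with RFC 1035 name compression, and measures it. With the a.root-servers.net naming, 13 NS records plus 13 A glue records come to 436 bytes, under the classic 512-byte UDP limit; adding a 16-byte AAAA glue record for every server takes the same response to 800 bytes, which is why IPv6 glue for the root servers depends on EDNS0 (RFC 2671 at the time of the thread, now RFC 6891). The glue addresses are constructed placeholders from the documentation ranges, not the real root server addresses; the sizes do not depend on the address values. The code also builds the OPT pseudo-record with which an EDNS0 resolver advertises a larger UDP buffer and sets the DNSSEC OK bit.

```python
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT = 1, 2, 28, 41
ANSWER, AUTHORITY, ADDITIONAL = 1, 2, 3
CLASSIC_UDP_LIMIT = 512                 # RFC 1035 section 2.3.4, before EDNS0
EDNS_DO = 0x8000                        # DNSSEC OK bit in the OPT TTL field (RFC 3225)
ROOT_SERVER_LETTERS = "abcdefghijklm"   # a.root-servers.net .. m.root-servers.net


class DnsMessage:
    """Minimal DNS wire-format builder with RFC 1035 section 4.1.4 name compression."""

    def __init__(self, msg_id=0x1234, flags=0x8180):   # QR, RD, RA set: a normal response
        self.buf = bytearray(struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0))
        self.counts = [0, 0, 0, 0]        # QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
        self.offsets = {}                 # lowercase name suffix -> offset of first occurrence

    def write_name(self, name):
        labels = [l for l in name.rstrip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels).lower()
            if suffix in self.offsets:            # already in the message: 2-byte pointer
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if len(self.buf) <= 0x3FFF:           # pointers are 14 bits wide
                self.offsets[suffix] = len(self.buf)
            label = labels.pop(0).encode("ascii")
            self.buf += bytes([len(label)]) + label
        self.buf += b"\x00"                       # root label ends the name

    def add_question(self, name, qtype, qclass=1):
        self.write_name(name)
        self.buf += struct.pack("!HH", qtype, qclass)
        self.counts[0] += 1

    def add_rr(self, section, name, rtype, ttl, rdata, rclass=1):
        """rdata is bytes, or a callable that writes compressed names into the message."""
        self.write_name(name)
        self.buf += struct.pack("!HHIH", rtype, rclass, ttl, 0)   # RDLENGTH patched below
        rdlen_pos = len(self.buf) - 2
        if callable(rdata):
            rdata(self)
        else:
            self.buf += rdata
        struct.pack_into("!H", self.buf, rdlen_pos, len(self.buf) - rdlen_pos - 2)
        self.counts[section] += 1

    def add_opt(self, udp_payload, flags=EDNS_DO):
        # EDNS0 OPT pseudo-RR: owner ".", CLASS carries the sender's UDP buffer size,
        # TTL carries extended RCODE, version and flags (here only DO).
        self.add_rr(ADDITIONAL, ".", TYPE_OPT, flags, b"", rclass=udp_payload)

    def to_bytes(self):
        struct.pack_into("!HHHH", self.buf, 4, *self.counts)
        return bytes(self.buf)


def build_priming_response(letters=ROOT_SERVER_LETTERS, ipv6_glue=False, edns_payload=None):
    """Response to '. IN NS': the root NS set plus glue, as a root server would answer it."""
    msg = DnsMessage()
    msg.add_question(".", TYPE_NS)
    for c in letters:
        msg.add_rr(ANSWER, ".", TYPE_NS, 518400,
                   lambda m, c=c: m.write_name(f"{c}.root-servers.net."))
    for i, c in enumerate(letters, start=1):
        host = f"{c}.root-servers.net."
        # Constructed placeholder glue from the documentation ranges (RFC 5737, RFC 3849).
        msg.add_rr(ADDITIONAL, host, TYPE_A, 3600000, bytes([192, 0, 2, i]))
        if ipv6_glue:
            msg.add_rr(ADDITIONAL, host, TYPE_AAAA, 3600000,
                       bytes.fromhex("20010db8") + bytes(11) + bytes([i]))
    if edns_payload is not None:
        msg.add_opt(edns_payload)
    return msg.to_bytes()


def header_counts(message):
    """(QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) of a wire-format message."""
    return struct.unpack_from("!HHHH", message, 4)


def fits_classic_udp(message):
    """True if a resolver without EDNS0 can receive this response untruncated."""
    return len(message) <= CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    for label, kwargs in [("A glue only", {}),
                          ("A + AAAA glue", {"ipv6_glue": True}),
                          ("A + AAAA glue + OPT", {"ipv6_glue": True, "edns_payload": 4096})]:
        resp = build_priming_response(**kwargs)
        print(f"{label:22s} {len(resp):4d} bytes   fits in 512: {fits_classic_udp(resp)}")
```

The 436-byte figure comes almost entirely from compression: only the first NS target spells out root-servers.net in full, every later name is one label plus a two-byte pointer, and every glue owner is a bare pointer. Without EDNS0 a server that cannot fit the glue sets the TC bit and the resolver must retry over TCP, which is the failure mode behind the legacy-middlebox complaint in the message above.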