Operational Notification: KSK-2010 will be retired from the root zone, potentially affecting validating resolvers

Michael McNally mcnally at isc.org
Thu Sep 28 21:10:18 UTC 2017


To all BIND server operators --

Many of you may already be aware of yesterday's announcement
from ICANN concerning the postponement of one of the steps
in the currently-in-progress root zone KSK rollover.

  https://www.icann.org/news/announcement-2017-09-27-en

Specifically, they have announced that the 11 October 2017
date that was planned for the retirement of KSK-2010 will
be postponed for at least three months because root zone
trust anchor telemetry data sent by servers running BIND and
other DNS server software indicates that many operators are
still unprepared for the change and using soon-to-be-retired
trust anchors.

To help our users be sure that they are prepared for the
transition when it occurs we have prepared an Operational
Notification concerning the KSK rollover:

  https://kb.isc.org/article/AA-01529/169/KSK-2010-Rollover.html

If you are operating a server which performs DNSSEC validation
we suggest that you take a few moments to read the notification
and follow its suggestions to ensure that you are prepared when
ICANN resume the root KSK rollover.

Michael McNally
ISC Security Officer


