nz DNSSEC KSK rollover - Standby Chain
Kia ora koutou,

InternetNZ is beginning its return to routine DNSSEC operations. Starting on 15-07-2024, we will begin our improved process, which incorporates changes from internal and external reviews following the DNSSEC incident in May 2023. This will consist of four short maintenance windows, in which we will pause zone distribution to make changes, perform validation, and resume zone distribution. The status and scheduling will be posted to status.internetnz.nz. To be notified, subscribe to IRS Production > Zone Publish.

Window 1
We will change the DS TTL in the DNSSEC policy for the standby chain of second level domains. This change addresses the issues encountered in May 2023.

Window 2
We will perform a KSK rollover on the standby DNSSEC chain for nz, ac.nz, co.nz, net.nz, gen.nz, org.nz, govt.nz, parliament.nz, geek.nz, school.nz, kiwi.nz, iwi.nz, maori.nz, cri.nz, health.nz, and mil.nz. This will generate new DNSSEC keys and add them to the standby signing chain.

Window 3
We will mark the keys generated in Window 2 as active in the standby DNSSEC chain.

Window 4
Window 4 will occur after the TTL safety period (2xTTL, 2 days) has lapsed and DNSSEC RRset validation is possible via both the old keys and the new keys. The DNSSEC policies updated in Window 1 with the correct TTL timing will be enforced; this will result in the safe retirement of the old keys and allow us to remove redundant keys from the zones.

The current standby chain key tags for each zone are as follows:
nz: 49157, ac.nz: 5938, co.nz: 59176, cri.nz: 19190, geek.nz: 7171, gen.nz: 48574, govt.nz: 18181, health.nz: 33694, iwi.nz: 58454, kiwi.nz: 47464, maori.nz: 21689, mil.nz: 43906, net.nz: 25105, org.nz: 24626, parliament.nz: 49424, school.nz: 27382

We would like to emphasise that if you encounter any DNSSEC issues, please report them to us via registry(a)internetnz.net.nz. We will keep you updated, and provide a summary report at the conclusion of incident-related work.
Ngā mihi
Josh

--
Josh Simpson
Product Infrastructure Lead
InternetNZ | Ipurangi Aotearoa
www.internetnz.nz
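A small verification helper for the rollover described above, added here as an example and not InternetNZ's own tooling: it computes DNSKEY key tags per RFC 4034 Appendix B so a validating operator can compare the tags seen in a zone's DNSKEY RRset against the announced standby-chain tags, classify which window the zone appears to be in, and compute the earliest time Window 4 may start from the 2xTTL safety period. The DNSKEY record below is a synthetic placeholder with a constructed public key, not a real nz key.

```python
"""Added example (not InternetNZ code): key-tag and rollover-phase checks."""
import base64
import struct
from datetime import datetime, timedelta

# Key tags for the current standby chain, as listed in the announcement above.
ANNOUNCED_STANDBY_TAGS = {
    "nz": 49157, "ac.nz": 5938, "co.nz": 59176, "cri.nz": 19190,
    "geek.nz": 7171, "gen.nz": 48574, "govt.nz": 18181, "health.nz": 33694,
    "iwi.nz": 58454, "kiwi.nz": 47464, "maori.nz": 21689, "mil.nz": 43906,
    "net.nz": 25105, "org.nz": 24626, "parliament.nz": 49424, "school.nz": 27382,
}

def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even octets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line: str) -> tuple[str, int]:
    """Parse a presentation-format DNSKEY RR and return (owner, key tag)."""
    owner, _ttl, _cls, rrtype, flags, proto, alg, *key = line.split()
    if rrtype != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    return owner.rstrip("."), key_tag(int(flags), int(proto), int(alg), "".join(key))

def rollover_phase(zone: str, observed_ksk_tags: set[int]) -> str:
    """Classify the standby chain of `zone` from the KSK tags currently published."""
    old = ANNOUNCED_STANDBY_TAGS[zone]
    if observed_ksk_tags == {old}:
        return "pre-rollover"   # only the announced key: before Window 2
    if old in observed_ksk_tags and len(observed_ksk_tags) > 1:
        return "dual"           # old and new keys both present: Windows 2-3 and safety period
    if observed_ksk_tags and old not in observed_ksk_tags:
        return "rolled"         # announced key retired: after Window 4
    return "unexpected"         # empty set or anything else: investigate before trusting

def earliest_window4(window3_done_iso: str, ds_ttl_seconds: int) -> str:
    """Window 4 may start only after 2xTTL has elapsed since the new keys went active."""
    done = datetime.fromisoformat(window3_done_iso)
    return (done + timedelta(seconds=2 * ds_ttl_seconds)).isoformat()

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13, synthetic 16-byte key.
SAMPLE_DNSKEY = "example.nz. 3600 IN DNSKEY 257 3 13 AAECAwQFBgcICQoLDA0ODw=="
```

In practice the observed tag set comes from `dig +dnssec DNSKEY <zone>` filtered to records with flags 257; the helper only compares tags and does not itself validate signatures.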