Keys

Remember, remember the 11th of October

Let's talk Root KSK Rollover! If you run your own resolver at home, or at the office, you need to act now. Let us show you how.

By now, you've probably already heard plenty about the Root KSK Rollover. If not, you might find these sources educational:

We have now come to the point where time is of the essence. If you run your own resolver at home, or at the office, you need to act now.

The new trust anchor has been published in the root zone since the 11th of July.

Check your current status like this:

```
$ dig +edns=0 +multiline . dnskey

; <<>> DiG 9.8.3-P1 <<>> +edns=0 +multiline . dnskey
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63227
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 78938 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036
. 78938 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; key id = 20326
. 78938 IN DNSKEY 256 3 8 (
AwEAAYvxrQOOujKdZz+37P+oL4l7e35/0diH/mZITGjl
p4f81ZGQK42HNxSfkiSahinPR3t0YQhjC393NX4TorSi
TJy76TBWddNOkC/IaGqcb4erU+nQ75k2Lf0oIpA7qTCk
3UkzYBqhKDHHAr2UditE7uFLDcoX4nBLCoaH5FtfxhUq
yTlRu0RBXAEuKO+rORTFP0XgA5vlzVmXtwCkb9G8GknH
uO1jVAwu3syPRVHErIbaXs1+jahvWWL+Do4wd+lA+TL3
+pUk+zKTD2ncq7ZbJBZddo9T7PZjvntWJUzIHIMWZRFA
jpi+V7pgh0o1KYXZgDUbiA1s9oLAL1KLSdmoIYM=
) ; key id = 15768

;; Query time: 32 msec
;; SERVER: 172.17.41.10#53(172.17.41.10)
;; WHEN: Wed Sep 6 10:47:09 2017
;; MSG SIZE rcvd: 856
```

As you can see, we receive three keys: two Key-Signing Keys (KSK, flags field 257) and one Zone-Signing Key (ZSK, flags field 256). The KSK with key tag 19036 is the old KSK; the one with key tag 20326 is the new KSK.

Most modern resolver software can update the trust anchor automatically. The mechanism is defined in RFC 5011: the resolver periodically queries the root zone for DNSKEY records, and it accepts a new key as a trust anchor once it has seen that key in the root zone continuously for 30 days (the add hold-down time). The new trust anchor has now been in the root zone for more than 60 days, so if your resolver performs the automatic update, you should be able to see that it has accepted the new trust anchor. Otherwise it is time to act.
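As an added example (not code from the original post), the script below parses the dig output shown above, recomputes each key tag from the DNSKEY RDATA as specified in RFC 4034 Appendix B, classifies each key as KSK or ZSK from the flags field (257 = ZONE + SEP, 256 = ZONE only, plus the RFC 5011 REVOKE bit), reports whether the new KSK 20326 is present, and applies the 30-day add hold-down rule from the paragraph above. The key material is copied from the dig output on this page; the function names and the dates fed to the hold-down check are this example's own assumptions.

```python
import base64
import re
from datetime import date

# Sample input: the ANSWER SECTION of the dig output above, embedded so the
# script runs offline. Replace with `dig +edns=0 +multiline . dnskey` output
# from your own resolver to check it.
DIG_OUTPUT = """
;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 78938 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; key id = 19036
. 78938 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; key id = 20326
. 78938 IN DNSKEY 256 3 8 (
AwEAAYvxrQOOujKdZz+37P+oL4l7e35/0diH/mZITGjl
p4f81ZGQK42HNxSfkiSahinPR3t0YQhjC393NX4TorSi
TJy76TBWddNOkC/IaGqcb4erU+nQ75k2Lf0oIpA7qTCk
3UkzYBqhKDHHAr2UditE7uFLDcoX4nBLCoaH5FtfxhUq
yTlRu0RBXAEuKO+rORTFP0XgA5vlzVmXtwCkb9G8GknH
uO1jVAwu3syPRVHErIbaXs1+jahvWWL+Do4wd+lA+TL3
+pUk+zKTD2ncq7ZbJBZddo9T7PZjvntWJUzIHIMWZRFA
jpi+V7pgh0o1KYXZgDUbiA1s9oLAL1KLSdmoIYM=
) ; key id = 15768
"""

# DNSKEY flag bits (RFC 4034 section 2.1.1 and RFC 5011 section 2.1)
FLAG_SEP = 0x0001     # Secure Entry Point: the key is intended as a trust anchor (KSK)
FLAG_REVOKE = 0x0080  # RFC 5011 revocation bit
FLAG_ZONE = 0x0100    # Zone key

# dig +multiline prints "IN DNSKEY flags proto alg (" then base64 lines then ")"
DNSKEY_RE = re.compile(r"IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+\(([^)]*)\)")


def parse_dnskeys(text):
    """Return (flags, protocol, algorithm, key_bytes) for each DNSKEY record in dig output."""
    records = []
    for m in DNSKEY_RE.finditer(text):
        flags, proto, alg = (int(g) for g in m.groups()[:3])
        key = base64.b64decode(re.sub(r"\s+", "", m.group(4)))
        records.append((flags, proto, alg, key))
    return records


def key_tag(flags, protocol, algorithm, key):
    """Key tag per RFC 4034 Appendix B, computed over the full DNSKEY RDATA.
    Algorithm 1 (RSA/MD5) uses a different rule and is rejected here."""
    if algorithm == 1:
        raise ValueError("key tag rule for algorithm 1 not implemented")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes added as-is, even bytes shifted
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def classify(flags):
    """KSK = ZONE+SEP (257), ZSK = ZONE only (256); a set REVOKE bit overrides both."""
    if flags & FLAG_REVOKE:
        return "revoked"
    return "KSK" if flags & FLAG_SEP else "ZSK"


def rollover_status(text, old_ksk=19036, new_ksk=20326):
    """Summarise which key tags the resolver returned and whether the new root KSK is visible."""
    status = {"KSK": [], "ZSK": [], "revoked": []}
    for flags, proto, alg, key in parse_dnskeys(text):
        status[classify(flags)].append(key_tag(flags, proto, alg, key))
    status["old_ksk_present"] = old_ksk in status["KSK"]
    status["new_ksk_present"] = new_ksk in status["KSK"]
    return status


def add_hold_down_elapsed(first_seen_iso, checked_on_iso, hold_down_days=30):
    """RFC 5011 add hold-down: a new key becomes a trust anchor only after it has been
    seen continuously for at least 30 days. Returns (days seen, hold-down elapsed?)."""
    days = (date.fromisoformat(checked_on_iso) - date.fromisoformat(first_seen_iso)).days
    return days, days >= hold_down_days


if __name__ == "__main__":
    s = rollover_status(DIG_OUTPUT)
    print("KSKs:", s["KSK"], "ZSKs:", s["ZSK"], "revoked:", s["revoked"])
    print("new KSK 20326 visible:", s["new_ksk_present"])
    # Dates from this post: published 11 July 2017, checked on the 10 September deadline
    days, ok = add_hold_down_elapsed("2017-07-11", "2017-09-10")
    print(f"new KSK present for {days} days; add hold-down elapsed: {ok}")
```

Seeing 20326 in the DNSKEY answer only shows that the root zone publishes it; whether your resolver has accepted it as a trust anchor is a separate question that you check in the resolver's own key file or status command, which is where a REVOKE-flagged (385) old key will also show up after the rollover completes.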

You have until Sunday the 10th of September to fix your resolver so that it updates automatically, or to prepare a manual update before the 11th of October.

So do yourself, and all the people relying on you, a favour today and check your resolver for the new trust anchor.