[dnssec-deployment] .br KSK rollover
Matthijs Mekking
matthijs at NLnetLabs.nl
Tue Jul 1 04:24:28 EDT 2008
Just FYI...
RFC5011 has been mentioned so often on the list lately that it seems to
make sense to tell folk that an implementation of a little client-side
daemon that implements 5011 is in the making here at labs. It is
intended to work with both Unbound and BIND trust-anchor configurations.
If you are interested in testing a beta version, drop a mail to my
e-mail address. The release is scheduled for this summer.
Regards,
Matthijs Mekking
Mats.Dufberg at teliasonera.com wrote:
> Do you have any plans for supporting RFC 5011 in upcoming KSK rollovers?
> As an operator of DNSsec enabled resolvers I see that as the key to
> wide-spread inclusion of a trust anchor.
>
> Do you have your policy document in English?
>
>
> Yours,
> Mats
>
> ------------------------------------------
> Mats Dufberg
> TeliaSonera
> BBS P&P VAS/Internet
> +46-70-2582588
> mats.dufberg at teliasonera.com
> ------------------------------------------
>
>
>> -----Original Message-----
>> From: DNSSEC deployment
>> [mailto:dnssec-deployment at shinkuro.com] On Behalf Of
>> Frederico A C Neves
>> Sent: 26 June 2008 00:46
>> To: DNSSEC deployment
>> Subject: [dnssec-deployment] .br KSK rollover
>>
>> Dear DNSSEC experts and enthusiasts,
>>
>> According to our ".br DNSSEC Keys Publication and Management Policy"
>> [1], since 2008-06-24 a new KSK for the .br zone is in use. The new
>> key with key id 18457 and configuration samples for BIND and UNBOUND
>> can be found below [3] or at our website [2].
>>
>> The key used since 2007-06-04, with key id 61207, will not be valid
>> from 2008-08-25.
>>
>> If you run DNSSEC enabled recursive servers and have the .br key as a
>> trust anchor, don't forget to update the .br KSK in your servers'
>> configuration. Substitution of the .br trust anchor for the new .br
>> KSK must be done no later than 2008-08-25, when the rollover period
>> finishes.
>>
>> Regards,
>> Frederico Neves
>>
>> [1] http://registro.br/info/dnssec-policy.html
>> [2] https://registro.br/ksk/index.html
>> [3]
>> *DNS RR
>> br. IN DNSKEY 257 3 5 (
>>     AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJB
>>     NmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPq
>>     Xr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1N
>>     GbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hN
>>     x94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM=
>>     ) ; key id = 18457
>>
>>
>> *BIND trusted-keys config
>> trusted-keys {
>>     br. 257 3 5
>>     "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJB
>>      NmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPq
>>      Xr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1N
>>      GbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hN
>>      x94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM=";
>> };
>>
>>
>> *UNBOUND trust-anchor config
>> trust-anchor: "br. DS 18457 5 1 1067149C134A5B5FF8FC5ED0996E4E9E50AC21B1"
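An added example, not part of the original thread or of any registro.br or NLnet Labs tooling: before installing a trust anchor from an announcement like the one quoted above, an operator can recompute the key id (RFC 4034 Appendix B) and the SHA-1 DS digest from the DNSKEY and compare them with the published values. The function names are illustrative; the key, key id and digest are copied from the quoted message.

```python
import base64
import hashlib

# Values copied from the quoted .br announcement above.
OWNER, FLAGS, PROTOCOL, ALGORITHM = "br.", 257, 3, 5
PUBKEY_B64 = (
    "AwEAAdDoVnG9CyHbPUL2rTnE22uN66gQCrUW5W0NTXJB"
    "NmpZXP27w7PMNpyw3XCFQWP/XsT0pdzeEGJ400kdbbPq"
    "Xr2lnmEtWMjj3Z/ejR8mZbJ/6OWJQ0k/2YOyo6Tiab1N"
    "GbGfs513y6dy1hOFpz+peZzGsCmcaCsTAv+DP/wmm+hN"
    "x94QqhVx0bmFUiCVUFKU3TS1GP415eykXvYDjNpy6AM="
)
PUBLISHED_KEY_ID = 18457
PUBLISHED_DS_SHA1 = "1067149C134A5B5FF8FC5ED0996E4E9E50AC21B1"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    key = base64.b64decode(pubkey_b64, validate=True)
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key

def key_tag(rdata):
    """Key tag (key id) per RFC 4034 Appendix B; not valid for algorithm 1."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    if any(len(l) > 63 for l in labels):
        raise ValueError("label longer than 63 octets")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def ds_digest_sha1(owner, rdata):
    """DS digest type 1: SHA-1(owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return hashlib.sha1(owner_wire(owner) + rdata).hexdigest().upper()

def anchor_is_consistent(owner, rdata, key_id, ds_hex):
    """True only if the key has the SEP bit and matches both key id and DS digest."""
    is_sep = bool(int.from_bytes(rdata[:2], "big") & 0x0001)
    digest_ok = ds_digest_sha1(owner, rdata) == ds_hex.replace(" ", "").upper()
    return is_sep and key_tag(rdata) == key_id and digest_ok

if __name__ == "__main__":
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, PUBKEY_B64)
    print("computed key id:", key_tag(rdata), "published:", PUBLISHED_KEY_ID)
    print("computed DS:", ds_digest_sha1(OWNER, rdata))
    print("consistent:", anchor_is_consistent(OWNER, rdata, PUBLISHED_KEY_ID, PUBLISHED_DS_SHA1))
```

Agreement between the three values only shows that the announcement is internally consistent. Authenticity still depends on where the values were obtained, for example the HTTPS page cited as [2].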