[technique] [Fwd: Fwd: Important DNSSEC information about unprepared DNS resolvers in AS197422]

Laurent GUERBY laurent at guerby.net
Mer 22 Aou 09:00:14 CEST 2018


-------- Forwarded Message --------
Subject: Important DNSSEC information about unprepared DNS resolvers
Date: Tue, 21 Aug 2018 23:36:19 +0000
From: ICANN Root KSK Roll Preparedness Survey <ksk2018prep at icann.org>
To: abuse at tetaneutral dot net

On 11 October 2018, ICANN will change or "roll over" the DNSSEC key
signing key (KSK) of the DNS root zone. Based on information from your
network received at the DNS root name servers [1], we believe that
there may be at least one recursive resolver (also referred to as a
recursive name server or caching name server) with DNSSEC validation
enabled in AS197422 that is unprepared for the KSK rollover. If that
resolver is not updated before 11 October 2018, users of that resolver
will not be able to resolve any DNS queries, resulting in an outage
for them.

To repeat this important point: any DNS resolvers on your network with
DNSSEC validation enabled that are not properly updated to use the new
KSK will fail on 11 October 2018 or shortly thereafter.

For more information on how to check whether a resolver you operate
has the new KSK, see:

For more information on how to update your resolver to use the new
KSK, see:

In advance of the rollover, we are running a short survey of network
operators who we believe are running one or more validating DNS
resolvers that we believe may be unprepared for the rollover. Your
participation in the survey will be valuable to the entire operations

Please take the survey about your preparedness for the root KSK


We will be accepting responses for 14 days, ending on 4 September 2018.

For more information about the root KSK rollover project, see:

If you have questions about the rollover or this survey, please send
email to globalsupport at icann.org with "KSK Rollover" in the subject

[1] One or more resolvers on your network appear to be configured to
send queries to the root name servers to report their DNSSEC trust
anchor configuration. Please see RFC 8145
(https://www.rfc-editor.org/rfc/rfc8145.txt) for more information
about this reporting mechanism.

Plus d'informations sur la liste de diffusion technique