nanog mailing list archives

Re: Signing of the ARPA zone


From: Joe Abley <joe.abley () icann org>
Date: Wed, 17 Mar 2010 14:51:26 -0700

Colleagues,

This is a follow-up to the operational announcement regarding changes to the ARPA top-level domain that was sent on 
2010-03-10. Apologies in advance for duplicates received through different mailing lists.

As of 2010-03-17 1630 UTC all the authoritative servers for ARPA are serving a signed ARPA zone.

We would like to solicit feedback from the technical community to allow us to identify any operational ill-effects that 
this change has caused. We will monitor this mailing list for feedback, and I will also distribute any feedback sent to 
me personally so that it can be considered.

If no harmful effects have been identified by 2010-03-21 the trust anchor for the ARPA zone will be published through 
the IANA ITAR at <https://itar.iana.org/>.

Regards,


Joe

Begin forwarded message:

From: Joe Abley <joe.abley () icann org>
Date: 10 March 2010 16:13:46 EST
To: Joe Abley <joe.abley () icann org>
Subject: Signing of the ARPA zone

Colleagues,

This is a technical, operational announcement regarding changes to the ARPA top-level domain. Apologies in advance 
for duplicates received through different mailing lists.

No specific action is requested of operators. This message is for your information only.

The ARPA zone is about to be signed using DNSSEC. The technical parameters by which ARPA will be signed are as 
follows:

KSK Algorithm and Size: 2048 bit RSA
KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
KSK Signature Algorithm: SHA-256
Validity period for signatures made with KSK: 15 days; new signatures published every 10 days
ZSK Algorithm and Size: 1024 bit RSA
ZSK Rollover: every 3 months
ZSK Signature Algorithm: SHA-256
Authenticated proof of non-existence: NSEC
Validity period for signatures made with ZSK: 7 days; zone generated and re-signed twice per day

The twelve root server operators [1] will begin to serve a signed ARPA zone instead of the (current) unsigned ARPA 
zone during a maintenance window which will open at 2010-03-15 0001 UTC and close at 2010-03-17 2359 UTC. Individual 
root server operators will carry out their maintenance at times within that window according to their own operational 
preference.

The trust anchor for the ARPA zone will be published in the ITAR [2], and in the root zone in the form of a DS record 
once the root zone is signed.

If you have any concerns or require further information, please let me know.

Regards,


Joe Abley
Director DNS Operations, ICANN

[1] <http://www.root-servers.org/>
[2] <https://itar.iana.org/>
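As an added example, not part of the announcement and not ICANN's own tooling, the following script audits a zone's DNSKEY and RRSIG records against the signing parameters listed above: KSK/ZSK role from the SEP flag, RSA modulus size parsed from the RFC 3110 key encoding, algorithm 8 (RSASHA256), the RFC 4034 key tag you would compare against the DS record in the ITAR, and signature validity windows of at most 15 days (KSK) and 7 days (ZSK). The records in `sample_zone()` are constructed for the example; the moduli are placeholders and are not real ARPA keys.

```python
"""Audit DNSKEY/RRSIG records against a stated DNSSEC signing policy.

Added example, not ICANN's tooling. All records below are constructed sample
data; the RSA moduli are placeholders, not real ARPA keys.
"""
import base64
import struct
from datetime import datetime, timedelta, timezone

RSASHA256 = 8        # IANA DNSSEC algorithm number for RSA/SHA-256 (RFC 5702)
FLAG_ZONE = 0x0100   # DNSKEY "Zone Key" flag bit
FLAG_SEP = 0x0001    # Secure Entry Point bit, set on the KSK (flags 257 vs 256)

# Policy as announced for ARPA: minimum modulus size and maximum signature validity
POLICY = {
    "KSK": {"bits": 2048, "max_validity": timedelta(days=15)},
    "ZSK": {"bits": 1024, "max_validity": timedelta(days=7)},
}


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey: bytes) -> int:
    """RFC 3110 wire format: exponent length (1 byte, or 0 + 2 bytes), exponent, modulus."""
    if pubkey[0] != 0:
        elen, off = pubkey[0], 1
    else:
        elen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    return int.from_bytes(pubkey[off + elen:], "big").bit_length()


def parse_dnskey(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> dict:
    """Turn presentation-format DNSKEY fields into role, key tag and modulus size."""
    pubkey = base64.b64decode(pubkey_b64)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    role = "KSK" if flags & FLAG_SEP else "ZSK"
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm,
            "role": role, "tag": key_tag(rdata), "bits": rsa_modulus_bits(pubkey)}


def parse_dnssec_time(s: str) -> datetime:
    """RRSIG inception/expiration in YYYYMMDDHHmmSS presentation form, UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit(dnskeys: list, rrsigs: list, now: datetime) -> list:
    """Return policy findings as strings; an empty list means everything conforms."""
    findings, role_by_tag = [], {}
    for k in dnskeys:
        role_by_tag[k["tag"]] = k["role"]
        if not k["flags"] & FLAG_ZONE or k["protocol"] != 3:
            findings.append(f"key {k['tag']}: not a valid zone key (flags/protocol)")
        if k["algorithm"] != RSASHA256:
            findings.append(f"key {k['tag']}: algorithm {k['algorithm']}, expected RSASHA256")
        if k["bits"] < POLICY[k["role"]]["bits"]:
            findings.append(f"{k['role']} {k['tag']}: {k['bits']}-bit modulus, "
                            f"policy requires {POLICY[k['role']]['bits']}")
    for sig in rrsigs:
        label = f"RRSIG({sig['type']}) by key {sig['keytag']}"
        role = role_by_tag.get(sig["keytag"])
        if role is None:
            findings.append(f"{label}: no matching DNSKEY in the zone")
            continue
        inc, exp = parse_dnssec_time(sig["inception"]), parse_dnssec_time(sig["expiration"])
        if exp - inc > POLICY[role]["max_validity"]:
            findings.append(f"{label}: validity {(exp - inc).days} days exceeds {role} policy")
        if not inc <= now <= exp:
            findings.append(f"{label}: not valid at {now.isoformat()}")
    return findings


def b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def sample_zone():
    """Constructed sample records (hypothetical); moduli are placeholders, not real keys."""
    exp = b"\x03\x01\x00\x01"                      # exponent length 3, e = 65537
    ksk_pub = exp + b"\xff" * 256                  # 2048-bit placeholder modulus
    zsk_pub = exp + b"\x80" + bytes(range(127))    # 1024-bit placeholder modulus
    weak_pub = exp + b"\x80" + bytes(range(63))    # 512-bit: violates the ZSK policy
    dnskeys = [parse_dnskey(257, 3, 8, b64(ksk_pub)),
               parse_dnskey(256, 3, 8, b64(zsk_pub)),
               parse_dnskey(256, 3, 8, b64(weak_pub))]
    rrsigs = [
        # KSK over the DNSKEY RRset: 15-day window, conforms
        {"type": "DNSKEY", "keytag": dnskeys[0]["tag"],
         "inception": "20100317163000", "expiration": "20100401163000"},
        # ZSK over SOA: 10-day window, longer than the 7 days announced
        {"type": "SOA", "keytag": dnskeys[1]["tag"],
         "inception": "20100317000000", "expiration": "20100327000000"},
    ]
    return dnskeys, rrsigs


def audit_sample(now_str: str = "20100318000000") -> list:
    """Run the audit over the constructed sample zone at the given UTC time."""
    dnskeys, rrsigs = sample_zone()
    return audit(dnskeys, rrsigs, parse_dnssec_time(now_str))


if __name__ == "__main__":
    for f in audit_sample():
        print(f)
```

Run against real data, the DNSKEY fields would come from `dig +dnssec DNSKEY arpa` and the RRSIG fields from the same answer; the key tag of the KSK should then match the DS record published in the ITAR, and the validity windows should stay within the 15-day and 7-day bounds given above. Note that the key tag is a checksum for selecting keys, not a security identifier: two keys can share one, so always verify the DS digest as well.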


