DNSSEC validation - root zone trust anchor updates (root zone ksk rollover)

ninolaudani
Techie
Posts: 2
3603     0

Dear reader, does anyone have experience with updating the root zone trust anchor for validating signed records? RFC5011 describes the possibility of automatic updates; however, how is it done by Infoblox? Or is the only way to subscribe to an ICANN mailing list and wait for the announcement of the KSK rollover? Any suggestion on-topic is welcome, and thanks in advance for your effort.

Nino.

Re: DNSSEC validation - root zone trust anchor updates (root zone ksk rollover)

GHorne Community Manager
Community Manager
Posts: 243
3604     0

There currently is no RFC5011 support in Infoblox, but things could change by the time the keys roll over.

Right now, yes, just wait for the announcement, but you will have time. The last published timeline was this:

https://www.icann.org/resources/pages/ksk-rollover

- October 26, 2016: The new KSK is generated in ICANN's U.S. East Coast key management facility (KMF).
- February, 2017: The new KSK is copied to ICANN's U.S. West Coast KMF and is considered operationally ready, and ICANN publishes the new key at https://data.iana.org/root-anchors/root-anchors.xml.  (The exact date is dependent on the timing of the Q1 2017 key ceremony, which has not yet been scheduled.)
- July 11, 2017: The new KSK appears in the root DNSKEY RRset for the first time.
- October 11, 2017: The new KSK signs the root DNSKEY RRset (and the old KSK no longer signs).  This date is the actual KSK rollover.
- January 11, 2018: The old KSK is published as revoked (per RFC 5011, "Automated Updates of DNS Security").

Re: DNSSEC validation - root zone trust anchor updates (root zone ksk rollover)

Expert
Posts: 46
3604     0

I guess Infoblox will just add the new root KSK in upcoming releases and remove the obsolete KSK when it's safe to be removed.

Re: DNSSEC validation - root zone trust anchor updates (root zone ksk rollover)

Authority
Posts: 21
3604     0

No, currently the trust anchors must be manually configured by an Admin in the Grid DNS Properties.

Re: DNSSEC validation - root zone trust anchor updates (root zone ksk rollover)

ninolaudani
Techie
Posts: 2
3604     0

Thanks for your reply! Adding a new KSK to the DNSSEC validation config normally is not something Infoblox does, but something you will have to perform yourself as an admin.

Re: DNSSEC validation - root zone trust anchor updates (root zone ksk rollover)

StefanvanH
Techie
Posts: 6
3604     0

Any news on this?

Does Infoblox support RFC-5011, perhaps in version 8?

The date for the Root KSK rollover is announced and will be done on 11th October 2017.

Would be nice if admins don't have to do anything and can just sit back and relax if RFC-5011 is implemented :)

Re: DNSSEC validation - root zone trust anchor updates (root zone ksk rollover)

Adviser
Posts: 92
3604     0

StefanvanH wrote:

Any news on this?

Does Infoblox support RFC-5011, perhaps in version 8?

The date for the Root KSK rollover is announced and will be done on 11th October 2017.

Would be nice if admins don't have to do anything and can just sit back and relax if RFC-5011 is implemented :)


To get an answer on this, you will want to open a case with Infoblox Support. If nothing is available yet, this will help with getting your request the proper visibility as this is how demand for certain features is gauged.

Re: DNSSEC validation - root zone trust anchor updates (root zone ksk rollover)

EPeeters
Techie
Posts: 9
3604     0

There is a KB article describing how to do it manually:

#5729: Key signing key for the root zone scheduled to change on October 11, 2017
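
Added example, not part of the original thread and not Infoblox or ICANN code: when a trust anchor is entered by hand, as the replies above describe, the DNSKEY can first be checked against the digests in a root-anchors.xml file by recomputing its key tag (RFC 4034 Appendix B) and SHA-256 DS digest and honouring each entry's validity window. The keys, entry ids and dates below are constructed for illustration and are not the real root KSKs; the element and attribute names follow the layout of IANA's published file.

```python
import base64, hashlib, struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit sum with the carry folded in)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(rdata, owner_wire=b"\x00"):
    """DS digest type 2: SHA-256(owner name | RDATA); the root name is one zero byte."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def match_anchor(xml_text, rdata, now):
    """Return the id of the KeyDigest that matches rdata and is valid at `now`, else None."""
    tag, digest = key_tag(rdata), ds_sha256(rdata)
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        if kd.findtext("DigestType") != "2":
            continue  # only SHA-256 digests are handled here
        until = kd.get("validUntil")
        if now < datetime.fromisoformat(kd.get("validFrom")):
            continue  # published but not yet valid
        if until and now >= datetime.fromisoformat(until):
            continue  # withdrawn anchor
        if int(kd.findtext("KeyTag")) == tag and kd.findtext("Digest").strip().upper() == digest:
            return kd.get("id")
    return None

# Constructed keys and dates, NOT the real root KSKs.
OLD_KEY = dnskey_rdata(257, 3, 8, "BAMCAQ==")
NEW_KEY = dnskey_rdata(257, 3, 8, "AQIDBA==")

def _entry(kid, rdata, valid):
    return (f'<KeyDigest id="{kid}" {valid}><KeyTag>{key_tag(rdata)}</KeyTag>'
            f"<Algorithm>8</Algorithm><DigestType>2</DigestType>"
            f"<Digest>{ds_sha256(rdata)}</Digest></KeyDigest>")

SAMPLE_XML = ("<TrustAnchor><Zone>.</Zone>"
    + _entry("Kold", OLD_KEY, 'validFrom="2010-07-15T00:00:00+00:00" validUntil="2018-01-11T00:00:00+00:00"')
    + _entry("Knew", NEW_KEY, 'validFrom="2017-02-02T00:00:00+00:00"')
    + "</TrustAnchor>")

if __name__ == "__main__":
    rollover = datetime(2017, 10, 11, tzinfo=timezone.utc)
    print(match_anchor(SAMPLE_XML, NEW_KEY, rollover))
```

A `None` result means the key should not be configured as a trust anchor. The XML file itself has to be obtained over an authenticated channel before its digests are relied on.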
