-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A KSK roll for the .gov zone will occur at the end of January, 2011. This key change is necessitated by a registry operator transition: VeriSign has been selected by the U.S. General Services Administration (GSA) to operate the domain name registry for .gov.

It is important that you prepare for this key change NOW. DO NOT WAIT until late January, 2011, to take action: the changes described below should be made as soon as possible.

Because .gov was signed prior to the signing of the root zone, it is reasonable to believe that many DNSSEC validators (usually part of recursive name servers) have the .gov zone's KSK statically configured as a trust anchor. Further, because automated trust anchor rollover software implementing the protocol described in RFC 5011 has not been widely available until recently, it is reasonable to believe that few validators with a statically configured .gov trust anchor would be able to understand a KSK roll using RFC 5011 semantics and update their trust anchor store automatically.

VeriSign is sending this message to announce the impending .gov KSK roll so that the DNSSEC operational community will be informed of the change and will have the opportunity to take the necessary steps to prepare for it.

The .gov KSK roll will occur between 27 January 2011 and 31 January 2011. The rollover will not use RFC 5011 semantics because of issues surrounding the registry operator transition. The new KSK will not be published in an authenticated manner outside DNS (e.g., on an SSL-protected web page). Rather, the intended mechanism for trusting the new KSK is via the signed root zone: DS records corresponding to the new KSK are already present in the root zone.

Because the root zone has had DS records corresponding to the current .gov KSK since 27 October 2010, static configuration of a trust anchor for .gov is no longer strictly necessary. Because there will be no non-DNS-based mechanism to authenticate subsequent .gov KSKs, configuration of the .gov KSK as a trust anchor is NOT RECOMMENDED.

Take these steps NOW to prepare for the .gov KSK roll in late January 2011:

1. If your DNSSEC validators DO NOT HAVE a trust anchor for the root zone configured, CONFIGURE the root zone's KSK as a trust anchor. An authenticated version of the root zone's KSK is available at http://data.iana.org/root-anchors/.

2. If your DNSSEC validators have a trust anchor for the .gov zone configured, REMOVE the .gov zone's KSK as a trust anchor from your validator's configuration.

If you follow both steps above, your DNSSEC validators should continue to validate names in .gov, but the .gov KSK will be authenticated via the signed root's KSK rather than a locally configured trust anchor.

DO NOT WAIT until late January, 2011, to take these actions: the trust anchor changes described above should be made as soon as possible.

If you have any questions or comments, please send email to registrar@dotgov.gov or reply to this message.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)

iQEVAwUBTRJqVNdGiUJktOYBAQJaHQf+OKcKsnUySDLzwdMUdjDpFhvm53iJF4RN
/fWMK+5ahTqWpWgDnMi0NZij6OKCu+jUtH75Q9z4iXglyQzl5rweL4N01jV7GquV
tYO18ys2lQ7w07XFP2Y8568ckYeWkDgYGwHJ4GKRMW4/cyl6YlE3Z+sxMbn/O3/G
CcaTgmVtVHkVvLJfPMotaE9M4ldAlM3yMAHQspadVPrBNtzmYUBjJhjvwe1XxAok
UBJLwqubSnY2qoAsXrwcHov4Z1izxMiuLIthyjoc79r11J0CYzwDNpDd2QyPD/3y
7nFHlxCIYDm9r2lnv8sbc/p+/PuM7rpzpkCUvpWY9FArZWt7h7gSfA==
=+pAa
-----END PGP SIGNATURE-----
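The announcement's whole trust argument rests on one check: a validator that has dropped its static .gov anchor accepts a .gov KSK only if the root zone publishes a DS record whose key tag, algorithm and digest all match that DNSKEY. The following is an added example, written for this page and not part of VeriSign's announcement or any validator's code, that performs exactly that check offline. It computes the RFC 4034 key tag and the DS digest (SHA-1 and SHA-256) for each SEP-flagged DNSKEY in a zone's DNSKEY RRset and reports which KSKs a parent's DS RRset actually covers. Every record in it is constructed: the DNSKEYs are made-up RSASHA256 keys (not the real .gov KSK or ZSK), and because the keys are made up, the "parent" DS set is generated from the constructed KSK rather than pasted from the real root zone. For a real check you would replace the samples with the output of `dig +dnssec DNSKEY gov.` and `dig +dnssec DS gov.`.

```python
"""Which KSKs in a zone's DNSKEY RRset are covered by the parent's DS RRset?

All records here are CONSTRUCTED for illustration; they are not the real .gov
keys or the real root-zone DS records.  In practice, paste in the output of
`dig +dnssec DNSKEY gov.` and `dig +dnssec DS gov.` instead.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name: 'gov.' -> b'\\x03gov\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' -> (owner, flags, alg, rdata)."""
    parts = line.split()
    i = parts.index("DNSKEY")
    flags, proto, alg = int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3])
    pubkey = base64.b64decode("".join(parts[i + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return parts[0], flags, alg, rdata


def parse_ds(line: str):
    """Parse 'owner [ttl] [IN] DS keytag alg digesttype hex...' -> (keytag, alg, dtype, digest)."""
    parts = line.split()
    i = parts.index("DS")
    return (int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3]),
            bytes.fromhex("".join(parts[i + 4:])))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, dtype: int) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    return DS_DIGESTS[dtype](name_to_wire(owner) + rdata).digest()


def make_ds(dnskey_line: str, dtype: int = 2) -> str:
    """The presentation-format DS record a parent zone would publish for this DNSKEY."""
    owner, _, alg, rdata = parse_dnskey(dnskey_line)
    return f"{owner} IN DS {key_tag(rdata)} {alg} {dtype} {ds_digest(owner, rdata, dtype).hex().upper()}"


def covered_ksks(dnskey_lines, ds_lines):
    """Key tags of SEP-flagged keys (KSKs) that the parent's DS RRset covers.

    A DS counts only when key tag, algorithm AND digest all match: a stale DS whose
    key tag happens to collide, or a DS left over for a withdrawn key, proves nothing.
    """
    ds_set = {parse_ds(l) for l in ds_lines}
    covered = []
    for line in dnskey_lines:
        owner, flags, alg, rdata = parse_dnskey(line)
        if not flags & 0x0001:          # SEP bit clear: a ZSK, never referenced by a DS
            continue
        tag = key_tag(rdata)
        for ds_tag, ds_alg, dtype, digest in ds_set:
            if (ds_tag, ds_alg) == (tag, alg) and dtype in DS_DIGESTS \
                    and ds_digest(owner, rdata, dtype) == digest:
                covered.append(tag)
                break
    return covered


# Constructed DNSKEY RRset for gov.: one KSK (flags 257) and one ZSK (flags 256),
# algorithm 8 (RSASHA256) with deliberately tiny, fake public-key blobs.
SAMPLE_DNSKEYS = [
    "gov. 86400 IN DNSKEY 257 3 8 AwEAAcD/7kI=",   # constructed KSK, key tag 46669
    "gov. 86400 IN DNSKEY 256 3 8 AwEAAd6tvu8=",   # constructed ZSK, key tag 42151
]
# Constructed "root zone" DS RRset, generated from the constructed KSK because the key
# is made up.  For a real check, paste the DS records the root zone returns for gov.
SAMPLE_DS = [make_ds(SAMPLE_DNSKEYS[0], 2), make_ds(SAMPLE_DNSKEYS[0], 1)]
# A stale DS: right key tag and algorithm, but a digest that belongs to some other key.
STALE_DS = ["gov. IN DS 46669 8 2 " + "00" * 32]

if __name__ == "__main__":
    for ds in SAMPLE_DS:
        print(ds)
    print("KSKs covered by parent DS:", covered_ksks(SAMPLE_DNSKEYS, SAMPLE_DS))
    print("KSKs covered by stale DS: ", covered_ksks(SAMPLE_DNSKEYS, STALE_DS))
```

Run against real data, `covered_ksks` listing the key tag of the .gov KSK your resolver currently sees is the evidence that step 2 above (removing the static .gov anchor) is safe, and a KSK in the DNSKEY RRset that it does not list is one no root-anchored validator will trust. The digest comparison is deliberate: matching on key tag alone would accept a collision or a leftover DS, which is precisely the failure a validator must avoid.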