RIPE NCC DNSSEC Key Maintenance: Preemptive Key Signing Key Rollover
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[Apologies for duplicate e-mails]

Dear Colleagues,

Due to the recently published weakness in PKCS 1.5 signatures in OpenSSL RSA crypto, the RIPE NCC will be performing a key signing key (KSK) rollover earlier than planned.

We have completed the first phase of the procedure and have published the new Key Signing Keys (KSKs). The deprecated keys will remain valid for a maximum of three months.

We recommend that you reconfigure any resolvers to use the new keys. You can download them from:
https://www.ripe.net/projects/disi//keys/ripe-ncc-dnssec-keys-new.txt

The DNSSEC Key Maintenance Procedure is available at:
https://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html

The following references may be useful:
http://www.openssl.org/news/secadv_20060905.txt
http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

We thank you for your patience and apologise for any inconvenience this maintenance may cause.

If you have any questions regarding this maintenance please e-mail: ops@ripe.net.

Regards,

Ruben van Staveren
Operations Group
RIPE NCC
-----BEGIN PGP SIGNATURE-----
Comment: For info see https://www.ripe.net/rs/pgp/

iD8DBQFFCVSambreNIsOKy8RAsRWAJ9jVQT++r9aZ3b0sCAl+IMFaUQLrgCfTtFb
5Az85tIv7TrWHVYoyt4Wvto=
=tvtB
-----END PGP SIGNATURE-----

-- 
Ruben van Staveren
RIPE Network Coordination Center
Operations Group
Singel 258 Amsterdam NL
http://www.ripe.net
+31 20 535 4444
PGP finger print 6501 4389 A675 477E DCE5 53D8 9108 49E2 DAFC 271B
as a suggestion, could you -please- put a date on the web page that indicates when the keys were generated or expected to be valid?

--bill

On Thu, Sep 14, 2006 at 03:16:15PM +0200, Ruben van Staveren wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[Apologies for duplicate e-mails]
Dear Colleagues,
Due to the recently published weakness in PKCS 1.5 signatures in OpenSSL RSA crypto, the RIPE NCC will be performing a key signing key (KSK) rollover earlier than planned.
We have completed the first phase of the procedure and have published the new Key Signing Keys (KSKs). The deprecated keys will remain valid for a maximum of three months.
We recommend that you reconfigure any resolvers to use the new keys. You can download them from: https://www.ripe.net/projects/disi//keys/ripe-ncc-dnssec-keys-new.txt
The DNSSEC Key Maintenance Procedure is available at: https://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html
The following references may be useful: http://www.openssl.org/news/secadv_20060905.txt http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
We thank you for your patience and apologise for any inconvenience this maintenance may cause.
If you have any questions regarding this maintenance please e-mail: ops@ripe.net.
Regards,
Ruben van Staveren
Operations Group
RIPE NCC
-----BEGIN PGP SIGNATURE-----
Comment: For info see https://www.ripe.net/rs/pgp/

iD8DBQFFCVSambreNIsOKy8RAsRWAJ9jVQT++r9aZ3b0sCAl+IMFaUQLrgCfTtFb
5Az85tIv7TrWHVYoyt4Wvto=
=tvtB
-----END PGP SIGNATURE-----

-- 
Ruben van Staveren
RIPE Network Coordination Center
Operations Group
Singel 258 Amsterdam NL
http://www.ripe.net
+31 20 535 4444
PGP finger print 6501 4389 A675 477E DCE5 53D8 9108 49E2 DAFC 271B
On 14 Sep 2006, at 7:03 PM, bmanning@vacation.karoshi.com wrote:
as a suggestion, could you -please- put a date on the web page that indicates when the keys were generated or expected to be valid?
I agree the inception date would be very handy. But an expected end date has the danger that people will hard-code such a thing into their scripts, and that might prevent rolls just like the one we see now. The minimal time they are to be valid would be OK. Then the script can take that as its TTL.

I would also like to point this community to draft-ietf-dnsext-trustupdate-timers [1], which is very relevant in this context --in terms of a standardized method for automatic rollovers-- and is about to be last called.

[1] http://tools.ietf.org/wg/dnsext/draft-ietf-dnsext-trustupdate-timers/

---Olaf

-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/
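Added example, not code from RIPE NCC, NLnet Labs or anyone in this thread: a small Python script that does what Ruben's announcement asks of resolver operators, diffing the trust anchors a resolver has configured against a freshly downloaded key file by RFC 4034 key tag, and that handles a published inception date plus minimum validity the way Olaf suggests, as a re-fetch interval rather than a hard-coded date at which keys are dropped. The owner name, the dates and the key material are constructed placeholders (a few bytes, not real RSA keys), not RIPE NCC's actual records.

```python
"""Added example (not RIPE NCC code): diff configured DNSSEC trust anchors
against a published key file during a KSK rollover, and use a minimum
validity as a re-fetch interval.  All records are constructed placeholders."""
import base64
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample: the resolver's current trust-anchor configuration.
# "AwEAAQ==" is only the RSA-exponent prefix bytes 03 01 00 01, not a real key.
CONFIGURED = """\
; trust anchors currently configured (constructed sample)
0.0.193.in-addr.arpa. 3600 IN DNSKEY 257 3 5 AwEAAQ==   ; current KSK
0.0.193.in-addr.arpa. 3600 IN DNSKEY 256 3 5 AwEAAQ==   ; ZSK, not a trust anchor
"""

# Constructed sample: key file after phase one of the roll. Both KSKs are
# published; the deprecated one stays valid for at most three months.
PUBLISHED_PHASE1 = """\
0.0.193.in-addr.arpa. IN DNSKEY 257 3 5 ( AwEAAQ== )   ; deprecated KSK, still valid
0.0.193.in-addr.arpa. IN DNSKEY 257 3 5 (
        AwEAAavN )                                      ; new KSK
"""

# Constructed sample: key file once the deprecated KSK has been withdrawn.
PUBLISHED_PHASE2 = "0.0.193.in-addr.arpa. IN DNSKEY 257 3 5 AwEAAavN\n"

DNSKEY_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$", re.I)


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA.
    Algorithm 1 (RSA/MD5) has a different legacy formula and is rejected."""
    if algorithm == 1:
        raise ValueError("RSA/MD5 key tags are not computed by this formula")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8   # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def tag(self):
        return key_tag(self.flags, self.protocol, self.algorithm, self.pubkey)

    @property
    def is_ksk(self):
        # ZONE (0x100) and SEP (0x001) bits both set: a key meant as trust anchor
        return self.flags & 0x101 == 0x101


def _records(text):
    """Yield logical records: ';' comments stripped, '( ... )' lines joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf).strip()
            buf, depth = [], 0
            if joined:
                yield joined


def parse_dnskeys(text):
    """Parse presentation-format DNSKEY records (optional TTL and class)."""
    keys = []
    for rec in _records(text):
        m = DNSKEY_RE.match(rec)
        if m:
            owner, flags, proto, alg, b64 = m.groups()
            pub = base64.b64decode("".join(b64.split()), validate=True)
            keys.append(DNSKey(owner.lower(), int(flags), int(proto), int(alg), pub))
    return keys


def rollover_plan(configured_text, published_text):
    """Per (owner, key tag): KSKs to add, keep or retire in the resolver.
    A key is retired because it vanished from the published file, not because
    a locally hard-coded end date passed, so an early roll is not blocked."""
    have = {(k.owner, k.tag) for k in parse_dnskeys(configured_text) if k.is_ksk}
    new = {(k.owner, k.tag) for k in parse_dnskeys(published_text) if k.is_ksk}
    return {"add": sorted(t for _, t in new - have),
            "keep": sorted(t for _, t in have & new),
            "retire": sorted(t for _, t in have - new)}


def refresh_due(inception_iso, min_valid_days, now_iso):
    """True once the published minimum validity has elapsed: time to fetch the
    key file again (Olaf's 'TTL'), not a date at which to drop keys."""
    due = date.fromisoformat(inception_iso) + timedelta(days=min_valid_days)
    return date.fromisoformat(now_iso) >= due


if __name__ == "__main__":
    print(rollover_plan(CONFIGURED, PUBLISHED_PHASE1))  # add new KSK, keep old
    print(rollover_plan(CONFIGURED, PUBLISHED_PHASE2))  # old KSK withdrawn: retire
    # Assumed dates: keys published 2006-09-14 with a 90-day minimum validity.
    print(refresh_due("2006-09-14", 90, "2006-12-01"))
```

Real key files carry full RSA public keys, but the presentation format and the key-tag computation are the same; the ZSK in the configured file is ignored because only keys with both the ZONE and SEP flag bits are candidate trust anchors. Retiring a KSK only when it disappears from the published file is what keeps an unscheduled roll like this one from being blocked by a local expiry date: the deprecated key is kept while RIPE NCC still publishes it and dropped on the first fetch that omits it.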