Algorithm Upgrade for RIPE NCC DNS Zones
Dear colleagues,

All the zones maintained by the RIPE NCC are signed with the RSA/SHA1 algorithm. At the RIPE 70 meeting we committed to upgrade the algorithm of all our zones.

We required an updated version of our signer software that could sign a zone with two different algorithms at the same time. We then needed to test it, to ensure that we could switch algorithms without causing major validation errors. We published a RIPE Labs article about our experiences here:

https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over

We are happy to announce that we are now ready to roll the keys of all our zones and sign them with the RSA/SHA256 algorithm. We will follow the process described in the RIPE Labs article. We plan to begin the roll-over on Monday, 30 November 2015. We would still like to exercise caution, so we will not roll the keys of all zones at the same time. We will do this in batches, starting with a small number of reverse DNS zones of the RIPE Meeting address space.

If you have any questions, please send an email to <dns@ripe.net>.

Regards,
Anand Buddhdev
RIPE NCC
Dear colleagues,

I am happy to report that we have completed the roll-over of the keys of all our zones, and upgraded the signatures to RSA/SHA256.

Regards,
Anand Buddhdev
RIPE NCC

On 26/11/15 12:01, Anand Buddhdev wrote:
> Dear colleagues,
>
> All the zones maintained by the RIPE NCC are signed with the RSA/SHA1 algorithm. At the RIPE 70 meeting we committed to upgrade the algorithm of all our zones.
>
> We required an updated version of our signer software that could sign a zone with two different algorithms at the same time. We then needed to test it, to ensure that we could switch algorithms without causing major validation errors. We published a RIPE Labs article about our experiences here:
>
> https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over
>
> We are happy to announce that we are now ready to roll the keys of all our zones and sign them with the RSA/SHA256 algorithm. We will follow the process described in the RIPE Labs article. We plan to begin the roll-over on Monday, 30 November 2015. We would still like to exercise caution, so we will not roll the keys of all zones at the same time. We will do this in batches, starting with a small number of reverse DNS zones of the RIPE Meeting address space.
>
> If you have any questions, please send an email to <dns@ripe.net>.
>
> Regards,
> Anand Buddhdev
> RIPE NCC
On 21 Dec 2015, at 12:51, Anand Buddhdev <anandb@ripe.net> wrote:
> I am happy to report that we have completed the roll-over of the keys of all our zones, and upgraded the signatures to RSA/SHA256.
Well done! Congratulations to you and your colleagues Anand for the successful completion of this task. Are there any experiences or lessons learned during this rollover that are worth sharing with the WG?
On 21/12/15 13:57, Jim Reid wrote:
> Well done! Congratulations to you and your colleagues Anand for the successful completion of this task.

Thanks Jim!

> Are there any experiences or lessons learned during this rollover that are worth sharing with the WG?

Yes. We actually tested algorithm roll-over, and wrote about our experiences in a RIPE Labs article before starting the process. Here's the link again, as a reminder:

https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over

In this article, we talk about one issue we faced, and how we overcame it. When rolling the algorithm of our zones, we followed the procedure we had developed, taking care of this issue, and as a result, there were no validation failures during the roll-over.

Regards,
Anand Buddhdev
RIPE NCC
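
The thread describes signing a zone with two algorithms at the same time so that the switch causes no validation failures. The following is an added example, not part of the thread and not the RIPE NCC's tooling: a Python check of a zone snapshot against the RFC 4035 section 2.2 requirement that every RRset carries an RRSIG for each algorithm present in the DNSKEY RRset. The zone `example.test` and all its records are constructed, and the snapshot is assumed to hold one zone's authoritative data only.

```python
from collections import defaultdict

# Constructed sample, not real zone data. Algorithm 5 = RSASHA1 and
# 8 = RSASHA256 (IANA DNSSEC algorithm numbers); key and signature
# material is elided as "...". The A RRset still lacks an algorithm-8 RRSIG.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 5 ...
example.test. 3600 IN DNSKEY 257 3 8 ...
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 ...
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 ...
example.test. 3600 IN SOA ns.example.test. host.example.test. 1 3600 600 864000 300
example.test. 3600 IN RRSIG SOA 5 2 3600 ...
example.test. 3600 IN RRSIG SOA 8 2 3600 ...
www.example.test. 300 IN A 192.0.2.1
www.example.test. 300 IN RRSIG A 5 3 300 ...
"""


def missing_signatures(zone_text):
    """Return {(owner, rrtype): [algorithms with a DNSKEY but no RRSIG]}.

    Assumes one record per line in 'owner ttl class type rdata' form and
    only authoritative data (no delegation NS or glue, which are unsigned).
    """
    key_algs = set()              # algorithms seen in the DNSKEY RRset
    rrsets = set()                # (owner, type) of every non-RRSIG RRset
    sig_algs = defaultdict(set)   # (owner, covered type) -> RRSIG algorithms
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or line.lstrip().startswith(";"):
            continue              # blank line, comment, or truncated record
        owner, rrtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        if rrtype == "RRSIG":
            if len(rdata) >= 2:   # rdata[0] = type covered, rdata[1] = algorithm
                sig_algs[(owner, rdata[0].upper())].add(int(rdata[1]))
            continue
        rrsets.add((owner, rrtype))
        if rrtype == "DNSKEY" and len(rdata) >= 3:
            key_algs.add(int(rdata[2]))   # flags, protocol, algorithm
    gaps = {}
    for rrset in sorted(rrsets):
        lacking = sorted(key_algs - sig_algs[rrset])
        if lacking:
            gaps[rrset] = lacking
    return gaps


if __name__ == "__main__":
    for (owner, rrtype), algs in missing_signatures(SAMPLE_ZONE).items():
        print(f"{owner} {rrtype}: no RRSIG for algorithm(s) {algs}")
```

An empty result means the snapshot is consistently double-signed; any entry marks an RRset that a validator could reject once both algorithms are published in the DNSKEY RRset.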