{"id":2517,"date":"2018-10-16T09:10:04","date_gmt":"2018-10-16T09:10:04","guid":{"rendered":"http:\/\/www.mtin.net\/blog\/?p=2517"},"modified":"2018-10-15T18:48:42","modified_gmt":"2018-10-15T18:48:42","slug":"updating-your-bind-dns-for-latest-trust-anchors","status":"publish","type":"post","link":"http:\/\/www.mtin.net\/blog\/updating-your-bind-dns-for-latest-trust-anchors\/","title":{"rendered":"Updating your Bind DNS for latest trust anchors"},"content":{"rendered":"<p>A little Background on the rollover<\/p>\n<p><abbr class=\"\" title=\"Internet Corporation for Assigned Names and Numbers\">From:\u00a0https:\/\/www.icann.org\/resources\/pages\/ksk-rollover\/#overview<br \/>\nICANN<\/abbr>\u00a0is planning to perform a\u00a0<abbr title=\"Root Zone\">Root Zone<\/abbr>\u00a0<abbr title=\"Domain Name\">Domain Name<\/abbr>\u00a0System\u00a0<abbr title=\"Security \u2013 Security, Stability and Resiliency (SSR)\">Security<\/abbr>\u00a0Extensions (<abbr title=\"DNS Security Extensions\">DNSSEC<\/abbr>) KSK rollover as required in the\u00a0<a href=\"https:\/\/www.iana.org\/dnssec\/icann-dps.txt\"><abbr class=\"\" title=\"Root Zone\">Root Zone<\/abbr>\u00a0KSK Operator\u00a0<abbr title=\"DNS Security Extensions\">DNSSEC<\/abbr>\u00a0Practice Statement<\/a>\u00a0[TXT, 99 KB].<\/p>\n<p>Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other\u00a0<abbr class=\"\" title=\"Domain Name\">Domain Name<\/abbr>\u00a0System (<abbr title=\"Domain Name System\">DNS<\/abbr>) resolver operators;\u00a0<abbr class=\"\" title=\"Domain Name System\">DNS<\/abbr>\u00a0resolver software developers; system integrators; and hardware and software distributors who install or ship the root&#8217;s &#8220;trust anchor.&#8221; The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used 
by the\u00a0<abbr title=\"Root Zone\">Root Zone<\/abbr>\u00a0Maintainer to\u00a0<abbr class=\"\" title=\"DNS Security Extensions\">DNSSEC<\/abbr>-sign the root zone of the Internet&#8217;s\u00a0<abbr title=\"Domain Name System\">DNS<\/abbr>.<\/p>\n<p><strong>Maintaining an up-to-date KSK is essential to ensuring\u00a0<abbr title=\"DNS Security Extensions\">DNSSEC<\/abbr>-validating\u00a0<abbr title=\"Domain Name System\">DNS<\/abbr>\u00a0resolvers continue to function following the rollover.\u00a0<\/strong>Failure to have the current root zone KSK will mean that\u00a0<abbr title=\"DNS Security Extensions\">DNSSEC<\/abbr>-validating\u00a0<abbr title=\"Domain Name System\">DNS<\/abbr>\u00a0resolvers will be unable to resolve any\u00a0<abbr title=\"Domain Name System\">DNS<\/abbr>\u00a0queries.<\/p>\n<p>If you are running BIND, the quickest way to check is this:<\/p>\n<p>If your configuration shows\u00a0<strong><code>dnssec-validation yes;<\/code><\/strong>, you\u00a0<b>must<\/b>\u00a0change it to\u00a0<strong><code>dnssec-validation auto;<\/code><\/strong> and restart your server before taking the steps below. 
This is in your named.conf<\/p>\n<p><img data-attachment-id=\"2518\" data-permalink=\"http:\/\/www.mtin.net\/blog\/updating-your-bind-dns-for-latest-trust-anchors\/screen-shot-2018-10-15-at-2-40-51-pm\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2018\/10\/Screen-Shot-2018-10-15-at-2.40.51-PM.png?fit=1128%2C492\" data-orig-size=\"1128,492\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screen Shot 2018-10-15 at 2.40.51 PM\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2018\/10\/Screen-Shot-2018-10-15-at-2.40.51-PM.png?fit=300%2C131\" data-large-file=\"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2018\/10\/Screen-Shot-2018-10-15-at-2.40.51-PM.png?fit=580%2C253\" decoding=\"async\" loading=\"lazy\" class=\"alignnone size-medium wp-image-2518\" src=\"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2018\/10\/Screen-Shot-2018-10-15-at-2.40.51-PM.png?resize=300%2C131\" alt=\"\" width=\"300\" height=\"131\" srcset=\"https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2018\/10\/Screen-Shot-2018-10-15-at-2.40.51-PM.png?resize=300%2C131 300w, https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2018\/10\/Screen-Shot-2018-10-15-at-2.40.51-PM.png?resize=1024%2C447 1024w, https:\/\/i0.wp.com\/www.mtin.net\/blog\/wp-content\/uploads\/2018\/10\/Screen-Shot-2018-10-15-at-2.40.51-PM.png?w=1128 1128w\" sizes=\"(max-width: 300px) 100vw, 300px\" data-recalc-dims=\"1\" 
\/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A little Background on the rollover From:\u00a0https:\/\/www.icann.org\/resources\/pages\/ksk-rollover\/#overview ICANN\u00a0is planning to perform a\u00a0Root Zone\u00a0Domain Name\u00a0System\u00a0Security\u00a0Extensions (DNSSEC) KSK rollover as required in the\u00a0Root Zone\u00a0KSK Operator\u00a0DNSSEC\u00a0Practice Statement\u00a0[TXT, 99 KB]. Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[17,274,2],"tags":[199,40,638,542,108],"jetpack_publicize_connections":[],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6VLMf-EB","jetpack-related-posts":[{"id":2000,"url":"http:\/\/www.mtin.net\/blog\/client-subnet-in-dns-requests\/","url_meta":{"origin":2517,"position":0},"title":"Client subnet in DNS requests","author":"j2sw","date":"January 18, 2018","format":false,"excerpt":"Some Light Reading: https:\/\/tools.ietf.org\/html\/draft-vandergaast-edns-client-subnet-00 Many Authoritative nameservers today return different replies based on the perceived topological location of the user. These servers use the IP address of the incoming query to identify that location. 
Since most queries come from intermediate recursive resolvers, the source address is that of the recursive\u2026","rel":"","context":"In &quot;xISP&quot;","block_context":{"text":"xISP","link":"http:\/\/www.mtin.net\/blog\/category\/xisp\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":342,"url":"http:\/\/www.mtin.net\/blog\/change-to-h-root-servers-net\/","url_meta":{"origin":2517,"position":1},"title":"Change to H.ROOT-SERVERS.NET","author":"j2sw","date":"August 31, 2015","format":false,"excerpt":"Posted to NANOG This is advance notice that there is a scheduled change to the IP addresses for one of the authorities listed for the DNS root zone and the .ARPA TLD. The change is to H.ROOT-SERVERS.NET, which is administered by the U.S. Army Research Laboratory. The new IPv4 address\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"http:\/\/www.mtin.net\/blog\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":36,"url":"http:\/\/www.mtin.net\/blog\/make-your-own-cisco-rollover-cable\/","url_meta":{"origin":2517,"position":2},"title":"Make your own Cisco Rollover Cable","author":"j2sw","date":"March 11, 2018","format":false,"excerpt":"In a pinch, you can make your own Cisco Rollover Cable.\u00a0 Or, if you want a longer cable so you aren't holding your laptop in weird ways while standing in front of a rack of routers.\u00a0 Great for labs as well.","rel":"","context":"In &quot;cisco&quot;","block_context":{"text":"cisco","link":"http:\/\/www.mtin.net\/blog\/category\/cisco\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":2063,"url":"http:\/\/www.mtin.net\/blog\/everything-you-wanted-to-know-about-root-name-servers\/","url_meta":{"origin":2517,"position":3},"title":"Everything you wanted to know about Root Name Servers","author":"j2sw","date":"February 14, 2018","format":false,"excerpt":"One of the foundations of the 
Internet is DNS.\u00a0 We have talked about DNS alot. http:\/\/www.mtin.net\/blog\/?s=DNS&submit=Search There have been TBW Podcasts about DNS So are you ready to get your geek on? Let's start with who operates the root name Servers. A quick visit to: http:\/\/www.root-servers.org\/ NetNod will explain the\u2026","rel":"","context":"In &quot;Networking&quot;","block_context":{"text":"Networking","link":"http:\/\/www.mtin.net\/blog\/category\/networking\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":39,"url":"http:\/\/www.mtin.net\/blog\/cisco-rolled-cable\/","url_meta":{"origin":2517,"position":4},"title":"Cisco Rolled Cable","author":"j2sw","date":"March 24, 2014","format":false,"excerpt":"I was recently talking to a gentleman who came by and purchased some excess Cisco gear for his CCNA\/CCNP studies. \u00a0I got on the topic of he didn't need the special cisco cable if he had serial to ethernet adaptors. \u00a0Basically a Cisco rolled cable is just a cable with\u2026","rel":"","context":"In &quot;DIY&quot;","block_context":{"text":"DIY","link":"http:\/\/www.mtin.net\/blog\/category\/diy\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":297,"url":"http:\/\/www.mtin.net\/blog\/protecting-your-mikrotik-from-dns-amplification\/","url_meta":{"origin":2517,"position":5},"title":"Protecting your Mikrotik from DNS Amplification","author":"j2sw","date":"May 8, 2015","format":false,"excerpt":"There are several reasons and benefits to using your Mikrotik as a DNS caching server. \u00a0Queries to the client are just a tad faster, which makes the overall user experience seem snappier. 
\u00a0It also allows you to quickly change upstream DNS servers in the even of an outage, attack, etc.\u2026","rel":"","context":"In \"amplification\"","block_context":{"text":"amplification","link":"http:\/\/www.mtin.net\/blog\/tag\/amplification\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2517"}],"collection":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/comments?post=2517"}],"version-history":[{"count":1,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2517\/revisions"}],"predecessor-version":[{"id":2519,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/posts\/2517\/revisions\/2519"}],"wp:attachment":[{"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/media?parent=2517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/categories?post=2517"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.mtin.net\/blog\/wp-json\/wp\/v2\/tags?post=2517"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}