Posts from October 2016.

Root DNSSEC Key Ceremony 27 Attestation


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday, October 27, I attended the Root DNSSEC Key Ceremony 27,
administered by Public Technical Identifiers (PTI), the administrator
of the IANA functions and an affiliate of ICANN, which was held in
PTI's key management facility (KMF) in Culpeper, Virginia, USA.

ICANN and PTI are in the process of rolling the root zone key-signing
key (KSK) and details about that project are available at:

https://www.icann.org/resources/pages/ksk-rollover

I attest that a new key intended to be the next root zone KSK was
generated at that ceremony, and that the following DS record
corresponds to the newly generated key:

. IN DS 20326 8 2 E06D44B80B8F1D39A95COBOD7C65D08458E880409BBC683457104237C7F8EC8D

The key will not be declared operationally ready until it is imported
into the hardware security modules (HSMs) in PTI's second KMF in El
Segundo, CA, at the next root key ceremony planned for February, 2017.
Provided that ceremony is successful and that subsequent root KSK
rollover plans proceed according to schedule, the key attested to
above will become the next root zone KSK and be used to sign the root
zone's key set on October 11, 2017.

I further attest that the ceremony followed the script published at
https://data.iana.org/ksk-ceremony/27/KC27_Script.pdf, with one minor
exception relating to the formatting of USB drives used to transport
signed material out of the ceremony room.

Disclosure: I am employed by ICANN as VP of Research and sometimes act
as a Ceremony Administrator (CA) for root key ceremonies.

Matt Larson
28 October 2017
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlgTpoMACgkQATXaA1CYG0VqFgCeINrlVQDIDAMZO0RtlftiNYMj
5CgAniFE+fdA9MQY/BE3VwG0dEvhHsU/
=sM6f
-----END PGP SIGNATURE-----

Episode 48

In Episode 48, we are pleased to welcome Bert Hubert of PowerDNS fame to the show.  We reach into the mailbag to answer Nic Waller’s question about measuring which names in a zone are actually queried, Jesus Cea asked about proving domain ownership to obtain a Let’s Encrypt certificate (which caused us to do some actual research before recording!), and long-suffering listener Yiorgos Adamopoulos gamely sent in a question about using the block chain for name resolution.  As usual, we indulge in light banter completely unrelated to DNS, this time on outrageous cell phone roaming charges and Dutch pipe organs.