Important DNS information about unprepared DNSSEC-validating resolvers

Started by icecream-guy, September 06, 2018, 05:48:16 AM


icecream-guy

As you may be aware, on 11 October 2018, ICANN will change or "roll over" the DNSSEC key signing key (KSK) of the DNS root zone. Based on information from your network received at the DNS root name servers, we believe that there *may* be at least one recursive resolver (also referred to as a recursive name server or caching name server) with DNSSEC validation enabled in your AS that is unprepared for the KSK rollover. If the resolver configuration is not updated with the new KSK before 11 October 2018, users of that resolver will not be able to resolve any DNS queries, resulting in a DNS outage for all users attempting DNS lookups through that resolver.

To repeat this important point: any DNS resolvers on your network with DNSSEC validation enabled that are not properly updated to use the new KSK will be unable to resolve names on 11 October 2018 or shortly thereafter (the exact time of failure is uncertain due to caching).


Please note that these IP addresses appear in our records because they sent a trust anchor configuration report to one of the root name servers in the form of a DNS query following the protocol defined in RFC 8145 (https://www.rfc-editor.org/rfc/rfc8145.txt). Not just recursive resolvers but any device, including those belonging to end users (such as mobile phones), could potentially send such a query: we are aware of at least one multi-platform VPN software implementation that reported its lack of the new KSK using this mechanism. (This software has since been updated with the new KSK.) In addition, because these reports are made with a simple DNS query, they can be forwarded through multiple resolvers and can also be easily spoofed. Therefore, the presence of an IP address in the list below does not definitively indicate that a resolver at that address originated a trust anchor report.

Please also note that IP addresses on your network that are not on the list below could still be unprepared for the root KSK rollover: only very recent versions of certain resolver software actually report their trust anchor configuration to the root servers. Your network could still have recursive resolvers with DNSSEC validation enabled that are unprepared for the root KSK rollover on 11 October 2018. If you have not already done so, we would therefore encourage you to check any DNSSEC-validating recursive resolvers to confirm that these resolvers are configured with the new root zone KSK and are prepared for the root KSK rollover on 11 October 2018.

For more information on how to check whether a resolver you operate has the new KSK, see:
  https://www.icann.org/dns-resolvers-checking-current-trust-anchors

For more information on how to update your resolver to use the new KSK, see:
  https://www.icann.org/dns-resolvers-updating-latest-trust-anchor

For more information about the root KSK rollover project, see:
  https://www.icann.org/kskroll

If you have questions about the rollover or this survey, please send email to globalsupport@icann.org with "KSK Rollover" in the subject line.

Kind regards,

The ICANN Root KSK Rollover Project Team
:professorcat:

My Moral Fibers have been cut.
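An added example for the check the ICANN mail asks for; it is not part of the post or of ICANN's material. It computes DNSKEY key tags (RFC 4034 Appendix B) from records in zone presentation format, such as the lines `dig @<resolver> . DNSKEY` prints or Unbound stores in its auto-trust-anchor-file, reports whether the KSK set contains key tag 20326 (KSK-2017, the new key) or only 19036 (KSK-2010, the old key), and encodes/decodes the RFC 8145 `_ta-...` signaling names the mail refers to. The sample DNSKEY records are constructed with tiny fake public keys so the script runs offline; they are not the real root keys, and 192.0.2.53 is a placeholder resolver address.

```python
"""Root KSK rollover readiness check (added example, not ICANN's code).

Reads DNSKEY records in zone presentation format, computes key tags per
RFC 4034 Appendix B, and classifies the root KSK set for the 2018 roll.
Key tag 20326 is KSK-2017 (new), 19036 is KSK-2010 (old). Also handles
RFC 8145 trust anchor signaling names such as `_ta-4a5c-4f66.`.
The sample records below use fake 2- and 3-byte keys (constructed data).
"""
import base64
import struct

KSK_2017_TAG = 20326  # new root KSK, rolled in on 11 October 2018
KSK_2010_TAG = 19036  # old root KSK


def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B.1)."""
    if algorithm == 1:
        # RSA/MD5 uses a different rule and is obsolete; refuse it.
        raise ValueError("algorithm 1 key tag not supported")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_records(text):
    """Return (owner, flags, protocol, algorithm, pubkey, key_tag) for each
    DNSKEY record. `;` comments and other RR types are skipped; base64 split
    into several whitespace-separated chunks (as dig prints it) is rejoined."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        tag = dnskey_key_tag(flags, protocol, algorithm, pubkey)
        records.append((fields[0], flags, protocol, algorithm, pubkey, tag))
    return records


def ksk_key_tags(records, owner="."):
    """Key tags of the KSKs (SEP flag, bit value 1) owned by `owner`."""
    return {tag for (o, flags, _p, _a, _k, tag) in records
            if o == owner and flags & 1}


def rollover_status(tags, new_tag=KSK_2017_TAG, old_tag=KSK_2010_TAG):
    """'ready' if the new KSK is trusted (alone or beside the old one),
    'unprepared' if only the old KSK is, else 'no-root-ksk'."""
    if new_tag in tags:
        return "ready"
    if old_tag in tags:
        return "unprepared"
    return "no-root-ksk"


def decode_ta_signal(qname):
    """Key tags carried by an RFC 8145 signaling QNAME (`_ta-<hex>[-<hex>]`);
    None if the name is not a trust anchor signal."""
    label = qname.rstrip(".").split(".")[0].lower()
    if not label.startswith("_ta-"):
        return None
    return {int(h, 16) for h in label[4:].split("-")}


def encode_ta_signal(tags):
    """The RFC 8145 QNAME a resolver sends for the trust anchors in `tags`."""
    return "_ta-" + "-".join("%04x" % t for t in sorted(tags)) + "."


# Constructed sample (NOT real root keys): fake public keys laid out like
# `dig @192.0.2.53 . DNSKEY` output. Their key tags are 1033, 1034 and 778.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.11.3 <<>> @192.0.2.53 . DNSKEY
;; ANSWER SECTION:
.\t172800\tIN\tDNSKEY\t256 3 8 AAE=
.\t172800\tIN\tDNSKEY\t257 3 8 AAE=
.\t172800\tIN\tDNSKEY\t257 3 8 // //
"""

if __name__ == "__main__":
    import sys
    text = SAMPLE_DIG_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    tags = ksk_key_tags(parse_dnskey_records(text))
    print("root KSK key tags:", sorted(tags), "->", rollover_status(tags))
    # A resolver signaling only the old key is the case the ICANN mail warns about.
    signal = encode_ta_signal({KSK_2010_TAG})
    print(signal, "->", rollover_status(decode_ta_signal(signal)))
```

Pipe `dig @<resolver> . DNSKEY` into it, or run it with no input to see the constructed sample. Caveat: the DNSKEY RRset a resolver returns is what the root zone publishes (via its cache), not what the resolver is configured to trust; for the actual readiness check, feed it the resolver's own trust anchor records (Unbound's auto-trust-anchor-file is in this format) or follow the ICANN checking page linked in the post, and treat a `_ta-4a5c.` signal without `4f66` as the unprepared case.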

deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV