ARIN is proud to announce that on 27 April, we will place Delegation
Signer (DS) records into in-addr.arpa and ip6.arpa. At that point,
DNSSEC validation will occur from the root down if you properly set up
your DNSSEC-aware recursive resolver. ARIN's DNSSEC initiative will be
considered complete once these DS records are in place.
For most DNSSEC-aware recursive resolver operators, nothing needs to be
done for this change to be in effect as long as you have configured your
DNSSEC-aware server to use ICANN's Key Signing Key (KSK) for the root
zone. For those who have used ARIN's trust anchors (in place since 2
July 2009) to take advantage of DNSSEC before the root or in-addr.arpa
was signed, you MUST remove them within the next two months of this
date. Otherwise, DNSSEC validation may fail due to a KSK change.
Additionally, ARIN will also coordinate with Internet Systems
Consortium, Inc. (ISC) to remove ARIN's delegations from their DNSSEC
Lookaside Validation (DLV) registry after setting up these records in
in-addr.arpa and ip6.arpa.
The DS records will remain the same as the current trust anchor for the
next two months. After that time, ARIN will begin rolling a KSK for its
authoritative zones, which will cause any DNSSEC-enabled resolvers that
use ARIN's statically configured trust anchors to fail.
As always, ARIN welcomes community feedback regarding DNSSEC. Subscribe
and participate on the arin-tech-disc...@arin.net mailing list if you
have questions or comments.
Regards,
Mark Kosters
Chief Technical Officer
American Registry for Internet Numbers (ARIN)
_______________________________________________
ARIN-Announce
You are receiving this message because you are subscribed to
the ARIN Announce Mailing List (ARIN-announce@arin.net).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-announce
Please contact i...@arin.net if you experience any issues.
