Note for the coming KSK rollover experiment
A newly generated KSK will be published into the Yeti root zone today as an experiment. Volunteer resolvers are welcome to join this test. Here are some notes for your information:
1) Two actions:
- A new key (59302) will be published today at serial 2017030200.
- The document and the KSK.pub file on the GitHub repo and the Yeti website will be updated to contain two keys 10 days later (2017-03-12), leaving 10 days for new resolvers to join this experiment.
2) About the timeline:
Slot 1: 2017-02-20 to 2017-03-01 change the RRSIG validity period
Slot 2: 2017-03-02 to 2017-03-11 publish the new KSK
Slot 3: 2017-03-12 to 2017-03-23 publish the new KSK
Slot 4: 2017-03-24 to 2017-04-03 publish the new KSK
Slot 5: 2017-04-03 to 2017-04-13 publish the new KSK
Slot 6: 2017-04-14 to 2017-04-23 sign with the new KSK
Slot 7: 2017-04-24 to 2017-05-03 sign with the new KSK
Slot 8: 2017-05-04 to 2017-05-13 revoke the old KSK
Slot 9: 2017-05-14 to 2017-05-23 no longer publish the old KSK
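Slot 8 revokes the old KSK, which sets the REVOKE bit in the DNSKEY flags (257 becomes 385) and therefore changes that key's tag, so an operator matching keys by tag (such as 59302 above) should expect the old key to show up under a different number. The following is an added example, not part of the original note or of the Yeti project's code: it computes the RFC 4034 key tag from a DNSKEY record and shows the shift. The sample key and the helper names are constructed for illustration; it is not a Yeti key.

```python
import base64

REVOKE = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY flags field
SEP = 0x0001     # Secure Entry Point bit, set on a KSK (flags 257)

def parse_dnskey(line):
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64...>'."""
    text = line.split(";")[0].replace("(", " ").replace(")", " ")
    fields = text.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return flags, proto, alg, key

def key_tag(flags, proto, alg, key):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b  # even offsets are high bytes
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def revoked_tag(flags, proto, alg, key):
    """Tag the same key carries once it is published with REVOKE set."""
    return key_tag(flags | REVOKE, proto, alg, key)

def find_ksk(lines, wanted_tag):
    """Return the parsed KSK whose current tag equals wanted_tag, or None."""
    for line in lines:
        rec = parse_dnskey(line)
        if rec[0] & SEP and key_tag(*rec) == wanted_tag:
            return rec
    return None

# Constructed sample record (not a real Yeti key): key bytes 0x01..0x20.
SAMPLE = (". 86400 IN DNSKEY 257 3 8 "
          + base64.b64encode(bytes(range(1, 33))).decode())

if __name__ == "__main__":
    rec = parse_dnskey(SAMPLE)
    print("tag while active:", key_tag(*rec))
    print("tag once revoked:", revoked_tag(*rec))
```

The revoked tag is normally the active tag plus 128; compute it rather than adding by hand, because the checksum fold can change the result when the sum crosses a 16-bit boundary.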
3) For BIND users:
In the last KSK rollover experiment, we found that multiple views in BIND may cause problems during the rollover period. Recently ISC published a post to explain it and ask BIND users to be aware of the change during the KSK rollover.
https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
4) For new resolvers
If you would like to join the experiment, please follow the instructions at http://yeti-dns.org/join.html and set it up before 2017-03-12, because the page will then be changed to contain the two keys for newcomers to start with.
Please let us know if you find anything weird during the experiment.
5) Reference