Replacement of the KSK of the root zone: Are you ready?
09 October 2018 - By Vincent Levigneron
On 18 September ICANN published a decision of its Board. It puts an end to more than 2 years of procrastination over the replacement of the KSK (Key Signing Key) of the root zone. The replacement will take place on October 11, 2018.
The reason is that since the implementation of DNSSEC in the root zone in 2010, the same cryptographic key (called KSK-2010*) has been used to sign the ZSK (Zone Signing Key), which in turn signs the root zone. KSK-2010 is the entry point from which, by the interplay of delegations, a chain of trust can be built that validates the integrity of a response for a DNS record within a signed zone. This is why it is strategic.
The decision is especially relevant if you operate, for yourself or for your customers, a DNS resolution service configured to perform DNSSEC validation. In this case, there is still time to comply if you do not yet have KSK-2017 in your keyset.
Why the hell, in 2018, name the key KSK-2017?
Quite simply because the key, created in 2016, was supposed to come into use in 2017. However, ICANN was forced to postpone the operation due to several alerts from community members who were worried about the impact it could have on users. This has triggered impact studies that all concluded that there would indeed be a visible impact. For example, the implementation of RFC-8145 which is used, among other things, by validating resolvers to indicate which trust keys are used for the root, has made it possible to collect data for analysis. The data show that even if a majority of the resolvers "participating" in the data collection are familiar with the 2 keys (KSK-2010 and KSK-2017), the figure of 100% has not yet been reached.
However, given the guarantee that the most important players in the sector are now ready for the change, and the conviction that the few percent of non-compliant resolvers actually represent only a "small" fraction (on the scale of the Internet, it could still quickly represent a few million users), ICANN has decided to cross the Rubicon on October 11. Only a few more days to wait and we shall see the real impact of the change.
So if you are directly concerned, and your validating DNS resolver does not contain these 2 keys, you need to quickly add KSK-2017 to your keyset to anticipate the validation problems. Consulting the 2 links provided at the end of this post should allow you to carry out the operation.
(*) In actual fact, the keys are not identified with these 2 labels (KSK-2010 / KSK-2017) but by integers called "Key Tags". KSK-2010 and KSK-2017 have respectively 19036 and 20326 as "Key Tag".
How to check that your resolver is familiar with KSK-2017?
Logically, on a recent version of Bind, Unbound... the implementation of RFC-5011 ensures the presence of the 2 keys (KSK-2010 and KSK-2017). Here is a non-exhaustive list of a few tests to validate that this is the case.
If you use:
- Unbound: check the file "/var/lib/unbound/root.key" (Caution, it may be elsewhere if the configuration has been customized).
- Bind: on recent versions (> 9.11), use the command "rndc managed-keys status"; on the others, you have to look for one of the bind.keys files, managed-keys.bind or *.mkeys (it depends on your configuration).
- Knot Resolver: type the command "trust_anchors.keysets" in the console.
- PowerDNS Recursor: type the command "rec_control get-tas".
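The checks above all come down to the same question: does the resolver's trust anchor set contain a root KSK whose Key Tag is 20326? The following added example (not from the post or any of the resolvers named) computes Key Tags from DNSKEY records in zone-file syntax as in RFC 4034 Appendix B, and reports which of the two expected root KSK tags are absent. The sample keyset is constructed with tiny dummy keys so the arithmetic can be followed; it is not the real root key material.

```python
import base64
import struct

# Key Tags the post says a validating resolver must know for the root.
KSK_2010 = 19036
KSK_2017 = 20326


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key Tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even offsets are high bytes
    ac += (ac >> 16) & 0xFFFF                  # fold the carry back in
    return ac & 0xFFFF


def parse_dnskeys(text: str):
    """Return (owner, flags, algorithm, tag) for every DNSKEY RR in the text.
    Anything after ';' is a comment (trust anchor files often carry them)."""
    keys = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        keys.append((fields[0], flags, alg, key_tag(flags, proto, alg, pubkey)))
    return keys


def ksk_tags(text: str) -> set:
    """Tags of root keys with the SEP bit (0x0001) set, i.e. flags 257."""
    return {tag for owner, flags, _, tag in parse_dnskeys(text)
            if owner == "." and flags & 0x0001}


def missing_root_ksks(text: str) -> set:
    """Which of KSK-2010 / KSK-2017 the keyset does NOT contain."""
    return {KSK_2010, KSK_2017} - ksk_tags(text)


# Constructed sample, NOT the real root keys (their tags are 19036 and 20326).
SAMPLE_KEYSET = """\
; constructed trust anchor file with dummy 6-byte and 3-byte public keys
.  172800  IN  DNSKEY  257 3 8 AQIDBAUG ; dummy KSK, tag 3349
.  172800  IN  DNSKEY  256 3 8 CgsM     ; dummy ZSK, tag 6675
"""
```

Running `missing_root_ksks` on a resolver's real anchor file must return an empty set; anything else means KSK-2017 still has to be added before the rollover.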
For more detailed information, we recommend the following 2 links:
Other useful Afnic links on DNSSEC: