DNSSEC key signing key (KSK) Roll over
Incident Report for WiscNet
Resolved
I will now mark the incident as resolved since notification has been sent to all the impacted members.

If you have questions about the rollover, please send email to globalsupport@icann.org with "KSK Rollover" in the subject line.

Thanks
Posted Sep 20, 2018 - 11:36 CDT
Identified
Greetings,

Per the notification we received below, since 1 September 2017, thirty-seven (37) IP addresses from WiscNet's network have sent at least one trust anchor configuration report indicating they were not configured with the new KSK (Key Signing Key). ICANN will change or "roll over" the new DNSSEC KSK of the DNS root zone on 11 October 2018.


If the DNS resolver configuration in your network is not updated with the new KSK before 11 October 2018, users of that resolver will not be able to resolve any DNS queries, resulting in a DNS outage.


The notification below is all the information we received regarding the new DNSSEC KSK.


If you have questions about the rollover, please send email to globalsupport@icann.org with "KSK Rollover" in the subject line.

Please do NOT reply to this message!

These are the IPs:


Thanks

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Below is the Notification we received
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%



On 9/5/18, 2:41 PM, "ksk2018prep@icann.org" wrote:

As you may be aware, on 11 October 2018, ICANN will change or "roll over" the DNSSEC key signing key (KSK) of the DNS root zone. Based on information from your network received at the DNS root name servers, we believe that there *may* be at least one recursive resolver (also referred to as a recursive name server or caching name server) with DNSSEC validation enabled in AS2381 that is unprepared for the KSK rollover. If the resolver configuration is not updated with the new KSK before 11 October 2018, users of that resolver will not be able to resolve any DNS queries, resulting in a DNS outage for all users attempting DNS lookups through that resolver.

To repeat this important point: any DNS resolvers on your network with DNSSEC validation enabled that are not properly updated to use the new KSK will be unable to resolve names on 11 October 2018 or shortly thereafter (the exact time of failure is uncertain due to caching).

At the end of this message, please find a list of IP addresses from AS2381 that since 1 September 2017 have sent at least one trust anchor configuration report indicating they were not configured with the new KSK.

Please note that these IP addresses appear in our records because they sent a trust anchor configuration report to one of the root name servers in the form of a DNS query following the protocol defined in RFC 8145 (https://www.rfc-editor.org/rfc/rfc8145.txt). Not just recursive resolvers but any device, including those belonging to end users (such as mobile phones), could potentially send such a query: we are aware of at least one multi-platform VPN software implementation that reported its lack of the new KSK using this mechanism. (This software has since been updated with the new KSK.) In addition, because these reports are made with a simple DNS query, they can be forwarded through multiple resolvers and can also be easily spoofed. Therefore, the presence of an IP address in the list below does not definitively indicate that a resolver at that address originated a trust anchor report.

Please also note that IP addresses on your network that are not on the list below could still be unprepared for the root KSK rollover: only very recent versions of certain resolver software actually report their trust anchor configuration to the root servers. Your network could still have recursive resolvers with DNSSEC validation enabled that are unprepared for the root KSK rollover on 11 October 2018. If you have not already done so, we would therefore encourage you to check any DNSSEC-validating recursive resolvers to confirm that these resolvers are configured with the new root zone KSK and are prepared for the root KSK rollover on 11 October 2018.

For more information on how to check whether a resolver you operate has the new KSK, see:
https://www.icann.org/dns-resolvers-checking-current-trust-anchors

For more information on how to update your resolver to use the new KSK, see:
https://www.icann.org/dns-resolvers-updating-latest-trust-anchor


In advance of the rollover, we are running a short survey of network operators to assist ICANN in its assessment of networks' readiness for the root KSK rollover. Could we please kindly request that you complete this very short survey about your preparedness for the root KSK rollover? The nine-question survey can be completed in under a minute:

https://www.research.net/r/KSKRolloverPreparedness?ASnumber=2381

We will be accepting responses until 13 September 2018.


For more information about the root KSK rollover project, see:
https://www.icann.org/kskroll

If you have questions about the rollover or this survey, please send email to globalsupport@icann.org with "KSK Rollover" in the subject line.

Kind regards,
The ICANN Root KSK Rollover Project Team
Posted Sep 20, 2018 - 11:19 CDT
This incident affected: Barneveld School District, Beloit School District, Burlington Area School District, Cambridge School District, De Pere School District, Elcho School District, Elmbrook School District, Hortonville Area School District, Howards Grove School District, School District of Ladysmith, Marion School District, McFarland School District, Mid-State Technical College, Middleton-Cross Plains Area School District, Mukwonago School District, New London School District, Northeast Wisconsin Technical College, Northland Pines School District, Norwalk-Ontario-Wilton School District, Oshkosh Area School District, Outagamie Waupaca Library System, Port Edwards School District, Racine Unified School District, Sacred Heart School of Theology, Sheboygan Area School District, City of Sheboygan, South Central Library System, Spooner Health System, Two Rivers Public School District, Whitnall School District, and Winding Rivers Library System.
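
The RFC 8145 trust anchor reports mentioned in the notification are ordinary DNS queries of type NULL whose name encodes the resolver's trusted key tags in hex, so an operator can look for them in their own resolver or border query logs. The following is an added example, not part of the WiscNet notice or the ICANN message: it assumes a constructed log format of `<client-ip> <qname> <qtype>` per line in chronological order, and uses the root KSK key tags 19036 (old key) and 20326 (new key).

```python
import re

# Key tags of the root zone KSKs: the key being retired and its replacement.
KSK_OLD = 19036  # 0x4a5c
KSK_NEW = 20326  # 0x4f66

# RFC 8145 key tag query for the root zone: a single label "_ta-" followed by
# hyphen-separated four-digit hex key tags, e.g. "_ta-4a5c-4f66."
TA_QNAME = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.?$", re.IGNORECASE)

def parse_key_tags(qname):
    """Return the set of key tags in a root trust anchor report, else None."""
    m = TA_QNAME.match(qname.strip())
    if not m:
        return None
    return {int(tag, 16) for tag in m.group(1).split("-")}

def classify(tags):
    if KSK_NEW in tags:
        return "ready"
    return "old-ksk-only" if KSK_OLD in tags else "unknown-anchor"

def audit(log_lines):
    """Map client IP -> status of its most recent trust anchor report.

    The source IP is only a lead: as the notification says, these queries can
    be forwarded through other resolvers or spoofed.
    """
    status = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3 or fields[2].upper() != "NULL":
            continue  # not a key tag query
        tags = parse_key_tags(fields[1])
        if tags is not None:
            status[fields[0]] = classify(tags)  # later lines overwrite earlier
    return status

def unprepared(log_lines):
    return sorted(ip for ip, s in audit(log_lines).items() if s != "ready")

# Constructed sample log (documentation address ranges, not real resolvers).
SAMPLE_LOG = """\
192.0.2.10 _ta-4a5c. NULL
192.0.2.11 _ta-4a5c-4f66. NULL
192.0.2.10 _ta-4a5c-4f66. NULL
198.51.100.7 _ta-4a5c. NULL
198.51.100.7 www.example.com. A
203.0.113.5 _ta-zzzz. NULL
""".splitlines()

if __name__ == "__main__":
    for ip in unprepared(SAMPLE_LOG):
        print(ip, "last reported a trust anchor set without the new KSK")
```

A client that never appears in such a log is not thereby confirmed ready, since only recent resolver versions send these reports at all.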