[arin-announce] ARIN DNSSEC Changes Completed

[ARIN]

On 27 April, ARIN placed Delegation Signer (DS) records into 
in-addr.arpa and ip6.arpa. Now DNSSEC validation will occur from the 
root down if you properly set up your DNSSEC-aware recursive resolver.

For most DNSSEC-aware recursive resolver operators, nothing needs to be 
done for this change to be in effect as long as you have configured your 
DNSSEC-aware server to use ICANN’s trust anchor for the root zone. For 
those who have used ARIN’s trust anchors (in place since 2 July 2009) to 
take advantage of DNSSEC before the root or in-addr.arpa was signed, you 
MUST remove them within the next two months of this date. Otherwise, 
DNSSEC validation may fail due to a KSK change to ARIN’s zones. 
Additionally, ARIN will also coordinate with Internet Systems 
Consortium, Inc. (ISC) to remove ARIN's delegations from their DNSSEC 
Lookaside Validation (DLV) registry after setting up these records in 
in-addr.arpa and ip6.arpa.

The DS records will remain the same as the current trust anchor for the 
next two months. After that time, ARIN will begin rolling a KSK for its 
authoritative zones, which will cause any DNSSEC-enabled resolvers that 
use ARIN’s statically, configured trust anchors to fail.

For full details on DNSSEC at ARIN, refer to: 
https://www.arin.net/resources/dnssec/

As always, ARIN welcomes community feedback regarding DNSSEC. Subscribe 
and participate on the arin-tech-discuss at arin.net mailing list if you 
have questions or comments.

Regards,

Mark Kosters
Chief Technical Officer
American Registry for Internet Numbers (ARIN)