This is a technical, operational announcement regarding changes to the ARPA top-level
domain. Apologies in advance for duplicates received through different mailing lists.

No specific action is requested of operators. This message is for your information only.

The ARPA zone is about to be signed using DNSSEC. The technical parameters by which ARPA
will be signed are as follows:

KSK Algorithm and Size: 2048 bit RSA
KSK Rollover: every 2-5 years, scheduled rollover to follow RFC 5011
KSK Signature Algorithm: SHA-256
Validity period for signatures made with KSK: 15 days; new signatures published every 10
ZSK Algorithm and Size: 1024 bit RSA
ZSK Rollover: every 3 months
ZSK Signature Algorithm: SHA-256
Authenticated proof of non-existence: NSEC
Validity period for signatures made with ZSK: 7 days; zone generated and re-signed twice

The twelve root server operators will begin to serve a signed ARPA zone instead of the
(current) unsigned ARPA zone during a maintenance window which will open at 2010-03-15
0001 UTC and close at 2010-03-17 2359 UTC. Individual root server operators will carry out
their maintenance at times within that window according to their own operational

The trust anchor for the ARPA zone will be published in the ITAR, and in the root zone
in the form of a DS record once the root zone is signed.

If you have any concerns or require further information, please let me know.

Director DNS Operations, ICANN