[Nlnog] Root Zone DNSSEC Deployment Technical Status Update

Joe Abley joe.abley at icann.org
Wed Apr 14 23:19:26 UTC 2010


This is the fourth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.


RESOURCES

Details of the project, including documentation published to date,
can be found at http://www.root-dnssec.org/.

We'd like to hear from you. If you have feedback for us, please
send it to rootsign at icann.org.


DOCUMENTATION

The following draft document was recently published:

 - Resolver Testing with a DURZ
 - TCR - Proposed Approach to Root Key Management

ICANN has begun the process of formally soliciting expressions of
interest for volunteers from the technical community to act as
Trusted Community Representatives. These volunteers will witness
cryptographic key ceremonies and also carry out various important
roles relating to KSK key management. For more information, see:

  http://www.icann.org/en/announcements/announcement-12apr10-en.htm

Expressions of interest can be submitted here:

  http://www.root-dnssec.org/tcr/


DEPLOYMENT STATUS

KSR exchanges continue between production platforms at VeriSign
and ICANN.

Build-out of KSK Key Ceremony facilities at ICANN continues, and
both facilities (east- and west-coast USA) are expected to be ready
on schedule.

The incremental deployment of DNSSEC in the Root Zone is being
carried out first by serving a Deliberately Unvalidatable Root Zone
(DURZ), and subsequently by a conventionally signed root zone.
Discussion of the approach can be found in the document "DNSSEC
Deployment for the Root Zone", as well as in the technical presentations
delivered at RIPE, NANOG, IETF and ICANN meetings.

Twelve of the thirteen root servers have now made the transition
to the DURZ.  No harmful effects have been identified.  Some early
analysis of packet captures from many root servers surrounding each
event was recently presented at the IETF meeting in Anaheim, CA,
USA and can be found with other presentation materials at
<http://www.root-dnssec.org/presentations/>.


PLANNED DEPLOYMENT SCHEDULE

Already completed:

  2010-01-27: L starts to serve DURZ

  2010-02-10: A starts to serve DURZ

  2010-03-03: M, I start to serve DURZ

  2010-03-24: D, K, E start to serve DURZ

  2010-04-14: B, H, C, G, F start to serve DURZ

To come:

  2010-05-05: J starts to serve DURZ

  2010-07-01: Distribution of validatable, production, signed root
    zone; publication of root zone trust anchor

  (Please note that this schedule is tentative and subject to change
  based on testing results or other unforeseen factors.)

A more detailed DURZ transition timetable with maintenance windows
can be found in the document "DNSSEC Deployment for the Root Zone",
the most recent draft of which can be found on the project web page
at <http://www.root-dnssec.org/>.




More information about the NLNOG mailing list