[Nlnog] Root Zone DNSSEC Deployment Technical Status Update

Joe Abley joe.abley at icann.org
Sat Jul 10 16:40:52 UTC 2010


Root Zone DNSSEC Deployment
Technical Status Update 2010-07-10

This is the tenth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.


RESOURCES

Details of the project, including documentation published to date,
can be found at <http://www.root-dnssec.org/>.

We'd like to hear from you. If you have feedback for us, please
send it to rootsign at icann.org.


KSK CEREMONY 2

The second KSK ceremony for the root zone will take place in El
Segundo, CA, USA on Monday 2010-07-12. The ceremony is scheduled
to begin at 1300 local time (2000 UTC) and is expected to end by
1900 local time (0200 UTC).

Video from Ceremony 2 will be recorded for audit purposes, as with
Ceremony 1. Video and associated audit materials will be published
before the signed root enters full production on 2010-07-15. Details
will be circulated before that date.

ICANN will operate a separate camera whose video will not be retained
for audit purposes, but which will instead be streamed live in order
to provide remote observers an opportunity to watch the ceremony.
The live stream will be provided on a best-effort basis.

The live video stream will be available at:

  http://dns.icann.org/ksk/stream/
  

FULL PRODUCTION SIGNED ROOT ZONE

The transition from Deliberately-Unvalidatable Root Zone (DURZ) to
production signed root zone will take place on 2010-07-15.

Trust anchor publication, according to draft-icann-dnssec-trust-anchor-00
will take place after the maintenance window closes, once a final
set of tests have been completed by ICANN and the results have been
found to be positive.


FTP ACCESS TO SIGNED ZONE FILES

Following the transition on 2010-07-15 the unsigned root and ARPA
zone files published at

  ftp://rs.internic.net/domain/
  ftp://ftp.internic.net/domain/

will be replaced by signed zone files. That is, the zone files
retrieved from both FTP servers will contain DNSSEC data, and will
hence faithfully represent the zones being served by root servers.


PLANNED DEPLOYMENT SCHEDULE

Already completed:

  2010-01-27: L starts to serve DURZ

  2010-02-10: A starts to serve DURZ

  2010-03-03: M, I start to serve DURZ

  2010-03-24: D, K, E start to serve DURZ

  2010-04-14: B, H, C, G, F start to serve DURZ

  2010-05-05: J starts to serve DURZ

  2010-06-16: First Key Signing Key (KSK) Ceremony

To come:

  2010-07-12: Second Key Signing Key (KSK) Ceremony

  2010-07-15: Distribution of validatable, production, signed root
    zone; publication of root zone trust anchor

  (Please note that this schedule is tentative and subject to change
  based on testing results or other unforeseen factors.)




More information about the NLNOG mailing list