«
»

Status Update, January, 2010

This is the second of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

DOCUMENTATION

The following draft documents were recently published:

  • DNSSEC Deployment for the Root Zone
  • DNSSEC Trust Anchor Publication for the Root Zone

The following documents are expected to be released as drafts within the next few weeks:

  • DNSSEC Test Plan for the Root Zone
  • KSK Holder DNSSEC Facility Requirements

DEPLOYMENT STATUS

A second KSR exchange between ICANN and VeriSign took place on 2009-12-28. Signing, validation, measurement and monitoring infrastructure continues to be tested.

The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately-Unvalidatable Root Zone (DURZ), and subsequently by a conventionally-signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.

Internal publication of the DURZ to root server operators began on 7 January 2010, to allow root server operators to do internal testing and to refine internal monitoring or other operational systems. Note that all root servers will continue to serve the unsigned root zone during this internal testing of the DURZ.

Full packet capture exercises are planned by root server operators on 2010-01-13 and 2010-01-19, with data being uploaded to OARC’s Day in the Life (DITL) infrastructure, in preparation for the full packet captures that will take place during L’s DURZ transition.

PLANNED DEPLOYMENT SCHEDULE

The recently-published deployment plan contains target maintenance windows for each root server’s transition to serve the DURZ. The date for the first such transition, on the L root server, has been deferred slightly to accommodate more extensive data capture and measurement testing by all root servers, and also to allow an NSD upgrade to be tested and deployed on L.

ICANN plans to serve the DURZ on L-Root using NSD 3.2.4, which is better able to serve large DNS responses. See http://www.nlnetlabs.nl/projects/nsd/ for more details.

Week of 2010-01-25: L starts to serve DURZ

Week of 2010-02-08: A starts to serve DURZ

Week of 2010-03-01: M, I start to serve DURZ

Week of 2010-03-22: D, K, E start to serve DURZ

Week of 2010-04-12: B, H, C, G, F start to serve DURZ

Week of 2010-05-03: J starts to serve DURZ

2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforseen factors.)

This entry was posted on Thursday, January 14th, 2010 at 00:00 and is filed under Status. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

One Response to “Status Update, January, 2010”

  1. What are the effects of the L root server now publishing DURZ? Drija Says:
    November 18th, 2010 at 04:44

    [...] curious what the actual effects of the L root server publishing DURZ today will be. On the nanog mailing list, someone said it’s important to evaluate the systemic [...]