Status Update, February 2010
This is the third of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
DOCUMENTATION
The following draft document was recently published:
- Root Zone DNSSEC KSK Ceremonies Guide
DEPLOYMENT STATUS
KSR exchanges continue between development platforms at VeriSign and ICANN. Test exchanges between production servers, exercising regular operational staff and subject to production monitoring and availability measurements is scheduled to begin on 2010-03-01.
Build-out of KSK Key Ceremony facilities at ICANN continues, and both facilities (east- and west-coast USA) are expected to be ready on schedule.
The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately-Unvalidatable Root Zone (DURZ), and subsequently by a conventionally-signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.
L-Root made the transition to the DURZ on 2010-01-27, and A-Root did the same on 2010-02-10. No harmful effects of either transition have been identified. Some early analysis of packet captures from many root servers surrounding each event was recently presented at NANOG 48 in Austin, Texas, USA and can be found with other presentation materials at https://www.co.tt/files/dnssecroot/presentations/.
Those who are tracking the impact of the DURZ transition on root servers should note that the maintenance window for the M-Root DURZ transition has changed to 2010-03-03 0600–0800 UTC, two hours later than was originally advised. This change has been reflected in the deployment plan, which can be found with other project documentation at https://www.co.tt/files/dnssecroot/documentation/.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
- 2010-01-27: L starts to serve DURZ
- 2010-02-10: A starts to serve DURZ
To come:
- 2010-03-03: M, I start to serve DURZ
- 2010-03-24: D, K, E start to serve DURZ
- 2010-04-14: B, H, C, G, F start to serve DURZ
- 2010-05-05: J starts to serve DURZ
- 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforseen factors.)
A more detailed DURZ transition timetable with maintenance windows can be found in the document “DNSSEC Deployment for the Root Zone”, the most recent draft of which can be found on the project web page at https://www.co.tt/files/dnssecroot/.