«
»

Status Update, April 2010

This is the fourth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

DOCUMENTATION

The following draft document was recently published:

  • Resolver Testing with a DURZ
  • TCR – Proposed Approach to Root Key Management

DEPLOYMENT STATUS

KSR exchanges continue between production platforms at VeriSign and ICANN.

Build-out of KSK Key Ceremony facilities at ICANN continues, and both facilities (east- and west-coast USA) are expected to be ready on schedule.

The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.

Twelve of the thirteen root servers have made the transition to the DURZ. No harmful effects have been identified. Some early analysis of packet captures from many root servers surrounding each event was recently presented at the IETF meeting in Anaheim, CA, USA and can be found with other presentation materials at https://www.co.tt/files/dnssecroot/documentation/.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

  • 2010-01-27: L starts to serve DURZ
  • 2010-02-10: A starts to serve DURZ
  • 2010-03-03: M, I start to serve DURZ
  • 2010-03-24: D, K, E start to serve DURZ
  • 2010-04-14: B, H, C, G, F start to serve DURZ

    To come:

    • 2010-05-05: J starts to serve DURZ
    • 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

    (Please note that this schedule is tentative and subject to change based on testing results or other unforseen factors.)

    A more detailed DURZ transition timetable with maintenance windows can be found in the document “DNSSEC Deployment for the Root Zone”, the most recent draft of which can be found on the project web page at https://www.co.tt/files/dnssecroot/.

    This entry was posted on Wednesday, April 14th, 2010 at 16:22 and is filed under Status. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

    5 Responses to “Status Update, April 2010”

    1. Tweets that mention Root DNSSEC » Blog Archive » Status Update, April 2010 -- Topsy.com Says:
      April 15th, 2010 at 01:01

      [...] This post was mentioned on Twitter by JinnK, CoreMundi. CoreMundi said: [DNS] Status Update, April 2010: This is the fourth of a series of technical status updates intended to inform a t… http://bit.ly/9O4kLG [...]

    2. Operational Challenges When Implementing DNSSEC | Host Rage Says:
      April 20th, 2010 at 17:08

      [...] Root DNSSEC » Blog Archive » Status Update, April 2010 [...]

    3. DNSSEC – the day the internet stood still | Fast 2 Learn Cards Says:
      April 21st, 2010 at 03:33

      [...] Root DNSSEC » Blog Archive » Status Update, April 2010 [...]

    4. Any CISCO experts here? Got a few questions…? | Web Traffic Siphon Says:
      May 3rd, 2010 at 03:38

      [...] Root DNSSEC » Blog Archive » Status Update, April 2010 [...]

    5. [7.904] DNS Proxy Fails DNSSEC Packet Size Test - Astaro User Bulletin Board Says:
      May 3rd, 2010 at 23:16

      [...] Your resolver was only able to get packets SMALLER than 512 bytes. Please see Update status Root DNSSEC Blog Archive Status Update, April 2010 On May 5, the world's top domain authorities (led by ICANN, the US Government and Verisign) will [...]