Root DNSSEC

This is the twelfth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

FULL PRODUCTION SIGNED ROOT ZONE

The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone took place on 2010-07-15 at 2050 UTC. The first full production signed root zone had SOA serial 2010071501. There have been no reported harmful effects. The root zone trust anchor can be found at https://data.iana.org/root-anchors/.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

• 2010-01-27: L starts to serve DURZ
• 2010-02-10: A starts to serve DURZ
• 2010-03-03: M, I start to serve DURZ
• 2010-03-24: D, K, E start to serve DURZ
• 2010-04-14: B, H, C, G, F start to serve DURZ
• 2010-05-05: J start to serve DURZ
• 2010-06-16: First Key Signing Key (KSK) Ceremony
• 2010-07-12: Second Key Signing Key (KSK) Ceremony
• 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

This is the eleventh of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

KSK CEREMONY 2 COMPLETE

The second KSK ceremony for the root zone was completed this week in El Segundo, CA, USA. The Ceremony Administrator was Mehmet Akcin.

The second production Key Signing Request (KSR) generated by VeriSign has now been processed by ICANN using the root zone KSK generated in KSK Ceremony 1, and the resulting Signed Key Response (SKR) has been accepted by VeriSign. This SKR contains signatures for Q4 2010, for use between 2010-10-01 and 2010-12-31.

Audit materials relating to both the first and second ceremonies will be published today at .

FULL PRODUCTION SIGNED ROOT ZONE

The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone is scheduled take place on 2010-07-15 within a maintenance window which begins at 1930 UTC and ends at 2330 UTC. This is the usual window for the generation and distribution of root zones with SOA serials ending in 01.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

• 2010-01-27: L starts to serve DURZ
• 2010-02-10: A starts to serve DURZ
• 2010-03-03: M, I start to serve DURZ
• 2010-03-24: D, K, E start to serve DURZ
• 2010-04-14: B, H, C, G, F start to serve DURZ
• 2010-05-05: J start to serve DURZ
• 2010-06-16: First Key Signing Key (KSK) Ceremony
• 2010-07-12: Second Key Signing Key (KSK) Ceremony

To come:

• 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

This is the tenth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

KSK CEREMONY 2

The second KSK ceremony for the root zone will take place in El Segundo, CA, USA on Monday 2010-07-12. The ceremony is scheduled to begin at 1300 local time (2000 UTC) and is expected to end by 1900 local time (0200 UTC).

Video from Ceremony 2 will be recorded for audit purposes, as with Ceremony 1. Video and associated audit materials will be published before the signed root enters full production on 2010-07-15. Details will be circulated before that date.

ICANN will operate a separate camera whose video will not be retained for audit purposes, but which will instead be streamed live in order to provide remote observers an opportunity to watch the ceremony. The live stream will be provided on a best-effort basis.

The live video stream will be available at http://dns.icann.org/ksk/stream/.

FULL PRODUCTION SIGNED ROOT ZONE

The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone will take place on 2010-07-15.

Trust anchor publication, according to draft-icann-dnssec-trust-anchor-00 will take place after the maintenance window closes, once a final set of tests have been completed by ICANN and the results have been found to be positive.

FTP ACCESS TO SIGNED ZONE FILES

Following the transition on 2010-07-15 the unsigned root and ARPA zone files published at

ftp://rs.internic.net/domain/
ftp://ftp.internic.net/domain/

will be replaced by signed zone files. That is, the zone files retrieved from both FTP servers will contain DNSSEC data, and will hence faithfully represent the zones being served by root servers.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

• 2010-01-27: L starts to serve DURZ
• 2010-02-10: A starts to serve DURZ
• 2010-03-03: M, I start to serve DURZ
• 2010-03-24: D, K, E start to serve DURZ
• 2010-04-14: B, H, C, G, F start to serve DURZ
• 2010-05-05: J start to serve DURZ
• 2010-06-16: First Key Signing Key (KSK) Ceremony

To come:

• 2010-07-12: Second Key Signing Key (KSK) Ceremony
• 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

This is the ninth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.

RESOURCES

Details of the project, including documentation published to date,
can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please
send it to rootsign@icann.org.

KSK CEREMONY 1 COMPLETE

The first KSK ceremony for the root zone was completed this week
in Culpeper, VA, USA. The Ceremony Administrator was Mehmet Akcin.

The first production KSK has now been generated. This is the key
that is scheduled to be put into service on 2010-07-15.

The first production Key Signing Request (KSR) generated by VeriSign
has now been processed by ICANN using the root zone KSK, and the
resulting Signed Key Response (KSR) has been accepted by VeriSign.
This SKR contains signatures for Q3 2010, for use between 2010-07-01
and 2010-09-30.

Audit materials relating to the first ceremony will be published
as soon as is practical, and in particular before 2010-07-15.

The KSK and SKR generated during this ceremony will not be approved
for production until the KSK key pair has been successfully transported
to ICANN’s west-coast ceremony facility in El Segundo, CA, USA, and
placed in secure storage.

KSK CEREMONY 2 SCHEDULED

The second KSK ceremony for the root zone is scheduled to take place
in El Segundo, CA, USA on 2010-07-12. Replication of key materials
onto west-coast HSMs, enrolment of west-coast crypto officers and
processing of the Q4 2010 KSR (for production use between 2010-10-01
and 2010-12-31) will take place during this ceremony.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

• 2010-01-27: L starts to serve DURZ
• 2010-02-10: A starts to serve DURZ
• 2010-03-03: M, I start to serve DURZ
• 2010-03-24: D, K, E start to serve DURZ
• 2010-04-14: B, H, C, G, F start to serve DURZ
• 2010-05-05: J start to serve DURZ
• 2010-06-16: First Key Signing Key (KSK) Ceremony

To come:

• 2010-07-12: Second Key Signing Key (KSK) Ceremony
• 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

This is the eigth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

PUBLIC NOTICE

The US Department of Commerce National Telecommunications and Information Administration (NTIA) has issued a Public Notice regarding the deployment of DNSSEC in the root zone.

http://www.ntia.doc.gov/frnotices/2010/FR_DNSSEC_Notice_06092010.pdf

The Public Notice makes reference to the final report submitted to NTIA by ICANN and VeriSign which contains a summary of the project work to date together with a recommendation that full deployment should proceed.

http://www.ntia.doc.gov/reports/2010/DNSSEC_05282010.pdf

The Public Notice includes a public review period. Comments may be submitted by postal mail, fax or e-mail before 2010-06-21. Instructions for the submission of comments are included in the Public Notice.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

• 2010-01-27: L starts to serve DURZ
• 2010-02-10: A starts to serve DURZ
• 2010-03-03: M, I start to serve DURZ
• 2010-03-24: D, K, E start to serve DURZ
• 2010-04-14: B, H, C, G, F start to serve DURZ
• 2010-05-05: J start to serve DURZ

To come:

• 2010-06-16: First Key Signing Key (KSK) Ceremony
• 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

This is the seventh of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

CHANGE IN DEPLOYMENT SCHEDULE

The date for the publication of the root zone trust anchor and the distribution of a validatable, signed root zone originally planned for 2010-07-01 has been changed.

This final stage of root DNSSEC deployment is now scheduled to take place on 2010-07-15.

The schedule change is intended to allow ICANN and VeriSign an additional two weeks for further analysis of the DURZ rollout, to finalise testing and best ensure the secure, stable and resilient implementation of the root DNSSEC production processes and systems.

Prior to 2010-07-15 the U.S. Department of Commerce (DoC) will issue a public notice announcing the publication of the joint ICANN-VeriSign testing and evaluation report as well as the intent to proceed with the final stage of DNSSEC deployment. As part of this notice the DoC will include a public review and comment period prior to taking any action.

This change has been reflected in the deployment plan and other documentation, and updated documents will be published at <https://www.co.tt/files/dnssecroot/>.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

• 2010-01-27: L starts to serve DURZ
• 2010-02-10: A starts to serve DURZ
• 2010-03-03: M, I start to serve DURZ
• 2010-03-24: D, K, E start to serve DURZ
• 2010-04-14: B, H, C, G, F start to serve DURZ
• 2010-05-05: J start to serve DURZ

To come:

• 2010-06-16: First Key Signing Key (KSK) Ceremony
• 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

This is the sixth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

The final transition to a signed root zone took place today on J-Root, between 1700–1900 UTC.

All root servers are now serving a signed root zone.

All root servers will now generate larger responses to DNS queries that request DNSSEC information.

If you experience technical problems or need to contact technical project staff, please send e-mail to rootsign@icann.org or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred if possible.

See below for more details.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

DEPLOYMENT STATUS

The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.

All of the thirteen root servers have now made the transition to the to the DURZ.  No harmful effects have been identified.

Initial observations relating to this transition will be presented and discussed at the DNS Working Group meeting at the RIPE meeting in Prague on 2010-05-06.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

• 2010-01-27: L starts to serve DURZ
• 2010-02-10: A starts to serve DURZ
• 2010-03-03: M, I start to serve DURZ
• 2010-03-24: D, K, E start to serve DURZ
• 2010-04-14: B, H, C, G, F start to serve DURZ
• 2010-05-05: J start to serve DURZ

To come:

• 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

This is the fifth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

The final transition to the DURZ will take place on J-Root, on 2010-05-05 between 1700–1900 UTC.

After that maintenance all root servers will be serving the DURZ, and will generate larger responses to DNS queries that request DNSSEC information.

If you experience technical problems or need to contact technical project staff, please send e-mail to rootsign@icann.org or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred if possible.

See below for more details.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

DEPLOYMENT STATUS

The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.

Twelve of the thirteen root servers have already made the transition to the DURZ. No harmful effects have been identified.

The final root server to make the transition, J-Root, will start serving the DURZ in a maintenance window scheduled for 1700–1900 UTC on 2010-05-05.

Initial observations relating to this transition will be presented and discussed at the DNS Working Group meeting at the RIPE meeting in Prague on 2010-05-06.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

• 2010-01-27: L starts to serve DURZ
• 2010-02-10: A starts to serve DURZ
• 2010-03-03: M, I start to serve DURZ
• 2010-03-24: D, K, E start to serve DURZ
• 2010-04-14: B, H, C, G, F start to serve DURZ

To come:

• 2010-05-05: J starts to serve DURZ
• 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

A more detailed DURZ transition timetable with maintenance windows can be found in the document “DNSSEC Deployment for the Root Zone”, the most recent draft of which can be found on the project web page at https://www.co.tt/files/dnssecroot/.

This is the fourth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

DOCUMENTATION

The following draft document was recently published:

• Resolver Testing with a DURZ
• TCR – Proposed Approach to Root Key Management

DEPLOYMENT STATUS

KSR exchanges continue between production platforms at VeriSign and ICANN.

Build-out of KSK Key Ceremony facilities at ICANN continues, and both facilities (east- and west-coast USA) are expected to be ready on schedule.

The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.

Twelve of the thirteen root servers have made the transition to the DURZ. No harmful effects have been identified. Some early analysis of packet captures from many root servers surrounding each event was recently presented at the IETF meeting in Anaheim, CA, USA and can be found with other presentation materials at https://www.co.tt/files/dnssecroot/documentation/.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

• 2010-01-27: L starts to serve DURZ
• 2010-02-10: A starts to serve DURZ
• 2010-03-03: M, I start to serve DURZ
• 2010-03-24: D, K, E start to serve DURZ
• 2010-04-14: B, H, C, G, F start to serve DURZ

To come:

• 2010-05-05: J starts to serve DURZ
• 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforseen factors.)

A more detailed DURZ transition timetable with maintenance windows can be found in the document “DNSSEC Deployment for the Root Zone”, the most recent draft of which can be found on the project web page at https://www.co.tt/files/dnssecroot/.

This is the third of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

DOCUMENTATION

The following draft document was recently published:

• Root Zone DNSSEC KSK Ceremonies Guide

DEPLOYMENT STATUS

KSR exchanges continue between development platforms at VeriSign and ICANN. Test exchanges between production servers, exercising regular operational staff and subject to production monitoring and availability measurements is scheduled to begin on 2010-03-01.

Build-out of KSK Key Ceremony facilities at ICANN continues, and both facilities (east- and west-coast USA) are expected to be ready on schedule.

The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately-Unvalidatable Root Zone (DURZ), and subsequently by a conventionally-signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.

L-Root made the transition to the DURZ on 2010-01-27, and A-Root did the same on 2010-02-10. No harmful effects of either transition have been identified. Some early analysis of packet captures from many root servers surrounding each event was recently presented at NANOG 48 in Austin, Texas, USA and can be found with other presentation materials at https://www.co.tt/files/dnssecroot/presentations/.

Those who are tracking the impact of the DURZ transition on root servers should note that the maintenance window for the M-Root DURZ transition has changed to 2010-03-03 0600–0800 UTC, two hours later than was originally advised. This change has been reflected in the deployment plan, which can be found with other project documentation at https://www.co.tt/files/dnssecroot/documentation/.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

• 2010-01-27: L starts to serve DURZ
• 2010-02-10: A starts to serve DURZ

To come:

• 2010-03-03: M, I start to serve DURZ
• 2010-03-24: D, K, E start to serve DURZ
• 2010-04-14: B, H, C, G, F start to serve DURZ
• 2010-05-05: J starts to serve DURZ
• 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforseen factors.)

A more detailed DURZ transition timetable with maintenance windows can be found in the document “DNSSEC Deployment for the Root Zone”, the most recent draft of which can be found on the project web page at https://www.co.tt/files/dnssecroot/.