Root DNSSEC (http://www.co.tt/files/dnssecroot): Information about DNSSEC for the Root Zone. Feed generated Tue, 24 Sep 2013 06:20:41 +0000.

Enhancements to DNSSEC validation for the DNS Root Zone change requests
https://www.co.tt/files/dnssecroot/2011/01/27/rrsig-checking/
Thu, 27 Jan 2011 20:41:54 +0000

Summary: We propose to enhance the validation procedure for top-level domain operators who wish to list DS records in the root zone. We will soon start testing for valid RRSIG records, in addition to testing that the DS records match DNSKEYs listed in the top-level domain.

On 2010-07-15, the DNS root zone completely transitioned to its DNSSEC-signed state, signalling the end of the progressive launch program. As we now reach the six month anniversary of reaching full production, an increasing number of top-level domain operators have taken advantage of the signed root zone by listing their delegation signer records. These records allow their zones to validate using the chain-of-trust from the single root trust anchor key.

As with all root zone changes, ICANN, Verisign and the US Department of Commerce have worked together to accept listing requests from top-level domain managers, evaluate them to ensure they meet technical and operational requirements, and then list them in the root zone.

Experience

During the first half year of experience with a signed root zone, we have been actively monitoring how TLD operators have rolled out DNSSEC and gaining experience from them. While the majority of requests have been processed smoothly, in some cases we have received DS listing requests that pass our validation criteria, yet have issues with their name servers that can impact successful deployment of DNSSEC for the TLD concerned.

Specifically, in some cases the DNSKEY is correctly listed in the zone and the zone is signed; however, the authoritative name server software is not deployed and configured correctly to return the corresponding RRSIG records when the DO-flag is set. The DO-flag signals to a name server that the querier understands, and wants, a DNSSEC-signed response.

Such situations indicate a misconfiguration or problem within the top-level domain: if the DS record were to be listed, it would likely result in DNSSEC validation failures within that top-level domain for some users.

Proposed Update to the DS Record Evaluation Procedure

In order to enhance stability of the global domain name system by identifying this issue, we propose to alter the technical requirements for listing delegation signer records in the DNS root zone.

  1. The current test will be preserved: for each DS record proposed to be listed in the DNS root zone, each authoritative name server must serve a matching DNSKEY.
  2. A new validation will be performed, whereby the DO-flag is set on the query for the DNSKEYs from each authoritative name server. We will check that (a) RRSIG records are returned, and that (b) the RRSIGs validate using one of the returned DNSKEY records that has the SEP-bit set.

In effect, this new test will not just check that the DS record is correct, but that basic DNSSEC functionality is correctly enabled in each of the authoritative servers.
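To make the two tests concrete, here is an added Python model of the check as this post describes it (example code written for this page, not ICANN's or VeriSign's tooling). It runs offline on constructed records for a hypothetical TLD "example." with tiny key material, implements the RFC 4034 key tag and DS digest, and models the SEP-bit key selection of test 2b without verifying the signature bytes themselves, which is left to a DNSSEC library.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class DNSKEY:
    flags: int         # bit 15 = ZONE, bit 0 = SEP (RFC 4034 section 2.1.1)
    algorithm: int     # e.g. 8 = RSA/SHA-256
    public_key: bytes  # raw public key bytes; constructed and tiny here, not a real key

    def rdata(self) -> bytes:
        # DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key
        return self.flags.to_bytes(2, "big") + bytes([3, self.algorithm]) + self.public_key

@dataclass
class RRSIG:
    type_covered: str  # RR type the signature covers, e.g. "DNSKEY"
    algorithm: int
    key_tag: int       # tag of the DNSKEY that produced the signature
    signer: str        # signer's name; must be the TLD itself

@dataclass
class DS:
    key_tag: int
    algorithm: int
    digest_type: int   # 1 = SHA-1, 2 = SHA-256
    digest: bytes

def key_tag(key: DNSKEY) -> int:
    """Key tag of RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner: str, key: DNSKEY, digest_type: int = 2) -> bytes:
    """DS digest of RFC 4034 section 5.1.4: hash(owner name wire form | DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(owner_wire(owner) + key.rdata()).digest()

def check_server(tld, proposed_ds, dnskeys, rrsigs):
    """Apply both tests to one authoritative server's DO=1 DNSKEY answer; returns a list of problems."""
    problems = []
    # Test 1 (existing): every proposed DS must match a DNSKEY this server serves.
    for ds in proposed_ds:
        if not any(key_tag(k) == ds.key_tag and k.algorithm == ds.algorithm
                   and ds_digest(tld, k, ds.digest_type) == ds.digest for k in dnskeys):
            problems.append(f"DS with key tag {ds.key_tag} matches no served DNSKEY")
    # Test 2a (new): RRSIGs covering the DNSKEY RRset must come back when the DO-flag is set.
    sigs = [s for s in rrsigs if s.type_covered == "DNSKEY" and s.signer.lower() == tld.lower()]
    if not sigs:
        problems.append("no RRSIG covering DNSKEY returned with DO-flag set")
        return problems
    # Test 2b (new): one of those RRSIGs must be made by a served DNSKEY with the SEP bit set.
    # Only the key-selection half is modelled here; checking the signature bytes against the
    # key is left to a DNSSEC library (an assumption of this example).
    sep_tags = {(key_tag(k), k.algorithm) for k in dnskeys if k.flags & 0x0001}
    if not any((s.key_tag, s.algorithm) in sep_tags for s in sigs):
        problems.append("no RRSIG over DNSKEY is made by a SEP-bit DNSKEY served here")
    return problems

# Constructed sample data: tiny KSK (SEP bit set) and ZSK for a hypothetical TLD "example."
TLD = "example."
KSK = DNSKEY(flags=257, algorithm=8, public_key=b"\x01\x02")
ZSK = DNSKEY(flags=256, algorithm=8, public_key=b"\x03\x04\x05")
KEYS = [KSK, ZSK]
PROPOSED_DS = [DS(key_tag(KSK), 8, 2, ds_digest(TLD, KSK))]

def sample_results():
    """Run the checks on three constructed DO=1 answers from the TLD's name servers."""
    ksk_sig, zsk_sig = RRSIG("DNSKEY", 8, key_tag(KSK), TLD), RRSIG("DNSKEY", 8, key_tag(ZSK), TLD)
    return {
        "healthy": check_server(TLD, PROPOSED_DS, KEYS, [ksk_sig, zsk_sig]),  # signed by KSK and ZSK
        "zsk_only": check_server(TLD, PROPOSED_DS, KEYS, [zsk_sig]),          # DS matches, test 2b fails
        "no_rrsig": check_server(TLD, PROPOSED_DS, KEYS, []),                 # the misconfiguration described
    }
```

The "no_rrsig" case is exactly the server that passes today's DS check but strips DNSSEC data from DO=1 answers; the "zsk_only" case shows why test 2b insists on a SEP-bit key rather than any signing key.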

As today, where these validations fail, ICANN will consult the TLD operator. Should the TLD operator, having understood and accepted any risks associated with listing DS records that do not pass these tests, still wish to proceed, the root zone management partners will continue to process the request.

Proposed Implementation

ICANN proposes to introduce this process into its operational workflow in March 2011. From this time, ICANN will perform the new validation and notify top-level domain operators during the technical check phase of root zone processing. VeriSign will perform the same check just prior to implementation in the root zone.

We welcome your comments and feedback on this proposal at rootsign@icann.org.

Status Update, 2010-07-16
https://www.co.tt/files/dnssecroot/2010/07/16/status-update-2010-07-16/
Fri, 16 Jul 2010 08:00:23 +0000

This is the twelfth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

FULL PRODUCTION SIGNED ROOT ZONE

The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone took place on 2010-07-15 at 2050 UTC. The first full production signed root zone had SOA serial 2010071501. There have been no reported harmful effects. The root zone trust anchor can be found at https://data.iana.org/root-anchors/.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

  • 2010-01-27: L starts to serve DURZ
  • 2010-02-10: A starts to serve DURZ
  • 2010-03-03: M, I start to serve DURZ
  • 2010-03-24: D, K, E start to serve DURZ
  • 2010-04-14: B, H, C, G, F start to serve DURZ
  • 2010-05-05: J starts to serve DURZ
  • 2010-06-16: First Key Signing Key (KSK) Ceremony
  • 2010-07-12: Second Key Signing Key (KSK) Ceremony
  • 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
Status Update, 2010-07-14
https://www.co.tt/files/dnssecroot/2010/07/14/status-update-2010-07-14/
Wed, 14 Jul 2010 23:10:33 +0000

This is the eleventh of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

KSK CEREMONY 2 COMPLETE

The second KSK ceremony for the root zone was completed this week in El Segundo, CA, USA. The Ceremony Administrator was Mehmet Akcin.

The second production Key Signing Request (KSR) generated by VeriSign has now been processed by ICANN using the root zone KSK generated in KSK Ceremony 1, and the resulting Signed Key Response (SKR) has been accepted by VeriSign. This SKR contains signatures for Q4 2010, for use between 2010-10-01 and 2010-12-31.

Audit materials relating to both the first and second ceremonies will be published today at .

FULL PRODUCTION SIGNED ROOT ZONE

The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone is scheduled to take place on 2010-07-15 within a maintenance window which begins at 1930 UTC and ends at 2330 UTC. This is the usual window for the generation and distribution of root zones with SOA serials ending in 01.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

  • 2010-01-27: L starts to serve DURZ
  • 2010-02-10: A starts to serve DURZ
  • 2010-03-03: M, I start to serve DURZ
  • 2010-03-24: D, K, E start to serve DURZ
  • 2010-04-14: B, H, C, G, F start to serve DURZ
  • 2010-05-05: J starts to serve DURZ
  • 2010-06-16: First Key Signing Key (KSK) Ceremony
  • 2010-07-12: Second Key Signing Key (KSK) Ceremony

To come:

  • 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

Status Update, 2010-07-10
https://www.co.tt/files/dnssecroot/2010/07/10/status-update-2010-07-10/
Sat, 10 Jul 2010 17:10:21 +0000

This is the tenth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

KSK CEREMONY 2

The second KSK ceremony for the root zone will take place in El Segundo, CA, USA on Monday 2010-07-12. The ceremony is scheduled to begin at 1300 local time (2000 UTC) and is expected to end by 1900 local time (0200 UTC).

Video from Ceremony 2 will be recorded for audit purposes, as with Ceremony 1. Video and associated audit materials will be published before the signed root enters full production on 2010-07-15. Details will be circulated before that date.

ICANN will operate a separate camera whose video will not be retained for audit purposes, but which will instead be streamed live in order to provide remote observers an opportunity to watch the ceremony. The live stream will be provided on a best-effort basis.

The live video stream will be available at http://dns.icann.org/ksk/stream/.

FULL PRODUCTION SIGNED ROOT ZONE

The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone will take place on 2010-07-15.

Trust anchor publication, according to draft-icann-dnssec-trust-anchor-00, will take place after the maintenance window closes, once a final set of tests has been completed by ICANN and the results have been found to be positive.

FTP ACCESS TO SIGNED ZONE FILES

Following the transition on 2010-07-15 the unsigned root and ARPA zone files published at

ftp://rs.internic.net/domain/
ftp://ftp.internic.net/domain/

will be replaced by signed zone files. That is, the zone files retrieved from both FTP servers will contain DNSSEC data, and will hence faithfully represent the zones being served by root servers.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

  • 2010-01-27: L starts to serve DURZ
  • 2010-02-10: A starts to serve DURZ
  • 2010-03-03: M, I start to serve DURZ
  • 2010-03-24: D, K, E start to serve DURZ
  • 2010-04-14: B, H, C, G, F start to serve DURZ
  • 2010-05-05: J starts to serve DURZ
  • 2010-06-16: First Key Signing Key (KSK) Ceremony

To come:

  • 2010-07-12: Second Key Signing Key (KSK) Ceremony
  • 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

Status Update, 2010-06-18
https://www.co.tt/files/dnssecroot/2010/06/18/status-update-2010-06-18/
Fri, 18 Jun 2010 20:13:00 +0000

This is the ninth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.

RESOURCES

Details of the project, including documentation published to date,
can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please
send it to rootsign@icann.org.

KSK CEREMONY 1 COMPLETE

The first KSK ceremony for the root zone was completed this week
in Culpeper, VA, USA. The Ceremony Administrator was Mehmet Akcin.

The first production KSK has now been generated. This is the key
that is scheduled to be put into service on 2010-07-15.

The first production Key Signing Request (KSR) generated by VeriSign
has now been processed by ICANN using the root zone KSK, and the
resulting Signed Key Response (SKR) has been accepted by VeriSign.
This SKR contains signatures for Q3 2010, for use between 2010-07-01
and 2010-09-30.

Audit materials relating to the first ceremony will be published
as soon as is practical, and in particular before 2010-07-15.

The KSK and SKR generated during this ceremony will not be approved
for production until the KSK key pair has been successfully transported
to ICANN’s west-coast ceremony facility in El Segundo, CA, USA, and
placed in secure storage.

KSK CEREMONY 2 SCHEDULED

The second KSK ceremony for the root zone is scheduled to take place
in El Segundo, CA, USA on 2010-07-12. Replication of key materials
onto west-coast HSMs, enrolment of west-coast crypto officers and
processing of the Q4 2010 KSR (for production use between 2010-10-01
and 2010-12-31) will take place during this ceremony.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

  • 2010-01-27: L starts to serve DURZ
  • 2010-02-10: A starts to serve DURZ
  • 2010-03-03: M, I start to serve DURZ
  • 2010-03-24: D, K, E start to serve DURZ
  • 2010-04-14: B, H, C, G, F start to serve DURZ
  • 2010-05-05: J starts to serve DURZ
  • 2010-06-16: First Key Signing Key (KSK) Ceremony

To come:

  • 2010-07-12: Second Key Signing Key (KSK) Ceremony
  • 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

Status Update, 2010-06-09
https://www.co.tt/files/dnssecroot/2010/06/09/status-update-2010-06-09/
Wed, 09 Jun 2010 23:07:12 +0000

This is the eighth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

PUBLIC NOTICE

The US Department of Commerce National Telecommunications and Information Administration (NTIA) has issued a Public Notice regarding the deployment of DNSSEC in the root zone.

http://www.ntia.doc.gov/frnotices/2010/FR_DNSSEC_Notice_06092010.pdf

The Public Notice makes reference to the final report submitted to NTIA by ICANN and VeriSign which contains a summary of the project work to date together with a recommendation that full deployment should proceed.

http://www.ntia.doc.gov/reports/2010/DNSSEC_05282010.pdf

The Public Notice includes a public review period. Comments may be submitted by postal mail, fax or e-mail before 2010-06-21. Instructions for the submission of comments are included in the Public Notice.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

  • 2010-01-27: L starts to serve DURZ
  • 2010-02-10: A starts to serve DURZ
  • 2010-03-03: M, I start to serve DURZ
  • 2010-03-24: D, K, E start to serve DURZ
  • 2010-04-14: B, H, C, G, F start to serve DURZ
  • 2010-05-05: J starts to serve DURZ

To come:

  • 2010-06-16: First Key Signing Key (KSK) Ceremony
  • 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

Status Update, 2010-05-18
https://www.co.tt/files/dnssecroot/2010/05/18/status-update-2010-05-18/
Tue, 18 May 2010 17:05:22 +0000

This is the seventh of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

CHANGE IN DEPLOYMENT SCHEDULE

The date for the publication of the root zone trust anchor and the distribution of a validatable, signed root zone originally planned for 2010-07-01 has been changed.

This final stage of root DNSSEC deployment is now scheduled to take place on 2010-07-15.

The schedule change is intended to allow ICANN and VeriSign an additional two weeks for further analysis of the DURZ rollout, to finalise testing and best ensure the secure, stable and resilient implementation of the root DNSSEC production processes and systems.

Prior to 2010-07-15 the U.S. Department of Commerce (DoC) will issue a public notice announcing the publication of the joint ICANN-VeriSign testing and evaluation report as well as the intent to proceed with the final stage of DNSSEC deployment. As part of this notice the DoC will include a public review and comment period prior to taking any action.

This change has been reflected in the deployment plan and other documentation, and updated documents will be published at <https://www.co.tt/files/dnssecroot/>.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

  • 2010-01-27: L starts to serve DURZ
  • 2010-02-10: A starts to serve DURZ
  • 2010-03-03: M, I start to serve DURZ
  • 2010-03-24: D, K, E start to serve DURZ
  • 2010-04-14: B, H, C, G, F start to serve DURZ
  • 2010-05-05: J starts to serve DURZ

To come:

  • 2010-06-16: First Key Signing Key (KSK) Ceremony
  • 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

Status Update, 2010-05-05
https://www.co.tt/files/dnssecroot/2010/05/05/status-update/
Wed, 05 May 2010 21:00:48 +0000

This is the sixth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

The final transition to a signed root zone took place today on J-Root, between 1700–1900 UTC.

All root servers are now serving a signed root zone.

All root servers will now generate larger responses to DNS queries that request DNSSEC information.

If you experience technical problems or need to contact technical project staff, please send e-mail to rootsign@icann.org or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred if possible.

See below for more details.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

DEPLOYMENT STATUS

The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.

All of the thirteen root servers have now made the transition to the DURZ. No harmful effects have been identified.

The final root server to make the transition, J-Root, started serving the DURZ in a maintenance window between 1700–1900 UTC on 2010-05-05.

Initial observations relating to this transition will be presented and discussed at the DNS Working Group meeting at the RIPE meeting in Prague on 2010-05-06.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

  • 2010-01-27: L starts to serve DURZ
  • 2010-02-10: A starts to serve DURZ
  • 2010-03-03: M, I start to serve DURZ
  • 2010-03-24: D, K, E start to serve DURZ
  • 2010-04-14: B, H, C, G, F start to serve DURZ
  • 2010-05-05: J starts to serve DURZ

To come:

  • 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

Status Update, 2010-05-03
https://www.co.tt/files/dnssecroot/2010/05/03/status-update-2/
Mon, 03 May 2010 08:00:47 +0000

This is the fifth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

The final transition to the DURZ will take place on J-Root, on 2010-05-05 between 1700–1900 UTC.

After that maintenance all root servers will be serving the DURZ, and will generate larger responses to DNS queries that request DNSSEC information.

If you experience technical problems or need to contact technical project staff, please send e-mail to rootsign@icann.org or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred if possible.

See below for more details.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

DEPLOYMENT STATUS

The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.

Twelve of the thirteen root servers have already made the transition to the DURZ. No harmful effects have been identified.

The final root server to make the transition, J-Root, will start serving the DURZ in a maintenance window scheduled for 1700–1900 UTC on 2010-05-05.

Initial observations relating to this transition will be presented and discussed at the DNS Working Group meeting at the RIPE meeting in Prague on 2010-05-06.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

  • 2010-01-27: L starts to serve DURZ
  • 2010-02-10: A starts to serve DURZ
  • 2010-03-03: M, I start to serve DURZ
  • 2010-03-24: D, K, E start to serve DURZ
  • 2010-04-14: B, H, C, G, F start to serve DURZ

To come:

  • 2010-05-05: J starts to serve DURZ
  • 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

A more detailed DURZ transition timetable with maintenance windows can be found in the document “DNSSEC Deployment for the Root Zone”, the most recent draft of which can be found on the project web page at https://www.co.tt/files/dnssecroot/.

Status Update, April 2010
https://www.co.tt/files/dnssecroot/2010/04/14/status-update-april-2010/
Thu, 15 Apr 2010 00:22:57 +0000

This is the fourth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

RESOURCES

Details of the project, including documentation published to date, can be found at https://www.co.tt/files/dnssecroot/.

We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

DOCUMENTATION

The following draft documents were recently published:

  • Resolver Testing with a DURZ
  • TCR – Proposed Approach to Root Key Management

DEPLOYMENT STATUS

KSR exchanges continue between production platforms at VeriSign and ICANN.

Build-out of KSK Key Ceremony facilities at ICANN continues, and both facilities (east- and west-coast USA) are expected to be ready on schedule.

The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.

Twelve of the thirteen root servers have made the transition to the DURZ. No harmful effects have been identified. Some early analysis of packet captures from many root servers surrounding each event was recently presented at the IETF meeting in Anaheim, CA, USA and can be found with other presentation materials at https://www.co.tt/files/dnssecroot/documentation/.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

  • 2010-01-27: L starts to serve DURZ
  • 2010-02-10: A starts to serve DURZ
  • 2010-03-03: M, I start to serve DURZ
  • 2010-03-24: D, K, E start to serve DURZ
  • 2010-04-14: B, H, C, G, F start to serve DURZ

To come:

  • 2010-05-05: J starts to serve DURZ
  • 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

A more detailed DURZ transition timetable with maintenance windows can be found in the document “DNSSEC Deployment for the Root Zone”, the most recent draft of which can be found on the project web page at https://www.co.tt/files/dnssecroot/.
