[dns-operations] .com/.net DNSSEC operational message

Matt Larson mlarson at verisign.com
Wed Dec 8 21:00:48 UTC 2010


VeriSign is in the process of deploying DNSSEC in the .net and .com
zones.  This message contains operational information related to the
.net DNSSEC deployment that might be of interest to the Internet
operational community.

The .net DNSSEC deployment is underway.

On September 25, 2010, the .net registry system was upgraded to allow
ICANN-accredited registrars to submit DS records for domains under
.net.

On October 29, 2010, a deliberately unvalidatable .net zone began to
be published.  (This zone was a signed version of the .net zone with
the key material deliberately obscured so that it could not be used
for validation.)

VeriSign recently began incrementally "unblinding" the .net zone: one
at a time, each authoritative server for .net was changed from serving
the unvalidatable .net zone to the signed .net zone with the official
keys unobscured.

As of approximately 2100 UTC on December 7, all authoritative servers
for .net were serving the signed .net zone with the actual, unobscured
production keys.

The final step in DNSSEC deployment in .net will be publishing its DS
record in the root zone, which is currently scheduled for December 9,
2010.


If you have any questions or comments, please send email to
info at verisign-grs.com or reply to this message.



More information about the dns-operations mailing list