[dns-operations] Root Zone DNSSEC Deployment Technical Status Update

Joe Abley jabley at hopcount.ca
Fri Feb 26 17:02:34 UTC 2010


This is the third of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS. Apologies if you receive multiple copies of this message.


RESOURCES

Details of the project, including documentation published to date,
can be found at http://www.root-dnssec.org/.

We'd like to hear from you. If you have feedback for us, please
send it to rootsign at icann.org.


DOCUMENTATION

The following draft document was recently published:

- Root Zone DNSSEC KSK Ceremonies Guide


DEPLOYMENT STATUS

KSR exchanges continue between development platforms at VeriSign
and ICANN. Test exchanges between production servers, exercising
regular operational staff and subject to production monitoring and
availability measurements, are scheduled to begin on 2010-03-01.

Build-out of KSK Key Ceremony facilities at ICANN continues, and
both facilities (east- and west-coast USA) are expected to be ready
on schedule.

The incremental deployment of DNSSEC in the Root Zone is being
carried out first by serving a Deliberately-Unvalidatable Root Zone
(DURZ), and subsequently by a conventionally-signed root zone.
Discussion of the approach can be found in the document "DNSSEC
Deployment for the Root Zone", as well as in the technical presentations
delivered at RIPE, NANOG, IETF and ICANN meetings.

L-Root made the transition to the DURZ on 2010-01-27, and A-Root
did the same on 2010-02-10. No harmful effects of either transition
have been identified. Some early analysis of packet captures from
many root servers surrounding each event was recently presented at
NANOG 48 in Austin, Texas, USA and can be found with other presentation
materials at <http://www.root-dnssec.org/presentations/>.

Those who are tracking the impact of the DURZ transition on root
servers should note that the maintenance window for the M-Root DURZ
transition has changed to 2010-03-03 0600--0800 UTC, two hours later
than was originally advised. This change has been reflected in the
deployment plan, which can be found with other project documentation
at <http://www.root-dnssec.org/documentation/>.


PLANNED DEPLOYMENT SCHEDULE

Already completed:

  2010-01-27: L starts to serve DURZ

  2010-02-10: A starts to serve DURZ

To come:

  2010-03-03: M, I start to serve DURZ

  2010-03-24: D, K, E start to serve DURZ

  2010-04-14: B, H, C, G, F start to serve DURZ

  2010-05-05: J starts to serve DURZ

  2010-07-01: Distribution of validatable, production, signed root
    zone; publication of root zone trust anchor

  (Please note that this schedule is tentative and subject to change
  based on testing results or other unforeseen factors.)

A more detailed DURZ transition timetable with maintenance windows
can be found in the document "DNSSEC Deployment for the Root Zone",
the most recent draft of which can be found on the project web page
at <http://www.root-dnssec.org/>.


