[dns-operations] Root Zone DNSSEC Deployment Technical Status Update
jabley at hopcount.ca
Thu Jan 14 16:46:20 UTC 2010
This is the second of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS. Apologies if you receive multiple copies of this message.
Details of the project, including documentation published to date,
can be found at http://www.root-dnssec.org/.
We'd like to hear from you. If you have feedback for us, please
send it to rootsign at icann.org.
The following draft documents were recently published:
- DNSSEC Deployment for the Root Zone
- DNSSEC Trust Anchor Publication for the Root Zone
The following documents are expected to be released as drafts within
the next few weeks:
- DNSSEC Test Plan for the Root Zone
- KSK Holder DNSSEC Facility Requirements
A second KSR exchange between ICANN and VeriSign took place on
2009-12-28. Signing, validation, measurement and monitoring
infrastructure continues to be tested.
The incremental deployment of DNSSEC in the Root Zone is being
carried out first by serving a Deliberately-Unvalidatable Root Zone
(DURZ), and subsequently by a conventionally-signed root zone.
Discussion of the approach can be found in the document "DNSSEC
Deployment for the Root Zone", as well as in the technical presentations
delivered at RIPE, NANOG, IETF and ICANN meetings.
Internal publication of the DURZ to root server operators began on
7 January 2010, to allow root server operators to do internal testing
and to refine internal monitoring or other operational systems.
Note that all root servers will continue to serve the unsigned root
zone during this internal testing of the DURZ.
Full packet capture exercises are planned by root server operators
on 2010-01-13 and 2010-01-19, with data being uploaded to OARC's
Day in the Life (DITL) infrastructure, in preparation for the full
packet captures that will take place during L's DURZ transition.
PLANNED DEPLOYMENT SCHEDULE
The recently-published deployment plan contains target maintenance
windows for each root server's transition to serve the DURZ. The
date for the first such transition, on the L root server, has been
deferred slightly to accommodate more extensive data capture and
measurement testing by all root servers, and also to allow an NSD
upgrade to be tested and deployed on L.
ICANN plans to serve the DURZ on L-Root using NSD 3.2.4, which is
better able to serve large DNS responses. See
<http://www.nlnetlabs.nl/projects/nsd/> for more details.
Week of 2010-01-25: L starts to serve DURZ
Week of 2010-02-08: A starts to serve DURZ
Week of 2010-03-01: M, I start to serve DURZ
Week of 2010-03-22: D, K, E start to serve DURZ
Week of 2010-04-12: B, H, C, G, F start to serve DURZ
Week of 2010-05-03: J starts to serve DURZ
2010-07-01: Distribution of validatable, production, signed root
zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change
based on testing results or other unforseen factors.)
More information about the dns-operations