[dns-operations] Signed root zone published, now what?

Joe Abley jabley at hopcount.ca
Sat Jul 17 22:40:55 UTC 2010


On 2010-07-16, at 13:00, Chris Adams wrote:

> I read that there will be quarterly key-signing ceremonies; the results
> of those key-signings are what are released through RFC5011 updates,
> right?

Most key ceremonies will not include the generation of a new KSK. The principal work to do is to process the Key Signing Request (KSR) from VeriSign, and produce DNSKEY RRSets for the root zone that are signed with the KSK (together, these form the Signed Key Response, or SKR).

There is no maintenance required relating to KSR processing by the operators of validators.

If your validator supports RFC5011 automated trust anchor maintenance then there should also be no maintenance required relating to scheduled KSK rollover.

Unscheduled/emergency KSK rollover will require operator intervention. We hope this will never happen, but if it is ever called for it will be Big News and Guidance Will Be Given.

> Is there a good "best practices" for implementing and managing DNSSEC
> for resolvers?  It seems much of what I found is targeted at
> authoritative servers (which I'll look at once .com is signed I guess).

I agree it would be great if such a document was to be written. Thanks also to the people who have already stepped in with tools, blog posts, etc.


Joe
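The distinction Joe draws above (scheduled KSK rollover needs nothing from a validator that implements RFC 5011; an emergency rollover does) follows from the RFC 5011 trust-anchor state machine. The following is an added example, not code from the post or from any resolver; it models that state machine in Python with constructed key labels ("KSK-A", "KSK-B", "KSK-C") and a simulated clock, and treats RRSIG verification as already done (the `signers` set names the keys whose signatures over the DNSKEY RRset verified). Real key tags are computed per RFC 4034 and change when the REVOKE bit is set; the labels here are fixed for readability.

```python
"""Toy model of the RFC 5011 trust-anchor state machine (added example, not
from the dns-operations post).  Key labels, timings and RRsets are constructed."""
from dataclasses import dataclass

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 section 2.4.1: add hold-down time, 30 days
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 section 2.4.2: remove hold-down time, 30 days
FLAG_REVOKE = 0x0080         # DNSKEY flags bit 8, defined by RFC 5011 section 2.1
FLAG_KSK = 0x0101            # ZONE (bit 7) + SEP (bit 15), the usual KSK flag value


@dataclass(frozen=True)
class DNSKEY:
    tag: str                 # constructed label standing in for a computed key tag
    flags: int = FLAG_KSK


@dataclass(frozen=True)
class SignedKeyset:
    keys: tuple              # DNSKEY records published at the zone apex
    signers: frozenset       # tags of keys whose RRSIG over this RRset verified


class Rfc5011Anchors:
    """Per-key states: Start -> AddPend -> Valid -> Revoked -> Removed."""

    def __init__(self, initial_anchor: str):
        # (state, timer_started_at); the statically configured anchor starts Valid
        self.state = {initial_anchor: ("Valid", None)}

    def trusted(self) -> set:
        return {t for t, (s, _) in self.state.items() if s == "Valid"}

    def configure(self, tag: str) -> None:
        """Operator intervention: install a trust anchor out of band."""
        self.state[tag] = ("Valid", None)

    def observe(self, rrset: SignedKeyset, now: int) -> None:
        # Section 2.2: only an RRset validly signed by a currently Valid anchor
        # may drive state changes; anything else is ignored.
        if not (self.trusted() & rrset.signers):
            return
        present = {k.tag: k for k in rrset.keys}
        for tag, key in present.items():
            state, since = self.state.get(tag, ("Start", None))
            if key.flags & FLAG_REVOKE:
                # A revocation counts only if the revoked key itself signed the RRset.
                if tag in rrset.signers and state in ("AddPend", "Valid"):
                    self.state[tag] = ("Revoked", now)
            elif state == "Start":
                self.state[tag] = ("AddPend", now)    # start the add hold-down timer
            elif state == "AddPend" and now - since >= ADD_HOLD_DOWN:
                self.state[tag] = ("Valid", None)     # hold-down served: now trusted
        for tag, (state, since) in list(self.state.items()):
            if state == "AddPend" and tag not in present:
                self.state[tag] = ("Start", None)     # vanished while pending: timer resets
            elif state == "Revoked" and now - since >= REMOVE_HOLD_DOWN:
                self.state[tag] = ("Removed", None)   # forgotten and never re-added


def scheduled_rollover() -> dict:
    """Pre-publish KSK-B beside KSK-A for the hold-down, then revoke A: no operator action."""
    v = Rfc5011Anchors("KSK-A")
    a, b = DNSKEY("KSK-A"), DNSKEY("KSK-B")
    for day in range(0, 31):                          # daily DNSKEY fetch, B published beside A
        v.observe(SignedKeyset((a, b), frozenset({"KSK-A"})), day * DAY)
    after_add = set(v.trusted())                       # B trusted once 30 days have passed
    a_revoked = DNSKEY("KSK-A", FLAG_KSK | FLAG_REVOKE)
    v.observe(SignedKeyset((a_revoked, b), frozenset({"KSK-A", "KSK-B"})), 40 * DAY)
    after_revoke = set(v.trusted())                    # only B remains trusted
    v.observe(SignedKeyset((b,), frozenset({"KSK-B"})), 80 * DAY)
    return {"after_add": after_add, "after_revoke": after_revoke, "final": dict(v.state)}


def emergency_rollover() -> dict:
    """KSK-A is revoked and KSK-C appears in the same RRset: no hold-down was served for C."""
    v = Rfc5011Anchors("KSK-A")
    a_revoked = DNSKEY("KSK-A", FLAG_KSK | FLAG_REVOKE)
    c = DNSKEY("KSK-C")
    v.observe(SignedKeyset((a_revoked, c), frozenset({"KSK-A", "KSK-C"})), 0)
    for day in range(1, 61):                          # C keeps signing, but no Valid anchor does
        v.observe(SignedKeyset((c,), frozenset({"KSK-C"})), day * DAY)
    before = set(v.trusted())                          # empty: the validator is stuck
    c_state = v.state["KSK-C"][0]
    v.configure("KSK-C")                               # the out-of-band step Joe refers to
    return {"before_operator": before, "c_state": c_state, "after_operator": set(v.trusted())}


if __name__ == "__main__":
    print(scheduled_rollover())
    print(emergency_rollover())
```

In the scheduled case the new KSK is trusted after the 30-day add hold-down and the old one is revoked and later forgotten without anyone touching the resolver. In the emergency case the only Valid anchor is revoked in the same RRset that introduces the replacement, so no subsequently observed RRset is signed by a trusted key and the replacement never leaves AddPend; the `configure` call stands for the manual trust-anchor update an operator would have to perform.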
