[dns-operations] Root Zone DNSSEC Deployment Technical Status Update

Joe Abley joe.abley at icann.org
Fri Jun 18 19:00:49 UTC 2010

Root Zone DNSSEC Deployment
Technical Status Update 2010-06-18

This is the ninth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.


Details of the project, including documentation published to date,
can be found at <http://www.root-dnssec.org/>.

We'd like to hear from you. If you have feedback for us, please
send it to rootsign at icann.org.


The first KSK ceremony for the root zone was completed this week
in Culpeper, VA, USA. The Ceremony Administrator was Mehmet Akcin.

The first production KSK has now been generated. This is the key
that is scheduled to be put into service on 2010-07-15.

The first production Key Signing Request (KSR) generated by VeriSign
has now been processed by ICANN using the root zone KSK, and the
resulting Signed Key Response (KSR) has been accepted by VeriSign.
This SKR contains signatures for Q3 2010, for use between 2010-07-01
and 2010-09-30.

Audit materials relating to the first ceremony will be published
as soon as is practical, and in particular before 2010-07-15.

The KSK and SKR generated during this ceremony will not be approved
for production until the KSK key pair has been successfully transported
to ICANN's west-coast ceremony facility in El Segundo, CA, USA, and
placed in secure storage.


The second KSK ceremony for the root zone is scheduled to take place
in El Segundo, CA, USA on 2010-07-12. Replication of key materials
onto west-coast HSMs, enrolment of west-coast crypto officers and
processing of the Q4 2010 KSR (for production use between 2010-10-01
and 2010-12-31) will take place during this ceremony.


Already completed:

 2010-01-27: L starts to serve DURZ

 2010-02-10: A starts to serve DURZ

 2010-03-03: M, I start to serve DURZ

 2010-03-24: D, K, E start to serve DURZ

 2010-04-14: B, H, C, G, F start to serve DURZ

 2010-05-05: J starts to serve DURZ

 2010-06-16: First Key Signing Key (KSK) Ceremony

To come:

 2010-07-12: Second Key Signing Key (KSK) Ceremony

 2010-07-15: Distribution of validatable, production, signed root
   zone; publication of root zone trust anchor

 (Please note that this schedule is tentative and subject to change
 based on testing results or other unforeseen factors.)

More information about the dns-operations mailing list