[dns-operations] .com/.net DNSSEC operational message

Matt Larson mlarson at verisign.com
Fri Oct 29 14:46:29 UTC 2010


Over the next several months, VeriSign will deploy DNSSEC in the .net
and .com zones.  This message contains operational information related
to the deployment that might be of interest to the Internet
operational community.

The .net DNSSEC deployment consists of the following major milestones:

September 25, 2010: The .net registry system was upgraded to allow
ICANN-accredited registrars to submit DS records for domains under
.net.  These DS records will not be published in the .net zone until
the .net zone is actually signed.  Each registrar will implement
support for DNSSEC on its own schedule, and some registrars might be
accepting DS records for .net domains now.

October 29, 2010: A deliberately unvalidatable .net zone will be
published.  Following the successful use of this technique with the
root DNSSEC deployment, VeriSign will publish a signed .net zone with
the key material deliberately obscured so that it cannot be used for
validation.  Any DS records for .net domains that have been submitted
by registrars will be published in the deliberately unvalidatable
zone.

December 9, 2010: The .net key material will be unobscured and the
.net zone will be usable for DNSSEC validation.  DS records for .net
will appear in the root zone shortly thereafter.


The .com DNSSEC deployment will occur in the first quarter of 2011 and
will consist of the following major milestones:

February, 2011: The .com registry system will be upgraded to allow
ICANN-accredited registrars to submit DS records for domains under
.com.  These DS records will not be published in the .com zone until
the .com zone is actually signed.

March, 2011: A deliberately unvalidatable .com zone will be published.
Any DS records for .com that have been submitted by registrars will be
published in the deliberately unvalidatable zone.

March, 2011: The .com key material will be unobscured and the .com
zone will be usable for DNSSEC validation.  DS records for .com will
appear in the root zone shortly thereafter.


If you have any questions or comments, please send email to
info at verisign-grs.com or reply to this message.



More information about the dns-operations mailing list