[dns-operations] Operational Note -- DNSSEC for DE

Peter Koch pk at DENIC.DE
Tue May 24 07:55:01 UTC 2011

Dear list,

this is to inform the wider operator community that DENIC has started the
deployment of a deliberately unvalidatable DE zone (DUdeZ) at the end of last
week. Following the example of the root zone DNSSEC deployment team and
other precedents, we have signed the DE zone with operational KSK and ZSK
but have replaced those in the zone apex with ones that bear the correct
key ID but otherwise will not validate.

The rollout is going to continue throughout this week until all DE servers
serve the signed but still unvalidatable zone. The scheduled date for
disclosing the DNSKEY RRSet is Tuesday, 31 May.

We would, however, recommend against using the then visible KSK as a trust
anchor. The DE DS RR will be submitted to IANA for publication in the DNS
root zone in early June and should be available after the usual processing
time. DENIC does not plan to publish KSK or TA information over a second
channel and any manual configuration might lead to validation failures
should we have to change the KSK in the future.

Status updates can be found at <http://www.denic.de/en/domains/dnssec.html>.

Best regards,
   Peter Koch, DENIC eG
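
The difference the announcement draws between a DNSKEY that bears the correct key ID and one that validates, shown as an added example that is not part of the original message and is not DENIC's tooling. The key bytes, algorithm 8, the word-reordering placeholder and the helper names are all constructed for illustration; the message does not describe how the published keys were obscured.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the "key ID"); not valid for algorithm 1."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS fields for a DNSKEY: key tag, algorithm, digest type 2 (SHA-256), digest."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], 2, digest

def check_against_ds(owner: str, rdata: bytes, ds: tuple) -> str:
    """Classify a DNSKEY against a DS the way a validator has to."""
    tag, algorithm, digest_type, digest = ds
    if digest_type != 2:
        raise ValueError("example handles SHA-256 DS records only")
    if key_tag(rdata) != tag or rdata[3] != algorithm:
        return "no-candidate"      # key ID does not even match
    if hashlib.sha256(name_to_wire(owner) + rdata).digest() != digest:
        return "key-id-only"       # right key ID, wrong key: cannot validate
    return "match"

def reorder_words(rdata: bytes) -> bytes:
    """Constructed placeholder: reverse the 16-bit words of the key material.
    The key tag is a sum of those words, so it stays the same."""
    key = rdata[4:]
    words = [key[i:i + 2] for i in range(0, len(key), 2)]
    return rdata[:4] + b"".join(reversed(words))

# Constructed sample data: flags 257 (KSK), protocol 3, algorithm 8, and
# 260 octets standing in for key material. This is not a real RSA key.
FAKE_KEY = b"\x03\x01\x00\x01" + bytes((i * 37 + 11) % 256 for i in range(256))
OPERATIONAL = struct.pack("!HBB", 257, 3, 8) + FAKE_KEY
PLACEHOLDER = reorder_words(OPERATIONAL)
DS_IN_PARENT = make_ds("de.", OPERATIONAL)

if __name__ == "__main__":
    for label, rdata in (("operational", OPERATIONAL), ("placeholder", PLACEHOLDER)):
        print(label, key_tag(rdata), check_against_ds("de.", rdata, DS_IN_PARENT))
```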
