Root Zone DNSSEC Deployment Technical Status Update

Joe Abley joe.abley at icann.org
Wed May 5 21:23:03 UTC 2010


Root Zone DNSSEC Deployment
Technical Status Update 2010-05-05

This is the sixth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.


**  The final transition to a signed root zone took place today
**  on J-Root, between 1700--1900 UTC.
**
**  All root servers are now serving a signed root zone.
**
**  All root servers will now generate larger responses to DNS
**  queries that request DNSSEC information.
**
**  If you experience technical problems or need to contact
**  technical project staff, please send e-mail to rootsign at icann.org
**  or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred
**  if possible.
**
**  See below for more details.


RESOURCES

Details of the project, including documentation published to date,
can be found at <http://www.root-dnssec.org/>.

We'd like to hear from you. If you have feedback for us, please
send it to rootsign at icann.org.


DEPLOYMENT STATUS

The incremental deployment of DNSSEC in the Root Zone is being
carried out first by serving a Deliberately Unvalidatable Root Zone
(DURZ), and subsequently by a conventionally signed root zone.
Discussion of the approach can be found in the document "DNSSEC
Deployment for the Root Zone", as well as in the technical presentations
delivered at RIPE, NANOG, IETF and ICANN meetings.

All of the thirteen root servers have now made the transition to
the to the DURZ.  No harmful effects have been identified.

The final root server to make the transition, J-Root, started serving
the DURZ in a maintenance window between 1700--1900 UTC on 2010-05-05.

Initial observations relating to this transition will be presented
and discussed at the DNS Working Group meeting at RIPE 60 in Prague
on 2010-05-06.


PLANNED DEPLOYMENT SCHEDULE

Already completed:

  2010-01-27: L starts to serve DURZ

  2010-02-10: A starts to serve DURZ

  2010-03-03: M, I start to serve DURZ

  2010-03-24: D, K, E start to serve DURZ

  2010-04-14: B, H, C, G, F start to serve DURZ

  2010-05-05: J starts to serve DURZ

To come:

  2010-07-01: Distribution of validatable, production, signed root
    zone; publication of root zone trust anchor

  (Please note that this schedule is tentative and subject to change
  based on testing results or other unforeseen factors.)





More information about the NANOG mailing list