Root zone DNSSEC deployment web site and technical status update

Matt Larson mlarson at
Tue Dec 15 16:49:49 CST 2009

The root zone DNSSEC deployment team is pleased to announce a new web
site with information about the project,
The site serves as a repository for documentation and information
about deploying DNSSEC in the root zone, including technical status
updates.  The first status update is available on the site and is
included below, as well.  Additional documentation will be posted as
it becomes available.  Important announcements and future status
updates will appear in the site's RSS feed,

The design team welcomes your feedback: you can reach the entire team
at rootsign at

On behalf of the root zone DNSSEC deployment team,

Matt Larson


Status Update, December, 2009

This is the first of a series of technical status updates intended to
inform a technical audience on the progress of deploying DNSSEC in the
root zone of the DNS.


Details of the project, including documentation published to date, can
be found at

We'd like to hear from you. If you have feedback for us, please send
it to rootsign at


This project involves the creation of a large volume of documentation,
individual components of which will be released as they have completed
internal review. The following documents are expected to be released
as drafts before the end of December 2009:

* Root Zone DNSSEC Deployment Plan
* Root Zone Trust Anchor Publication


Several root server operators have started testing a lightweight
packet capture tool designed to provide a full record of priming
queries received over the period covering DNSSEC deployment in the
root zone. We hope this data collection will be in full production on
all root servers before the end of December, providing baseline data
which will allow the reaction of the system as a whole to deployment
events to be observed.

On 2009-12-01, the first pre-production KSR exchange between ICANN and
VeriSign and the signing of the root zone within VeriSign's production
infrastructure commenced. The signing, validation, measurement and
monitoring infrastructure will now be subject to full internal


2009-12-01: KSR exchange, root zone signing begins, internal to
VeriSign and ICANN; generation of DURZ

Week of 2010-01-11: L starts to serve DURZ

Week of 2010-02-08: A starts to serve DURZ

Week of 2010-03-01: M, I start to serve DURZ

Week of 2010-03-22: D, K, E start to serve DURZ

Week of 2010-04-12: B, H, C, G, F start to serve DURZ

Week of 2010-05-03: J starts to serve DURZ

2010-07-01: Distribution of validatable, production, signed root zone;
publication of root zone trust anchor.

(Please note that this schedule is tentative and subject to change
based on testing results or other unforeseen factors.)

More information about the NANOG mailing list