Launch Status Updates
High Level Timeline
- December 1, 2009: Root zone signed for internal use by VeriSign and ICANN. ICANN and VeriSign exercise interaction protocols for signing the ZSK with the KSK.
- January, 2010: The first root server begins serving the signed root in the form of the DURZ (deliberately unvalidatable root zone). The DURZ contains unusable keys in place of the root KSK and ZSK to prevent these keys being used for validation.
- Early May, 2010: All root servers are now serving the DURZ. The effects of the larger responses from the signed root, if any, would now be encountered.
- May and June, 2010: The deployment results are studied and a final decision to deploy DNSSEC in the root zone is made.
- June 16, 2010: ICANN holds first KSK ceremony event in Culpeper, VA, USA
- July 12, 2010: ICANN holds second KSK ceremony event in El Segundo, CA, USA
- July 15, 2010: ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys – The signed root zone is available.
December 2009
This is the first of a series of technical status updates intended to inform a technical audience on the progress of deploying DNSSEC in the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
DOCUMENTATION
This project involves the creation of a large volume of documentation, individual components of which will be released as they have completed internal review. The following documents are expected to be released as drafts in early 2010:
- Root Zone DNSSEC Deployment Plan
- Root Zone Trust Anchor Publication
DEPLOYMENT STATUS
Several root server operators have started testing a lightweight packet capture tool designed to provide a full record of priming queries received over the period covering DNSSEC deployment in the root zone. We hope this data collection will be in full production on all root servers before the end of December, providing baseline data which will allow the reaction of the system as a whole to deployment events to be observed.
On 2009-12-01 the first pre-production KSR exchange between ICANN and VeriSign and the signing of the root zone within VeriSign’s production infrastructure commenced. The signing, validation, measurement and monitoring infrastructure will now be subject to full internal testing.
PLANNED DEPLOYMENT SCHEDULE
2009-12-01: KSR exchange, root zone signing begins, internal to VeriSign and ICANN; generation of DURZ
Week of 2010-01-11: L starts to serve DURZ
Week of 2010-02-08: A starts to serve DURZ
Week of 2010-03-01: M, I start to serve DURZ
Week of 2010-03-22: D, K, E start to serve DURZ
Week of 2010-04-12: B, H, C, G, F start to serve DURZ
Week of 2010-05-03: J starts to serve DURZ
2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor.
(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)
January 2010
This is the second of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
DOCUMENTATION
The following draft documents were recently published:
- DNSSEC Deployment for the Root Zone
- DNSSEC Trust Anchor Publication for the Root Zone
The following documents are expected to be released as drafts within the next few weeks:
- DNSSEC Test Plan for the Root Zone
- KSK Holder DNSSEC Facility Requirements
DEPLOYMENT STATUS
A second KSR exchange between ICANN and VeriSign took place on 2009-12-28. Signing, validation, measurement and monitoring infrastructure continues to be tested.
The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately-Unvalidatable Root Zone (DURZ), and subsequently by a conventionally-signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.
Internal publication of the DURZ to root server operators began on 7 January 2010, to allow root server operators to do internal testing and to refine internal monitoring or other operational systems. Note that all root servers will continue to serve the unsigned root zone during this internal testing of the DURZ.
Full packet capture exercises are planned by root server operators on 2010-01-13 and 2010-01-19, with data being uploaded to OARC’s Day in the Life (DITL) infrastructure, in preparation for the full packet captures that will take place during L’s DURZ transition.
PLANNED DEPLOYMENT SCHEDULE
The recently-published deployment plan contains target maintenance windows for each root server’s transition to serve the DURZ. The date for the first such transition, on the L root server, has been deferred slightly to accommodate more extensive data capture and measurement testing by all root servers, and also to allow an NSD upgrade to be tested and deployed on L.
ICANN plans to serve the DURZ on L-Root using NSD 3.2.4, which is better able to serve large DNS responses. See http://www.nlnetlabs.nl/projects/nsd/ for more details.
Week of 2010-01-25: L starts to serve DURZ
Week of 2010-02-08: A starts to serve DURZ
Week of 2010-03-01: M, I start to serve DURZ
Week of 2010-03-22: D, K, E start to serve DURZ
Week of 2010-04-12: B, H, C, G, F start to serve DURZ
Week of 2010-05-03: J starts to serve DURZ
2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforseen factors.)
February 2010
This is the third of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
DOCUMENTATION
The following draft document was recently published:
- Root Zone DNSSEC KSK Ceremonies Guide
DEPLOYMENT STATUS
KSR exchanges continue between development platforms at VeriSign and ICANN. Test exchanges between production servers, exercising regular operational staff and subject to production monitoring and availability measurements is scheduled to begin on 2010-03-01.
Build-out of KSK Key Ceremony facilities at ICANN continues, and both facilities (east- and west-coast USA) are expected to be ready on schedule.
The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately-Unvalidatable Root Zone (DURZ), and subsequently by a conventionally-signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.
L-Root made the transition to the DURZ on 2010-01-27, and A-Root did the same on 2010-02-10. No harmful effects of either transition have been identified. Some early analysis of packet captures from many root servers surrounding each event was recently presented at NANOG 48 in Austin, Texas, USA and can be found with other presentation materials at http://www.root-dnssec.org/presentations/.
Those who are tracking the impact of the DURZ transition on root servers should note that the maintenance window for the M-Root DURZ transition has changed to 2010-03-03 0600–0800 UTC, two hours later than was originally advised. This change has been reflected in the deployment plan, which can be found with other project documentation at http://www.root-dnssec.org/documentation/.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
- 2010-01-27: L starts to serve DURZ
- 2010-02-10: A starts to serve DURZ
To come:
- 2010-03-03: M, I start to serve DURZ
- 2010-03-24: D, K, E start to serve DURZ
- 2010-04-14: B, H, C, G, F start to serve DURZ
- 2010-05-05: J starts to serve DURZ
- 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforseen factors.)
A more detailed DURZ transition timetable with maintenance windows can be found in the document “DNSSEC Deployment for the Root Zone”, the most recent draft of which can be found on the project web page at http://www.root-dnssec.org/.
April 2010
This is the fourth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
DOCUMENTATION
The following draft document was recently published:
- Resolver Testing with a DURZ
- TCR – Proposed Approach to Root Key Management
DEPLOYMENT STATUS
KSR exchanges continue between production platforms at VeriSign and ICANN.
Build-out of KSK Key Ceremony facilities at ICANN continues, and both facilities (east- and west-coast USA) are expected to be ready on schedule.
The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.
Twelve of the thirteen root servers have made the transition to the DURZ. No harmful effects have been identified. Some early analysis of packet captures from many root servers surrounding each event was recently presented at the IETF meeting in Anaheim, CA, USA and can be found with other presentation materials at http://www.root-dnssec.org/documentation/.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
- 2010-01-27: L starts to serve DURZ
- 2010-02-10: A starts to serve DURZ
- 2010-03-03: M, I start to serve DURZ
- 2010-03-24: D, K, E start to serve DURZ
- 2010-04-14: B, H, C, G, F start to serve DURZ
To come:
- 2010-05-05: J starts to serve DURZ
- 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforseen factors.)
A more detailed DURZ transition timetable with maintenance windows can be found in the document “DNSSEC Deployment for the Root Zone”, the most recent draft of which can be found on the project web page at http://www.root-dnssec.org/.
3 May 2010
This is the fifth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
The final transition to the DURZ will take place on J-Root, on 2010-05-05 between 1700–1900 UTC.
After that maintenance all root servers will be serving the DURZ, and will generate larger responses to DNS queries that request DNSSEC information.
If you experience technical problems or need to contact technical project staff, please send e-mail to rootsign@icann.org or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred if possible.
See below for more details.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
DEPLOYMENT STATUS
The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.
Twelve of the thirteen root servers have already made the transition to the DURZ. No harmful effects have been identified.
The final root server to make the transition, J-Root, will start serving the DURZ in a maintenance window scheduled for 1700–1900 UTC on 2010-05-05.
Initial observations relating to this transition will be presented and discussed at the DNS Working Group meeting at the RIPE meeting in Prague on 2010-05-06.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
- 2010-01-27: L starts to serve DURZ
- 2010-02-10: A starts to serve DURZ
- 2010-03-03: M, I start to serve DURZ
- 2010-03-24: D, K, E start to serve DURZ
- 2010-04-14: B, H, C, G, F start to serve DURZ
To come:
- 2010-05-05: J starts to serve DURZ
- 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)
A more detailed DURZ transition timetable with maintenance windows can be found in the document “DNSSEC Deployment for the Root Zone”, the most recent draft of which can be found on the project web page at http://www.root-dnssec.org/.
5 May 2010
This is the sixth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
The final transition to a signed root zone took place today on J-Root, between 1700–1900 UTC.
All root servers are now serving a signed root zone.
All root servers will now generate larger responses to DNS queries that request DNSSEC information.
If you experience technical problems or need to contact technical project staff, please send e-mail to rootsign@icann.org or call the ICANN DNS NOC at +1 310 301 5817, e-mail preferred if possible.
See below for more details.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
DEPLOYMENT STATUS
The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately Unvalidatable Root Zone (DURZ), and subsequently by a conventionally signed root zone. Discussion of the approach can be found in the document “DNSSEC Deployment for the Root Zone”, as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.
All of the thirteen root servers have now made the transition to the to the DURZ. No harmful effects have been identified.
Initial observations relating to this transition will be presented and discussed at the DNS Working Group meeting at the RIPE meeting in Prague on 2010-05-06.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
- 2010-01-27: L starts to serve DURZ
- 2010-02-10: A starts to serve DURZ
- 2010-03-03: M, I start to serve DURZ
- 2010-03-24: D, K, E start to serve DURZ
- 2010-04-14: B, H, C, G, F start to serve DURZ
- 2010-05-05: J start to serve DURZ
To come:
- 2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)
18 May 2010
This is the seventh of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
CHANGE IN DEPLOYMENT SCHEDULE
The date for the publication of the root zone trust anchor and the distribution of a validatable, signed root zone originally planned for 2010-07-01 has been changed.
This final stage of root DNSSEC deployment is now scheduled to take place on 2010-07-15.
The schedule change is intended to allow ICANN and VeriSign an additional two weeks for further analysis of the DURZ rollout, to finalise testing and best ensure the secure, stable and resilient implementation of the root DNSSEC production processes and systems.
Prior to 2010-07-15 the U.S. Department of Commerce (DoC) will issue a public notice announcing the publication of the joint ICANN-VeriSign testing and evaluation report as well as the intent to proceed with the final stage of DNSSEC deployment. As part of this notice the DoC will include a public review and comment period prior to taking any action.
This change has been reflected in the deployment plan and other documentation, and updated documents will be published at <http://www.root-dnssec.org/>.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
- 2010-01-27: L starts to serve DURZ
- 2010-02-10: A starts to serve DURZ
- 2010-03-03: M, I start to serve DURZ
- 2010-03-24: D, K, E start to serve DURZ
- 2010-04-14: B, H, C, G, F start to serve DURZ
- 2010-05-05: J start to serve DURZ
To come:
- 2010-06-16: First Key Signing Key (KSK) Ceremony
- 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)
9 June 2010
This is the eigth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
PUBLIC NOTICE
The US Department of Commerce National Telecommunications and Information Administration (NTIA) has issued a Public Notice regarding the deployment of DNSSEC in the root zone.
http://www.ntia.doc.gov/frnotices/2010/FR_DNSSEC_Notice_06092010.pdf
The Public Notice makes reference to the final report submitted to NTIA by ICANN and VeriSign which contains a summary of the project work to date together with a recommendation that full deployment should proceed.
http://www.ntia.doc.gov/reports/2010/DNSSEC_05282010.pdf
The Public Notice includes a public review period. Comments may be submitted by postal mail, fax or e-mail before 2010-06-21. Instructions for the submission of comments are included in the Public Notice.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
- 2010-01-27: L starts to serve DURZ
- 2010-02-10: A starts to serve DURZ
- 2010-03-03: M, I start to serve DURZ
- 2010-03-24: D, K, E start to serve DURZ
- 2010-04-14: B, H, C, G, F start to serve DURZ
- 2010-05-05: J start to serve DURZ
To come:
- 2010-06-16: First Key Signing Key (KSK) Ceremony
- 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)
18 June 2010
This is the ninth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
KSK CEREMONY 1 COMPLETE
The first KSK ceremony for the root zone was completed this week in Culpeper, VA, USA. The Ceremony Administrator was Mehmet Akcin.
The first production KSK has now been generated. This is the key that is scheduled to be put into service on 2010-07-15.
The first production Key Signing Request (KSR) generated by VeriSign has now been processed by ICANN using the root zone KSK, and the resulting Signed Key Response (KSR) has been accepted by VeriSign. This SKR contains signatures for Q3 2010, for use between 2010-07-01 and 2010-09-30.
Audit materials relating to the first ceremony will be published as soon as is practical, and in particular before 2010-07-15.
The KSK and SKR generated during this ceremony will not be approved for production until the KSK key pair has been successfully transported to ICANN’s west-coast ceremony facility in El Segundo, CA, USA, and placed in secure storage.
KSK CEREMONY 2 SCHEDULED
The second KSK ceremony for the root zone is scheduled to take place in El Segundo, CA, USA on 2010-07-12. Replication of key materials onto west-coast HSMs, enrolment of west-coast crypto officers and processing of the Q4 2010 KSR (for production use between 2010-10-01 and 2010-12-31) will take place during this ceremony.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
- 2010-01-27: L starts to serve DURZ
- 2010-02-10: A starts to serve DURZ
- 2010-03-03: M, I start to serve DURZ
- 2010-03-24: D, K, E start to serve DURZ
- 2010-04-14: B, H, C, G, F start to serve DURZ
- 2010-05-05: J start to serve DURZ
- 2010-06-16: First Key Signing Key (KSK) Ceremony
To come:
- 2010-07-12: Second Key Signing Key (KSK) Ceremony
- 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)
10 July 2010
This is the tenth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
KSK CEREMONY 2
The second KSK ceremony for the root zone will take place in El Segundo, CA, USA on Monday 2010-07-12. The ceremony is scheduled to begin at 1300 local time (2000 UTC) and is expected to end by 1900 local time (0200 UTC).
Video from Ceremony 2 will be recorded for audit purposes, as with Ceremony 1. Video and associated audit materials will be published before the signed root enters full production on 2010-07-15. Details will be circulated before that date.
ICANN will operate a separate camera whose video will not be retained for audit purposes, but which will instead be streamed live in order to provide remote observers an opportunity to watch the ceremony. The live stream will be provided on a best-effort basis.
The live video stream will be available at http://dns.icann.org/ksk/stream/.
FULL PRODUCTION SIGNED ROOT ZONE
The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone will take place on 2010-07-15.
Trust anchor publication, according to draft-icann-dnssec-trust-anchor-00 will take place after the maintenance window closes, once a final set of tests have been completed by ICANN and the results have been found to be positive.
FTP ACCESS TO SIGNED ZONE FILES
Following the transition on 2010-07-15 the unsigned root and ARPA zone files published at
ftp://rs.internic.net/domain/
ftp://ftp.internic.net/domain/
will be replaced by signed zone files. That is, the zone files retrieved from both FTP servers will contain DNSSEC data, and will hence faithfully represent the zones being served by root servers.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
- 2010-01-27: L starts to serve DURZ
- 2010-02-10: A starts to serve DURZ
- 2010-03-03: M, I start to serve DURZ
- 2010-03-24: D, K, E start to serve DURZ
- 2010-04-14: B, H, C, G, F start to serve DURZ
- 2010-05-05: J start to serve DURZ
- 2010-06-16: First Key Signing Key (KSK) Ceremony
To come:
- 2010-07-12: Second Key Signing Key (KSK) Ceremony
- 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)
14 July 2010
This is the eleventh of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
KSK CEREMONY 2 COMPLETE
The second KSK ceremony for the root zone was completed this week in El Segundo, CA, USA. The Ceremony Administrator was Mehmet Akcin.
The second production Key Signing Request (KSR) generated by VeriSign has now been processed by ICANN using the root zone KSK generated in KSK Ceremony 1, and the resulting Signed Key Response (SKR) has been accepted by VeriSign. This SKR contains signatures for Q4 2010, for use between 2010-10-01 and 2010-12-31.
Audit materials relating to both the first and second ceremonies will be published today at
FULL PRODUCTION SIGNED ROOT ZONE
The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone is scheduled take place on 2010-07-15 within a maintenance window which begins at 1930 UTC and ends at 2330 UTC. This is the usual window for the generation and distribution of root zones with SOA serials ending in 01.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
- 2010-01-27: L starts to serve DURZ
- 2010-02-10: A starts to serve DURZ
- 2010-03-03: M, I start to serve DURZ
- 2010-03-24: D, K, E start to serve DURZ
- 2010-04-14: B, H, C, G, F start to serve DURZ
- 2010-05-05: J start to serve DURZ
- 2010-06-16: First Key Signing Key (KSK) Ceremony
- 2010-07-12: Second Key Signing Key (KSK) Ceremony
To come:
- 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)
16 July 2010
This is the twelfth of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We’d like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
FULL PRODUCTION SIGNED ROOT ZONE
The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone took place on 2010-07-15 at 2050 UTC. The first full production signed root zone had SOA serial 2010071501. There have been no reported harmful effects. The root zone trust anchor can be found at https://data.iana.org/root-anchors/.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
- 2010-01-27: L starts to serve DURZ
- 2010-02-10: A starts to serve DURZ
- 2010-03-03: M, I start to serve DURZ
- 2010-03-24: D, K, E start to serve DURZ
- 2010-04-14: B, H, C, G, F start to serve DURZ
- 2010-05-05: J start to serve DURZ
- 2010-06-16: First Key Signing Key (KSK) Ceremony
- 2010-07-12: Second Key Signing Key (KSK) Ceremony
- 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
27 January 2011
Summary: We propose to enhance the validation procedure for top-level domains operators who wish to list DS records in the root zone. We will soon start testing for valid RRSIG records, in addition to testing the DS records match DNSKEYs listed in the top-level domain.
On 2010-07-15, the DNS root zone completely transitioned to its DNSSEC-signed state, signalling the end of the progressive launch program. As we now reach the six month anniversary of reaching full production, an increasing number of top-level domain operators have taken advantage of the signed root zone by listing their delegation signer records. These records allow their zones to validate using the chain-of-trust from the single root trust anchor key.
As with all root zone changes, ICANN, Verisign and the US Department of Commerce have worked together to accept listing requests from top-level domain managers, evaluate them to ensure they meet technical and operational requirements, and then list them in the root zone.
Experience
During the first half a year of experience with a signed root zone, we have been actively monitoring and gaining experience from TLD operators on how they have rolled out DNSSEC. While the majority of requests have been performed smoothly, we have observed in some cases we have received DS listing requests that pass our validation criteria, yet have issues with their name servers that can impact successful deployment of DNSSEC for the TLD concerned.
Specifically, in some cases, the DNSKEY is correctly listed in the zone, and the zone is signed, however the authoritative name server software is not deployed and configured correctly to return the correct RRSIG records when the DO-flag is set. The DO-flag is used to signal to a name server that the querier understands and wants a DNSSEC-signed response.
Such situations indicate a misconfiguration or problem within the top-level domain, whereby if the DS record was to be listed, would likely result in DNSSEC validation failures within that top-level domain for some users.
Proposed Updated to the DS Record Evaluation Procedure
In order to enhance stability of the global domain name system by identifying this issue, we propose to alter the technical requirements for listing delegation signer records in the DNS root zone.
- The current test, validating that for each DS record that is proposed to be listed in the DNS root zone, that each authoritative name server serves a matching DNSKEY, will be preserved.
- A new validation will be performed, whereby the DO-flag is set on the query for the DNSKEYs from each authoritative name service. We will check that (a) RRSIG records are returned, and that (b) the RRSIGs validate using one of the returned DNSKEY records that has the SEP-bit set.
In effect, this new test will not just check that the DS record is correct, but that basic DNSSEC functionality is correctly enabled in each of the authoritative servers.
As today, in the case where these validations fail, the TLD operator will be consulted by ICANN. Should the TLD operator still wish to proceed by understanding and accepting any risks associated with listing DS records that do not pass these tests, the root zone management partners will continue to process the request.
Proposed Implementation
ICANN proposes to introduce this process into its operational workflow in March 2011. From this time, ICANN will perform the new validation and notify top-level domain operators during the technical check phase of root zone processing. VeriSign will perform the same check just prior to implementation in the root zone.
We welcome your comments and feedback on this to rootsign@icann.org.