[DNSOP] Root zone DNSSEC deployment web site and technical status update

Matt Larson <mlarson@verisign.com> Tue, 15 December 2009 22:49 UTC

Date: Tue, 15 Dec 2009 17:49:04 -0500
From: Matt Larson <mlarson@verisign.com>
To: dnsop@ietf.org
Message-ID: <20091215224904.GY13415@dul1mcmlarson-l1.vcorp.ad.vrsn.com>

The root zone DNSSEC deployment team is pleased to announce a new web
site with information about the project, http://www.root-dnssec.org.
The site serves as a repository for documentation and information
about deploying DNSSEC in the root zone, including technical status
updates.  The first status update is available on the site and is
included below, as well.  Additional documentation will be posted as
it becomes available.  Important announcements and future status
updates will appear in the site's RSS feed,

The design team welcomes your feedback: you can reach the entire team
at rootsign@icann.org.

On behalf of the root zone DNSSEC deployment team,

Matt Larson


Status Update, December, 2009

This is the first of a series of technical status updates intended to
inform a technical audience on the progress of deploying DNSSEC in the
root zone of the DNS.


Details of the project, including documentation published to date, can
be found at http://www.root-dnssec.org/.

We'd like to hear from you. If you have feedback for us, please send
it to rootsign@icann.org.


This project involves the creation of a large volume of documentation,
individual components of which will be released as they have completed
internal review. The following documents are expected to be released
as drafts before the end of December 2009:

* Root Zone DNSSEC Deployment Plan
* Root Zone Trust Anchor Publication


Several root server operators have started testing a lightweight
packet capture tool designed to provide a full record of priming
queries received over the period covering DNSSEC deployment in the
root zone. We hope this data collection will be in full production on
all root servers before the end of December, providing baseline data
which will allow the reaction of the system as a whole to deployment
events to be observed.

On 2009-12-01, the first pre-production KSR exchange between ICANN and
VeriSign and the signing of the root zone within VeriSign's production
infrastructure commenced. The signing, validation, measurement and
monitoring infrastructure will now be subject to full internal


2009-12-01: KSR exchange, root zone signing begins, internal to
VeriSign and ICANN; generation of DURZ

Week of 2010-01-11: L starts to serve DURZ

Week of 2010-02-08: A starts to serve DURZ

Week of 2010-03-01: M, I start to serve DURZ

Week of 2010-03-22: D, K, E start to serve DURZ

Week of 2010-04-12: B, H, C, G, F start to serve DURZ

Week of 2010-05-03: J starts to serve DURZ

2010-07-01: Distribution of validatable, production, signed root zone;
publication of root zone trust anchor.

(Please note that this schedule is tentative and subject to change
based on testing results or other unforeseen factors.)