[DNSOP] Root Zone DNSSEC Deployment Technical Status Update

Joe Abley <jabley@hopcount.ca> Thu, 14 January 2010 16:46 UTC

From: Joe Abley <jabley@hopcount.ca>
Date: Thu, 14 Jan 2010 11:46:17 -0500
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Cc: rootsign@icann.org
Subject: [DNSOP] Root Zone DNSSEC Deployment Technical Status Update

This is the second of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS. Apologies if you receive multiple copies of this message.


Details of the project, including documentation published to date,
can be found at http://www.root-dnssec.org/.

We'd like to hear from you. If you have feedback for us, please
send it to rootsign@icann.org.


The following draft documents were recently published:

- DNSSEC Deployment for the Root Zone

- DNSSEC Trust Anchor Publication for the Root Zone

The following documents are expected to be released as drafts within
the next few weeks:

- DNSSEC Test Plan for the Root Zone

- KSK Holder DNSSEC Facility Requirements


A second KSR exchange between ICANN and VeriSign took place on
2009-12-28. Signing, validation, measurement and monitoring
infrastructure continues to be tested.

The incremental deployment of DNSSEC in the Root Zone is being
carried out first by serving a Deliberately-Unvalidatable Root Zone
(DURZ), and subsequently by a conventionally-signed root zone.
Discussion of the approach can be found in the document "DNSSEC
Deployment for the Root Zone", as well as in the technical presentations
delivered at RIPE, NANOG, IETF and ICANN meetings.

Internal publication of the DURZ to root server operators began on
7 January 2010, to allow root server operators to do internal testing
and to refine internal monitoring or other operational systems.
Note that all root servers will continue to serve the unsigned root
zone during this internal testing of the DURZ.

Full packet capture exercises are planned by root server operators
on 2010-01-13 and 2010-01-19, with data being uploaded to OARC's
Day in the Life (DITL) infrastructure, in preparation for the full
packet captures that will take place during L's DURZ transition.


The recently-published deployment plan contains target maintenance
windows for each root server's transition to serve the DURZ. The
date for the first such transition, on the L root server, has been
deferred slightly to accommodate more extensive data capture and
measurement testing by all root servers, and also to allow an NSD
upgrade to be tested and deployed on L.

ICANN plans to serve the DURZ on L-Root using NSD 3.2.4, which is
better able to serve large DNS responses. See
<http://www.nlnetlabs.nl/projects/nsd/> for more details.

Week of 2010-01-25: L starts to serve DURZ

Week of 2010-02-08: A starts to serve DURZ

Week of 2010-03-01: M, I start to serve DURZ

Week of 2010-03-22: D, K, E start to serve DURZ

Week of 2010-04-12: B, H, C, G, F start to serve DURZ

Week of 2010-05-03: J starts to serve DURZ

2010-07-01: Distribution of validatable, production, signed root
  zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change
based on testing results or other unforeseen factors.)