[DNSOP] Root Zone DNSSEC Deployment Technical Status Update

Joe Abley <jabley@hopcount.ca> Fri, 26 February 2010 17:00 UTC

This is the third of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS. Apologies if you receive multiple copies of this message.


Details of the project, including documentation published to date,
can be found at http://www.root-dnssec.org/.

We'd like to hear from you. If you have feedback for us, please
send it to rootsign@icann.org.


The following draft document was recently published:

- Root Zone DNSSEC KSK Ceremonies Guide


KSR exchanges continue between development platforms at VeriSign
and ICANN. Test exchanges between production servers, exercising
regular operational staff and subject to production monitoring and
availability measurements, are scheduled to begin on 2010-03-01.

Build-out of KSK Key Ceremony facilities at ICANN continues, and
both facilities (east- and west-coast USA) are expected to be ready
on schedule.

The incremental deployment of DNSSEC in the Root Zone is being
carried out first by serving a Deliberately-Unvalidatable Root Zone
(DURZ), and subsequently by a conventionally-signed root zone.
Discussion of the approach can be found in the document "DNSSEC
Deployment for the Root Zone", as well as in the technical presentations
delivered at RIPE, NANOG, IETF and ICANN meetings.

L-Root made the transition to the DURZ on 2010-01-27, and A-Root
did the same on 2010-02-10. No harmful effects of either transition
have been identified. Some early analysis of packet captures from
many root servers surrounding each event was recently presented at
NANOG 48 in Austin, Texas, USA and can be found with other presentation
materials at <http://www.root-dnssec.org/presentations/>.

Those who are tracking the impact of the DURZ transition on root
servers should note that the maintenance window for the M-Root DURZ
transition has changed to 2010-03-03 0600--0800 UTC, two hours later
than was originally advised. This change has been reflected in the
deployment plan, which can be found with other project documentation
at <http://www.root-dnssec.org/documentation/>.


Already completed:

  2010-01-27: L starts to serve DURZ

  2010-02-10: A starts to serve DURZ

To come:

  2010-03-03: M, I start to serve DURZ

  2010-03-24: D, K, E start to serve DURZ

  2010-04-14: B, H, C, G, F start to serve DURZ

  2010-05-05: J starts to serve DURZ

  2010-07-01: Distribution of validatable, production, signed root
    zone; publication of root zone trust anchor

  (Please note that this schedule is tentative and subject to change
  based on testing results or other unforeseen factors.)

A more detailed DURZ transition timetable with maintenance windows
can be found in the document "DNSSEC Deployment for the Root Zone",
the most recent draft of which can be found on the project web page
at <http://www.root-dnssec.org/>.