[DNSOP] Root Zone DNSSEC Deployment Technical Status Update
Joe Abley <jabley@hopcount.ca> Fri, 26 February 2010 17:00 UTC
This is the third of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.

Apologies if you receive multiple copies of this message.

RESOURCES

Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.

We'd like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.

DOCUMENTATION

The following draft document was recently published:

- Root Zone DNSSEC KSK Ceremonies Guide

DEPLOYMENT STATUS

KSR exchanges continue between development platforms at VeriSign and ICANN. Test exchanges between production servers, exercising regular operational staff and subject to production monitoring and availability measurements, are scheduled to begin on 2010-03-01.

Build-out of KSK Key Ceremony facilities at ICANN continues, and both facilities (east- and west-coast USA) are expected to be ready on schedule.

The incremental deployment of DNSSEC in the Root Zone is being carried out first by serving a Deliberately-Unvalidatable Root Zone (DURZ), and subsequently by a conventionally-signed root zone. Discussion of the approach can be found in the document "DNSSEC Deployment for the Root Zone", as well as in the technical presentations delivered at RIPE, NANOG, IETF and ICANN meetings.

L-Root made the transition to the DURZ on 2010-01-27, and A-Root did the same on 2010-02-10. No harmful effects of either transition have been identified. Some early analysis of packet captures from many root servers surrounding each event was recently presented at NANOG 48 in Austin, Texas, USA and can be found with other presentation materials at <http://www.root-dnssec.org/presentations/>.

Those who are tracking the impact of the DURZ transition on root servers should note that the maintenance window for the M-Root DURZ transition has changed to 2010-03-03 0600--0800 UTC, two hours later than was originally advised. This change has been reflected in the deployment plan, which can be found with other project documentation at <http://www.root-dnssec.org/documentation/>.

PLANNED DEPLOYMENT SCHEDULE

Already completed:

  2010-01-27: L starts to serve DURZ
  2010-02-10: A starts to serve DURZ

To come:

  2010-03-03: M, I start to serve DURZ
  2010-03-24: D, K, E start to serve DURZ
  2010-04-14: B, H, C, G, F start to serve DURZ
  2010-05-05: J starts to serve DURZ
  2010-07-01: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

A more detailed DURZ transition timetable with maintenance windows can be found in the document "DNSSEC Deployment for the Root Zone", the most recent draft of which can be found on the project web page at <http://www.root-dnssec.org/>.