Root Zone DNSSEC Deployment Technical Status Update 2010-07-14
This is the eleventh of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We'd like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
KSK CEREMONY 2 COMPLETE
The second KSK ceremony for the root zone was completed this week in El Segundo, CA, USA. The Ceremony Administrator was Mehmet Akcin.
The second production Key Signing Request (KSR) generated by VeriSign has now been processed by ICANN using the root zone KSK generated in KSK Ceremony 1, and the resulting Signed Key Response (SKR) has been accepted by VeriSign. This SKR contains signatures for Q4 2010, for use between 2010-10-01 and 2010-12-31.
Audit materials relating to both the first and second ceremonies will be published today at http://www.iana.org/dnssec/.
FULL PRODUCTION SIGNED ROOT ZONE
The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone is scheduled to take place on 2010-07-15 within a maintenance window which begins at 1930 UTC and ends at 2330 UTC. This is the usual window for the generation and distribution of root zones with SOA serials ending in 01.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
2010-01-27: L starts to serve DURZ
2010-02-10: A starts to serve DURZ
2010-03-03: M, I start to serve DURZ
2010-03-24: D, K, E start to serve DURZ
2010-04-14: B, H, C, G, F start to serve DURZ
2010-05-05: J starts to serve DURZ
2010-06-16: First Key Signing Key (KSK) Ceremony
2010-07-12: Second Key Signing Key (KSK) Ceremony
To come:
2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)