Root Zone DNSSEC Deployment Technical Status Update - swinog

10 Jul 2010


      Root Zone DNSSEC Deployment
Technical Status Update 2010-07-10
This is the tenth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.
RESOURCES
Details of the project, including documentation published to date,
can be found at http://www.root-dnssec.org/.
We'd like to hear from you. If you have feedback for us, please
send it to rootsign@icann.org.
KSK CEREMONY 2
The second KSK ceremony for the root zone will take place in El
Segundo, CA, USA on Monday 2010-07-12. The ceremony is scheduled
to begin at 1300 local time (2000 UTC) and is expected to end by
1900 local time (0200 UTC).
Video from Ceremony 2 will be recorded for audit purposes, as with
Ceremony 1. Video and associated audit materials will be published
before the signed root enters full production on 2010-07-15. Details
will be circulated before that date.
ICANN will operate a separate camera whose video will not be retained
for audit purposes, but which will instead be streamed live in order
to provide remote observers an opportunity to watch the ceremony.
The live stream will be provided on a best-effort basis.
The live video stream will be available at:
http://dns.icann.org/ksk/stream/
FULL PRODUCTION SIGNED ROOT ZONE
The transition from Deliberately-Unvalidatable Root Zone (DURZ) to
production signed root zone will take place on 2010-07-15.
Trust anchor publication, according to draft-icann-dnssec-trust-anchor-00
will take place after the maintenance window closes, once a final
set of tests have been completed by ICANN and the results have been
found to be positive.
FTP ACCESS TO SIGNED ZONE FILES
Following the transition on 2010-07-15 the unsigned root and ARPA
zone files published at
ftp://rs.internic.net/domain/
  ftp://ftp.internic.net/domain/
will be replaced by signed zone files. That is, the zone files
retrieved from both FTP servers will contain DNSSEC data, and will
hence faithfully represent the zones being served by root servers.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
2010-01-27: L starts to serve DURZ
2010-02-10: A starts to serve DURZ
2010-03-03: M, I start to serve DURZ
2010-03-24: D, K, E start to serve DURZ
2010-04-14: B, H, C, G, F start to serve DURZ
2010-05-05: J starts to serve DURZ
2010-06-16: First Key Signing Key (KSK) Ceremony
To come:
2010-07-12: Second Key Signing Key (KSK) Ceremony
2010-07-15: Distribution of validatable, production, signed root
    zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change
  based on testing results or other unforeseen factors.)