[lacnog] Fwd: Root Zone DNSSEC Deployment Technical Status Update

Francisco Arias francisco en arias.com.mx
Jue Ene 14 17:02:54 BRST 2010

Les transmito un mensaje de actualización sobre la firma de la zona raíz. Es
de resaltar la publicación de varios documentos y el cambio de fecha para
iniciar la publicación de la zona raíz firmada (aunque no verificable) en el
serivor raíz L el 25 de enero próximo.



---------- Forwarded message ----------
From: Joe Abley <jabley en hopcount.ca>
Date: 2010/1/14
Subject: [dns-operations] Root Zone DNSSEC Deployment Technical Status
To: dns-operations en mail.dns-oarc.net
Cc: rootsign en icann.org

This is the second of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS. Apologies if you receive multiple copies of this message.


Details of the project, including documentation published to date,
can be found at http://www.root-dnssec.org/.

We'd like to hear from you. If you have feedback for us, please
send it to rootsign en icann.org.


The following draft documents were recently published:

- DNSSEC Deployment for the Root Zone

- DNSSEC Trust Anchor Publication for the Root Zone

The following documents are expected to be released as drafts within
the next few weeks:

- DNSSEC Test Plan for the Root Zone

- KSK Holder DNSSEC Facility Requirements


A second KSR exchange between ICANN and VeriSign took place on
2009-12-28. Signing, validation, measurement and monitoring
infrastructure continues to be tested.

The incremental deployment of DNSSEC in the Root Zone is being
carried out first by serving a Deliberately-Unvalidatable Root Zone
(DURZ), and subsequently by a conventionally-signed root zone.
Discussion of the approach can be found in the document "DNSSEC
Deployment for the Root Zone", as well as in the technical presentations
delivered at RIPE, NANOG, IETF and ICANN meetings.

Internal publication of the DURZ to root server operators began on
7 January 2010, to allow root server operators to do internal testing
and to refine internal monitoring or other operational systems.
Note that all root servers will continue to serve the unsigned root
zone during this internal testing of the DURZ.

Full packet capture exercises are planned by root server operators
on 2010-01-13 and 2010-01-19, with data being uploaded to OARC's
Day in the Life (DITL) infrastructure, in preparation for the full
packet captures that will take place during L's DURZ transition.


The recently-published deployment plan contains target maintenance
windows for each root server's transition to serve the DURZ. The
date for the first such transition, on the L root server, has been
deferred slightly to accommodate more extensive data capture and
measurement testing by all root servers, and also to allow an NSD
upgrade to be tested and deployed on L.

ICANN plans to serve the DURZ on L-Root using NSD 3.2.4, which is
better able to serve large DNS responses. See
<http://www.nlnetlabs.nl/projects/nsd/> for more details.

Week of 2010-01-25: L starts to serve DURZ

Week of 2010-02-08: A starts to serve DURZ

Week of 2010-03-01: M, I start to serve DURZ

Week of 2010-03-22: D, K, E start to serve DURZ

Week of 2010-04-12: B, H, C, G, F start to serve DURZ

Week of 2010-05-03: J starts to serve DURZ

2010-07-01: Distribution of validatable, production, signed root
 zone; publication of root zone trust anchor

(Please note that this schedule is tentative and subject to change
based on testing results or other unforseen factors.)

dns-operations mailing list
dns-operations en lists.dns-oarc.net
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20100114/9c5020b4/attachment.html>

Más información sobre la lista de distribución LACNOG