Root Zone DNSSEC Deployment
Technical Status Update 2010-06-18
This is the ninth of a series of technical status updates intended
to inform a technical audience on progress in signing the root zone
of the DNS.
Details of the project, including documentation published to date,
can be found at <http://www.root-dnssec.org/>.
We'd like to hear from you. If you have feedback for us, please
send it to [log in to unmask]

KSK CEREMONY 1 COMPLETE

The first KSK ceremony for the root zone was completed this week
in Culpeper, VA, USA. The Ceremony Administrator was Mehmet Akcin.
The first production KSK has now been generated. This is the key
that is scheduled to be put into service on 2010-07-15.
The first production Key Signing Request (KSR) generated by VeriSign
has now been processed by ICANN using the root zone KSK, and the
resulting Signed Key Response (SKR) has been accepted by VeriSign.
This SKR contains signatures for Q3 2010, for use between 2010-07-01
Audit materials relating to the first ceremony will be published
as soon as is practical, and in particular before 2010-07-15.
The KSK and SKR generated during this ceremony will not be approved
for production until the KSK key pair has been successfully transported
to ICANN's west-coast ceremony facility in El Segundo, CA, USA, and
placed in secure storage.

KSK CEREMONY 2 SCHEDULED

The second KSK ceremony for the root zone is scheduled to take place
in El Segundo, CA, USA on 2010-07-12. Replication of key materials
onto west-coast HSMs, enrolment of west-coast crypto officers and
processing of the Q4 2010 KSR (for production use between 2010-10-01
and 2010-12-31) will take place during this ceremony.

PLANNED DEPLOYMENT SCHEDULE

2010-01-27: L starts to serve DURZ
2010-02-10: A starts to serve DURZ
2010-03-03: M, I start to serve DURZ
2010-03-24: D, K, E start to serve DURZ
2010-04-14: B, H, C, G, F start to serve DURZ
2010-05-05: J starts to serve DURZ
2010-06-16: First Key Signing Key (KSK) Ceremony
2010-07-12: Second Key Signing Key (KSK) Ceremony
2010-07-15: Distribution of validatable, production, signed root
zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change
based on testing results or other unforeseen factors.)