
Root Zone DNSSEC Deployment Technical Status Update 2010-07-14
This is the eleventh of a series of technical status updates intended to inform a technical audience on progress in signing the root zone of the DNS.
RESOURCES
Details of the project, including documentation published to date, can be found at http://www.root-dnssec.org/.
We'd like to hear from you. If you have feedback for us, please send it to rootsign@icann.org.
KSK CEREMONY 2 COMPLETE
The second KSK ceremony for the root zone was completed this week in El Segundo, CA, USA. The Ceremony Administrator was Mehmet Akcin.
The second production Key Signing Request (KSR) generated by VeriSign has now been processed by ICANN using the root zone KSK generated in KSK Ceremony 1, and the resulting Signed Key Response (SKR) has been accepted by VeriSign. This SKR contains signatures for Q4 2010, for use between 2010-10-01 and 2010-12-31.
Audit materials relating to both the first and second ceremonies will be published today at http://www.iana.org/dnssec/.
FULL PRODUCTION SIGNED ROOT ZONE
The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone is scheduled to take place on 2010-07-15 within a maintenance window which begins at 1930 UTC and ends at 2330 UTC. This is the usual window for the generation and distribution of root zones with SOA serials ending in 01.
PLANNED DEPLOYMENT SCHEDULE
Already completed:
2010-01-27: L starts to serve DURZ
2010-02-10: A starts to serve DURZ
2010-03-03: M, I start to serve DURZ
2010-03-24: D, K, E start to serve DURZ
2010-04-14: B, H, C, G, F start to serve DURZ
2010-05-05: J starts to serve DURZ
2010-06-16: First Key Signing Key (KSK) Ceremony
2010-07-12: Second Key Signing Key (KSK) Ceremony
To come:
2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor
(Please note that this schedule is tentative and subject to change based on testing results or other unforeseen factors.)

Joe,
Past the 15th July, what command should I use to check DNSSEC is operational? Do you have one or more examples?
dig +dnssec ???
Franck Martin http://www.avonsys.com/ http://www.facebook.com/Avonsys twitter: FranckMartin Avonsys
Check your domain reputation: http://gurl.im/b69d4o
----- Original Message ----- From: "Joe Abley" joe.abley@icann.org To: pacnog@pacnog.org Sent: Thursday, 15 July, 2010 10:12:35 AM Subject: [pacnog] Root Zone DNSSEC Deployment Technical Status Update

Hi Franck,
After the final transition you can look for an unobscured key at the apex of the root zone (e.g. dig @L.ROOT-SERVERS.NET . dnskey) and a trust anchor published in the various ways described in the trust anchor publication specification, which can be found at http://www.root-dnssec.org/ (look in the documentation section).
Once you have a trusted copy of the public part of the root zone KSK, you can configure a trust anchor and test validation, e.g. using BIND9 or Unbound.
Joe
On 2010-07-14, at 15:24, "Franck Martin" franck@avonsys.com wrote:

It seems here ;)
I suppose dot org should be next soon?
also http://www.nlnetlabs.nl/publications/dnssec_howto/index.html seems an easier read than the http://www.root-dnssec.org/ documentation.
dig @L.ROOT-SERVERS.NET . dnskey
; <<>> DiG 9.6.0-APPLE-P2 <<>> @L.ROOT-SERVERS.NET . dnskey
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30953
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;. IN DNSKEY
;; ANSWER SECTION:
. 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467 QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR
. 86400 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
;; Query time: 204 msec
;; SERVER: 199.7.83.42#53(199.7.83.42)
;; WHEN: Fri Jul 16 09:41:10 2010
;; MSG SIZE rcvd: 439
Franck Martin http://www.avonsys.com/ http://www.facebook.com/Avonsys twitter: FranckMartin Avonsys
Check your domain reputation: http://gurl.im/b69d4o
----- Original Message ----- From: "Joe Abley" joe.abley@icann.org To: "Franck Martin" franck@avonsys.com Cc: pacnog@pacnog.org Sent: Thursday, 15 July, 2010 11:23:47 AM Subject: Re: [pacnog] Root Zone DNSSEC Deployment Technical Status Update
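Added example, not part of the original thread: the DNSKEY answer in the dig output above is unauthenticated until it is tied to a trust anchor obtained out-of-band, as Joe's reply describes. This Python code derives the RFC 4034 key tag and SHA-256 DS digest from each DNSKEY line so they can be compared with the published anchor; the function names are illustrative, and the key data is copied from the dig output in this thread.

```python
import base64
import hashlib
import struct

# DNSKEY answer lines copied from the dig output in this thread (one per entry).
ROOT_DNSKEYS = [
    ". 86400 IN DNSKEY 256 3 8 AwEAAb1gcDhBlH/9MlgUxS0ik2dwY/JiBIpV+EhKZV7LccxNc6Qlj467 "
    "QjHQ3Fgm2i2LE9w6LqPFDSng5qVq1OYFyTBt3DQppqDnAPriTwW5qIQN "
    "DNFv34yo63sAdBeU4G9tv7dzT5sPyAgmVh5HDCe+6XM2+Iel1+kUKCel 8Icy19hR",
    ". 86400 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF "
    "FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX "
    "bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD "
    "X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz "
    "W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS "
    "Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=",
]

def parse_dnskey(line):
    """Split a presentation-format DNSKEY line into owner, flags, alg, wire RDATA."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    key = base64.b64decode("".join(f[i + 4:]), validate=True)
    return f[0], flags, alg, struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Canonical (lowercased) wire form of the owner name; '.' is one zero byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_sha256(line):
    """Return (key_tag, algorithm, digest_type, hex_digest) for a DNSKEY line."""
    owner, _flags, alg, rdata = parse_dnskey(line)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, 2, digest

def find_anchor_key(lines, anchor_tag, anchor_digest):
    """Return the SEP key (flags bit 0 set) matching an out-of-band DS, else None."""
    for line in lines:
        tag, _alg, _type, digest = ds_sha256(line)
        if parse_dnskey(line)[1] & 1 and tag == anchor_tag and digest == anchor_digest.upper():
            return line
    return None

if __name__ == "__main__":
    for line in ROOT_DNSKEYS:
        print(". IN DS %d %d %d %s" % ds_sha256(line))
```

Pass `find_anchor_key` the key tag and digest taken from the trust anchor publication, not values derived from the same DNS response, otherwise the comparison proves nothing.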