Search DNSSEC Blog


Thursday, January 14, 2010


Information about DNSSEC for the Root Zone

This website contains announcements, releases and other pertinent information about the deployment of DNSSEC for the root zone.

DNSSEC for the root zone is a joint effort between ICANN and VeriSign, with support from the U.S. Department of Commerce.

Planned High Level Timeline

* December 1, 2009: Root zone signed for internal use by VeriSign and ICANN. ICANN and VeriSign exercise interaction protocols for signing the ZSK with the KSK.
* January, 2010: The first root server begins serving the signed root in the form of the DURZ (deliberately unvalidatable root zone). The DURZ contains unusable keys in place of the root KSK and ZSK to prevent these keys being used for validation.
* Early May, 2010: All root servers are now serving the DURZ. The effects of the larger responses from the signed root, if any, would now be encountered.
* May and June, 2010: The deployment results are studied and a final decision to deploy DNSSEC in the root zone is made.
* July 1, 2010: ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys – The signed root zone is available.

Please note that this timeline is tentative and subject to change based on testing results or other unforeseen factors.

Get more info at

No comments:

Post a Comment