[Micronet] Root DNS zone now DNSSEC signed

Michael Sinatra-2

As of yesterday afternoon (our time), the root DNS zone (".") was
digitally signed using production DNSSEC keys, through a cooperative
effort on the part of "ICANN Staff," "IANA Staff," and "Verisign Staff."
The root zone is the very first zone consulted by a recursive
nameserver as it attempts to look up various domain names.  Because it
sits at the top of the DNS hierarchy, the signing of the root zone
represents a huge and historic step in improving the security of the DNS.


In order to make use of the signed root, one must install the public key
in a nameserver as a trust-anchor.  Please note that "IST Staff" will
not be installing the root trust-anchor in the production campus
recursive DNS servers immediately, but will continue to use
domain-lookaside validation using ISC's DLV and its trust-anchor.  "IST
Staff" will begin extensive testing of the root trust-anchor and root
zone validation, with the intent of production implementation in the
near future.  This testing will initially begin on the DNS servers used
for BFSv9.**

Existing signed top-level domains (TLDs) are beginning to add DS
(delegated-signer) records into the root zone, which links the signed
root to signed subdomains, thereby establishing a chain of trust.  Later
this year, EDU will be signed, which will eventually allow UC Berkeley
to establish a chain of trust between berkeley.edu and (ultimately) the
root.  COM and NET will likely be signed in the first part of 2011.  COM
presents its own set of technical challenges, since it is so large.  ORG
and GOV are already signed, and the DS records will appear in the root
zone in the next few days or weeks.

Again, this is a very big step (possibly *the* biggest step) in the
global deployment of DNSSEC, the DNS Security Extensions.

Michael Sinatra
Network Operations and Services
a unit of
IST Network Services*

* As requested by Bruce Lorenzen, all of IST Voice and Data Networking
is now called "Network Services."  The previously-named "Network
Services Group" has been called "Network Operations and Services" since

** Just kidding on the BFSv9 part.
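The chain of trust the post describes (a root trust anchor installed in the
resolver, then DS records in each parent zone vouching for the child's KSK)
can be walked mechanically. The following is an added worked example, not
code from the post or from any UC Berkeley or ISC software: it computes DS
records and key tags as RFC 4034 specifies them (digest over the canonical
owner name followed by the DNSKEY RDATA; key tag per Appendix B) and then
checks a root -> edu -> berkeley.edu delegation chain. All key material below
is constructed placeholder bytes, not real zone keys, and the RRSIG check
that a real validator also performs over each DNSKEY RRset is left out.

```python
"""Walk a DNSSEC chain of trust from a root trust anchor through DS records.
Added example; all keys are constructed bytes, not real zone data."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# DS digest type codes: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


@dataclass(frozen=True)
class DNSKEY:
    owner: str          # zone apex, e.g. "edu."
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # 8 = RSASHA256
    pubkey: bytes       # public key material (constructed here, not a real key)
    protocol: int = 3   # always 3 for DNSSEC

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey


@dataclass(frozen=True)
class DS:
    owner: str          # child name as delegated from the parent zone
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def wire_name(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """What a parent publishes for a child KSK: hash(owner name || DNSKEY RDATA)."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(wire_name(key.owner) + key.rdata())
    return DS(key.owner, key_tag(key.rdata()), key.algorithm, digest_type, h.digest())


def match_ds(ds_set, dnskeys):
    """Return the child DNSKEY authenticated by some DS in the parent's set, else None.
    DS records with an unsupported digest type are ignored, as RFC 4509 requires."""
    for ds in ds_set:
        if ds.digest_type not in DIGEST_ALGS:
            continue
        for key in dnskeys:
            if key.owner.lower() != ds.owner.lower() or key.algorithm != ds.algorithm:
                continue
            if key_tag(key.rdata()) != ds.key_tag:
                continue
            if hmac.compare_digest(make_ds(key, ds.digest_type).digest, ds.digest):
                return key
    return None


def validate_chain(trust_anchor: DS, zones):
    """Walk root -> TLD -> ... one delegation at a time.

    `zones` is an ordered list of (dnskey_set, ds_set_for_child); the last entry's
    DS set is unused. Returns the list of authenticated KSKs, or None at the first
    delegation whose DS does not match any published DNSKEY."""
    ds_set = [trust_anchor]
    trusted = []
    for dnskeys, child_ds in zones:
        ksk = match_ds(ds_set, dnskeys)
        if ksk is None:
            return None
        trusted.append(ksk)
        ds_set = child_ds
    return trusted


def demo():
    """Constructed scenario: a valid chain, then the same chain with a rogue edu key."""
    root_ksk = DNSKEY(".", 257, 8, b"root-ksk-constructed")
    edu_ksk = DNSKEY("edu.", 257, 8, b"edu-ksk-constructed")
    ucb_ksk = DNSKEY("berkeley.edu.", 257, 8, b"ucb-ksk-constructed")
    trust_anchor = make_ds(root_ksk)            # what an operator installs in the resolver
    chain = [
        ([root_ksk], [make_ds(edu_ksk)]),       # root zone publishes DS for edu
        ([edu_ksk], [make_ds(ucb_ksk)]),        # edu publishes DS for berkeley.edu
        ([ucb_ksk], []),
    ]
    good = validate_chain(trust_anchor, chain)
    rogue = DNSKEY("edu.", 257, 8, b"attacker-constructed")  # spoofed edu DNSKEY RRset
    bad = validate_chain(trust_anchor, [chain[0], ([rogue], [make_ds(ucb_ksk)]), chain[2]])
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("valid chain:", [k.owner for k in good])
    print("rogue edu key accepted:", bad is not None)
```

The digest comparison uses a constant-time compare; the important operational
point the walk makes visible is that only the trust anchor itself has to be
configured out of band, and every delegation below it is authenticated by the
DS record its parent publishes, which is exactly why the unsigned gaps the
post mentions (EDU, COM, NET) break the chain for everything beneath them.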
