May 062010



Planned High Level Timeline

  • December 1, 2009: Root zone signed for internal use by VeriSign and ICANN.  ICANN and VeriSign exercise interaction protocols for signing the ZSK with the KSK.
  • January, 2010: The first root server begins serving the signed root in the form of the DURZ (deliberately unvalidatable root zone). The DURZ contains unusable keys in place of the root KSK and ZSK to prevent these keys being used for validation.
  • Early May, 2010: All root servers are now serving the DURZ.  The effects of the larger responses from the signed root, if any, would now be encountered.
  • May and June, 2010: The deployment results are studied and a final decision to deploy DNSSEC in the root zone is made.
  • July 1, 2010: ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys – The signed root zone is available.



从今天刚刚发布的这篇文章来看–《Status Update, 2010-05-05》,实施DNSSec的兄弟们已经做好了一个实现准备好的假根Zone — Deliberately Unvalidatable Root Zone (DURZ),然后接下来的时间内观察并研究DNSSec的流量,并决定是否进一步将其推向生产环境。