Revision as of 03:09, 15 May 2023 edit Paulehoffman (talk \| contribs) 173 edits More RFC updates ← Previous edit		Revision as of 22:27, 4 October 2023 edit undo Beland (talk \| contribs) Autopatrolled, Administrators 259,155 edits →Planning: Tense Tags: Mobile edit Mobile web edit Advanced mobile edit Next edit →
Line 246: On October 6, 2009, at the 59th [[RIPE]] Conference meeting, ICANN and VeriSign announced the planned deployment timeline for deploying DNSSEC within the root zone.<ref name="conf">{{cite web \| title = DNSSEC for the Root Zone \| url=http://www.ripe.net/ripe/meetings/ripe-59/presentations/abley-dnssec-root-zone.pdf}}</ref> At the meeting it was announced that it would be incrementally deployed to one root name server a month, starting on December 1, 2009, with the final root name server serving a DNSSEC signed zone on July 1, 2010, and the root zone will be signed with a RSA/SHA256 DNSKEY.<ref name="conf"/> During the incremental roll-out period the root zone will serve a ''Deliberately Unvalidatable Root Zone'' (DURZ) that uses dummy keys, with the final DNSKEY record not being distributed until July 1, 2010.<ref name="last-puzzle-pieces">{{Cite web \| last= Hutchinson \| first= James \| title= ICANN, Verisign place last puzzle pieces in DNSSEC saga \| work= NetworkWorld \| url= http://www.networkworld.com/news/2010/050610-icann-verisign-place-last-puzzle.html?hpg1=bn \| date= 6 May 2010 \| access-date= 17 May 2010 \| archive-date= 20 December 2013 \| archive-url= https://web.archive.org/web/20131220202008/http://www.networkworld.com/news/2010/050610-icann-verisign-place-last-puzzle.html?hpg1=bn \| url-status= dead }}</ref> This means the keys that were used to sign the zone use are deliberately unverifiable; the reason for this deployment was to monitor changes in traffic patterns caused by the larger responses to queries requesting DNSSEC resource records. The [[.org]] top-level ___domain ~~has been~~was signed with DNSSEC in June 2010, followed by [[.com]], [[.net]], and [[.edu]] later in 2010 and 2011.<ref>{{cite web\|url=http://www.thetechherald.com/article.php/201010/5366/DNSSEC-to-become-standard-on-ORG-domains-by-end-of-June\|title=DNSSEC to become standard on .ORG domains by end of June\|access-date=2010-03-24\|url-status=dead\|archive-url=https://web.archive.org/web/20100315143451/http://www.thetechherald.com/article.php/201010/5366/DNSSEC-to-become-standard-on-ORG-domains-by-end-of-June\|archive-date=2010-03-15}}</ref><ref>[https://web.archive.org/web/20110404225604/http://www.theinquirer.net/inquirer/news/2039648/verisign-deploys-dnssec-com-tld The Inquirer: Verisign deploys DNSSEC on .com TLD]</ref> [[Country code top-level ___domain]]s were able to deposit keys starting in May 2010.<ref name="heise">[http://www.h-online.com/security/news/item/More-security-for-root-DNS-servers-962569.html More security for root DNS servers] Heise Online, 24 March 2010</ref> {{As of\|2011\|11}} more than 25% of top-level domains are signed with DNSSEC.<ref>[http://www.circleid.com/posts/20111130_dnssec_update_from_icann_42_in_dakar/ CircleID: DNSSEC Update from ICANN 42 in Dakar]</ref> ====Implementation====

Domain Name System Security Extensions: Difference between revisions