DNSSEC project status
This page presents the updated status of the DNSSEC project.
The project is now nearly finished, and the deployment plan is presented below.
- Status per 17 September 2014
- Deployment of DNSSEC – dates and contents
- DNSSEC in the test system
I. Status per 17 September 2014
All functionality for phase 1 and 2 is completed and has been in test in our test environment for a long time. Some of the functions have also been put in production. Corresponding technical documentation has been updated and developed, see III.
The test system for registrars has offered DNSSEC functionality since January, see IV.
The sj zone, which does not have any delegations and thus is well suited for testing of signing machinery and routines, was put into signed production in May 2014. This has been an important part of the phase 1 testing.
Full phase 1 and phase 2 DNSSEC functionality has in parallel been running in our test environment for several months.
Some final work remains on internal routines and some information material, but those tasks should be completed within the next few weeks.
The project has now come to a point where we have decided that the functionality can be deployed and put into production. See II for the deployment plan.
II. Deployment of DNSSEC – dates and contents
- 2014-11-04: Added more details, including the upgrade scheduled 2014-12-02.
- 2014-10-22: Added more details. Some minor corrections.
Deployment of DNSSEC will be performed during late autumn 2014.
The following dates are set:
14 till 21 October: Prior to phase 1 startup we will perform a site switchover from Oslo to Trondheim, where production will be running for a week. Then a switchover back to Oslo will be performed. This will be done for training purposes, and also to ensure that all required data is replicated between the sites.
Norid will start to introduce keys and DS records in our zones for internal testing. We have still not published any DS records for the no zone in the root zone, and no DNSSEC information will be included in our published zones.
21 October till 11 November: During this period, Norid will start signing the records in our zones. We have still not published any DS records for the no zone in the root zone, but DNSSEC information will be included in our zones as follows:
- 30 October: We will start publishing signed versions of the no zone as well as all the 787 sublevel zones which are also managed by Norid. The DS records for the sublevel zones will not yet be published in the no zone.
- 4 November: The DS records for the sublevel zones will be published in the no zone.
- 11 November: The DS records for the no zone will be sent to IANA for publication in the root zone. A few more days will then be needed before publication is finalized by IANA.
- 18 November: This is the assumed date when IANA should have completed publishing of the DS records for the no zone.
We are then in production with phase 1 of the project, and the zones managed by Norid are signed by DNSSEC.
A production period of 3 weeks is then defined to ensure that everything works as expected.
Given that all is working as expected, we will continue with the phase 2 startup. However, if any problems are encountered, phase 2 startup will be postponed till January 2015.
- 2 December: Upgrade of the registry system to prepare for DNSSEC phase 2.
We will do an upgrade of the system and add DNSSEC functionality. The DNSSEC functions have been running in the test system since January, and are now added to the production system.
The upgrade will result in the following DNSSEC related changes:
The EPP interface is changed to become DNSSEC capable. This will be visible in the EPP greeting message, which will contain the DNSSEC scheme ‘secdns-1.1.xsd’.
The EPP client is upgraded to become DNSSEC capable. New DNSSEC specific parameters and functions will then be available. To facilitate an easy and quick ‘go unsecure’ possibility, a new bulk delete function is available which can be used to remove all DNSSEC information for a list of delegations.
The registrar web will show a new ‘DNSSEC enabled’ parameter in the ‘Admin/Registry Access’ tab. This parameter is administered by Norid, and controls whether a registrar is allowed to administer DNSSEC data on its delegations.
The parameter will initially have the value ‘No’ for all registrars, which means that any attempts to add DNSSEC data will be rejected. Registrars who want to use DNSSEC must contact Norid and request activation of this DNSSEC parameter. All activation requests must be sent to firstname.lastname@example.org.
- 9 December: Phase 2 production start. DNSSEC in full production.
Registrars who have requested DNSSEC activation will get their registrar account DNSSEC enabled. They can then start to add DS records on delegations they want to secure.
The DNS checks which are performed by the registry system during creation and update of delegations are extended with some DNSSEC checks to ensure consistency towards the DNSSEC information found in DNS. The checks are performed when a delegation has at least one DS record, and are described in the documentation.
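The kind of DS consistency check described above, as an added example that is not Norid's registry code: it recomputes the DS that each DNSKEY in the child zone should yield and compares it with the DS a registrar submitted, rejecting the DS when no zone key matches. The owner name, the SHA-256 digest type and the sample key bytes are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, replace

# Digest types from RFC 4034 (1 = SHA-1) and RFC 4509 (2 = SHA-256).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex

def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 appendix B (not for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> DS:
    """The DS a DNSKEY should yield: digest(owner name | DNSKEY RDATA)."""
    digest = DIGEST_ALGOS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches_zone(owner: str, submitted: DS, dnskeys: list) -> bool:
    """True if the submitted DS matches a zone key in the child's DNSKEY RRset."""
    if submitted.digest_type not in DIGEST_ALGOS:
        return False  # unknown digest type cannot be verified, so reject
    wanted = replace(submitted, digest=submitted.digest.lower())  # accept uppercase hex
    for rdata in dnskeys:
        flags = int.from_bytes(rdata[:2], "big")
        if rdata[3] != wanted.algorithm or not flags & 0x0100:
            continue  # wrong algorithm, or ZONE flag (bit 7) not set
        if make_ds(owner, rdata, wanted.digest_type) == wanted:
            return True
    return False

# Constructed sample KSK (flags 257, algorithm 13); key bytes are a placeholder.
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(32)))
```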
We have updated some of the external documentation during the project. Please see documentation for a description of the changes and references to the documents.
IV. DNSSEC in the test system
No further changes are planned in the DNSSEC interfaces of the test system, and they are considered stable enough to be used by registrars.
There is no reason for registrars to wait any longer with DNSSEC adaptations in their local systems. Registrars who intend to offer DNSSEC are encouraged to make the necessary adaptations to their systems, and to test them against the test service in good time before DNSSEC phase 2 is launched into production.
Please see III for the necessary technical documentation.