{"id":4683,"date":"2010-08-03T12:04:24","date_gmt":"2010-08-03T19:04:24","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=4683"},"modified":"2020-05-06T10:31:45","modified_gmt":"2020-05-06T17:31:45","slug":"a-brief-update-on-dnssec-deployment","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/","title":{"rendered":"A Brief Update on DNSSEC Deployment"},"content":{"rendered":"<p>In the last few weeks, we passed two more important milestones in the deployment of DNSSEC: the signing of the root zone and the .edu zone. The root zone was signed July 15th, and the .edu zone was signed on August 2nd.<\/p>\n<p>The signing of the root zone was the culmination of a long, deliberate rollout process designed to ensure that the introduction of DNSSEC wouldn&#8217;t inadvertently cause resolution problems, particularly with older nameservers. The worry was that signing the root would render these older name servers unable to resolve domain names. Consequently, the rollout of the signed root zone proceeded in stages, with a signed copy of the zone pushed to only a subset of the root name servers on predetermined dates. After each date, measurements would be taken at all of the root name servers to determine whether traffic was shifting from the name servers hosting the newly signed root zone to those still serving the unsigned root. Only if the effects were deemed negligible would the rollout continue to the next group of root name servers.<\/p>\n<p>That process was completed before July 15th, but the signed copy that all the root name servers were then serving had been made deliberately unvalidate-able. To sign the root zone so that recursive name servers could validate records in it, ICANN needed to generate the root zones Key-Signing Key pair, VeriSign had to generate the Zone-Signing Key pair, and the public portion of the Zone-Signing Key needed to be signed by the private portion of the Key-Signing Key in a special key signing ceremony. (If you&#8217;re interested in an insiders view of the signing ceremony, check out <a href=\"http:\/\/www.ask-mrdns.com\/2010\/07\/episode-17\/\" target=\"_blank\" rel=\"noopener noreferrer\">this episode<\/a> of the <a href=\"http:\/\/www.ask-mrdns.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ask Mr. DNS Podcast<\/a>. My friend and co-host, Matt Larson, represented VeriSign in the ceremony.)<\/p>\n<p>Two of the next red-letter days in DNSSECs deployment are coming up over the next 12 months or so, though the exact dates aren&#8217;t known yet: VeriSign will sign the .netzone before the end of the year (I&#8217;m guessing in December), and the .com zone some time in 2011. At that point, recursive name servers will be able to validate signed responses from a substantial portion of the Internet&#8217;s namespace by working their way down from a single configured trust anchor, the root zones Key-Signing Key and you wonthave an excuse for not signing your Internet-facing zones!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the last few weeks, we passed two more important milestones in the deployment of DNSSEC: the signing of the root zone and the .edu zone. The root zone was signed July 15th, and the .edu zone was signed on August 2nd. The signing of the root zone was the culmination of a long, deliberate [&hellip;]<\/p>\n","protected":false},"author":178,"featured_media":2663,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2],"tags":[30,229,16,15],"class_list":{"0":"post-4683","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security","8":"tag-dns","9":"tag-dnssec","10":"tag-infoblox","11":"tag-security","12":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>A Brief Update on DNSSEC Deployment<\/title>\n<meta name=\"description\" content=\"In the last few weeks, we passed two more important milestones in the deployment of DNSSEC: the signing of the root zone and the .edu zone.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A Brief Update on DNSSEC Deployment\" \/>\n<meta property=\"og:description\" content=\"In the last few weeks, we passed two more important milestones in the deployment of DNSSEC: the signing of the root zone and the .edu zone.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2010-08-03T19:04:24+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-05-06T17:31:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/Youve-Been-Hacked.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"660\" \/>\n\t<meta property=\"og:image:height\" content=\"454\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Cricket Liu\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Cricket Liu\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/\"},\"author\":{\"name\":\"Cricket Liu\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/bb6b62b1b99a7cbcd7c528d5763778d5\"},\"headline\":\"A Brief Update on DNSSEC Deployment\",\"datePublished\":\"2010-08-03T19:04:24+00:00\",\"dateModified\":\"2020-05-06T17:31:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/\"},\"wordCount\":401,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/Youve-Been-Hacked.jpg\",\"keywords\":[\"DNS\",\"DNSSEC\",\"Infoblox\",\"Security\"],\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/\",\"name\":\"A Brief Update on DNSSEC Deployment\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/Youve-Been-Hacked.jpg\",\"datePublished\":\"2010-08-03T19:04:24+00:00\",\"dateModified\":\"2020-05-06T17:31:45+00:00\",\"description\":\"In the last few weeks, we passed two more important milestones in the deployment of DNSSEC: the signing of the root zone and the .edu zone.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/Youve-Been-Hacked.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/Youve-Been-Hacked.jpg\",\"width\":660,\"height\":454,\"caption\":\"You've Been Hacked: Infoblox Finds 4 out of 5 Enterprise Networks Could be Compromised, Based on DNS\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/a-brief-update-on-dnssec-deployment\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"A Brief Update on DNSSEC Deployment\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/bb6b62b1b99a7cbcd7c528d5763778d5\",\"name\":\"Cricket Liu\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/cricket-new-96x96.jpg\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/cricket-new-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/cricket-new-96x96.jpg\",\"caption\":\"Cricket Liu\"},\"description\":\"Cricket is one of the world\u2019s leading experts on the Domain Name System (DNS) and serves as the liaison between Infoblox and the DNS community. Before joining Infoblox, he founded an internet consulting and training company, Acme Byte &amp; Wire, after running the hp.com domain at Hewlett-Packard. Cricket is a prolific speaker and author, having written a number of books including \u201cDNS and BIND,\u201d one of the most widely used references in the field, now in its fifth edition.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/cricket-liu\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"A Brief Update on DNSSEC Deployment","description":"In the last few weeks, we passed two more important milestones in the deployment of DNSSEC: the signing of the root zone and the .edu zone.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/","og_locale":"en_US","og_type":"article","og_title":"A Brief Update on DNSSEC Deployment","og_description":"In the last few weeks, we passed two more important milestones in the deployment of DNSSEC: the signing of the root zone and the .edu zone.","og_url":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/","og_site_name":"Infoblox Blog","article_published_time":"2010-08-03T19:04:24+00:00","article_modified_time":"2020-05-06T17:31:45+00:00","og_image":[{"width":660,"height":454,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/Youve-Been-Hacked.jpg","type":"image\/jpeg"}],"author":"Cricket Liu","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Cricket Liu","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/"},"author":{"name":"Cricket Liu","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/bb6b62b1b99a7cbcd7c528d5763778d5"},"headline":"A Brief Update on DNSSEC Deployment","datePublished":"2010-08-03T19:04:24+00:00","dateModified":"2020-05-06T17:31:45+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/"},"wordCount":401,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/Youve-Been-Hacked.jpg","keywords":["DNS","DNSSEC","Infoblox","Security"],"articleSection":["Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/","url":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/","name":"A Brief Update on DNSSEC Deployment","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/Youve-Been-Hacked.jpg","datePublished":"2010-08-03T19:04:24+00:00","dateModified":"2020-05-06T17:31:45+00:00","description":"In the last few weeks, we passed two more important milestones in the deployment of DNSSEC: the signing of the root zone and the .edu zone.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/Youve-Been-Hacked.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/Youve-Been-Hacked.jpg","width":660,"height":454,"caption":"You've Been Hacked: Infoblox Finds 4 out of 5 Enterprise Networks Could be Compromised, Based on DNS"},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/security\/a-brief-update-on-dnssec-deployment\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/www.infoblox.com\/blog\/category\/security\/"},{"@type":"ListItem","position":3,"name":"A Brief Update on DNSSEC Deployment"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/bb6b62b1b99a7cbcd7c528d5763778d5","name":"Cricket Liu","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/cricket-new-96x96.jpg","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/cricket-new-96x96.jpg","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/cricket-new-96x96.jpg","caption":"Cricket Liu"},"description":"Cricket is one of the world\u2019s leading experts on the Domain Name System (DNS) and serves as the liaison between Infoblox and the DNS community. Before joining Infoblox, he founded an internet consulting and training company, Acme Byte &amp; Wire, after running the hp.com domain at Hewlett-Packard. Cricket is a prolific speaker and author, having written a number of books including \u201cDNS and BIND,\u201d one of the most widely used references in the field, now in its fifth edition.","url":"https:\/\/www.infoblox.com\/blog\/author\/cricket-liu\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/178"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=4683"}],"version-history":[{"count":1,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4683\/revisions"}],"predecessor-version":[{"id":4684,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/4683\/revisions\/4684"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/2663"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=4683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=4683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=4683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}