LACNIC's DNSSEC Deployment


1. Enabling validation in LACNIC's recursive DNS servers

  • a. Using lookaside validation: September 2010
  • b. Using the signed root's KSK: December 2010


2. Preparing documentation (presentations, etc.)

  • a. October - December 2010


3. Initial testing begins

  • a. December 2010


4. Direct zones are signed in test mode

  • a. December 2010
    • i. Signing of "" based on bind 9.7.3 and shell scripts
      • i.1. DS record configured for lookaside validation
    • ii. "" domain based on bind 9.6.x and shell scripts
      • ii.1. Set up of the complete validation tree installing DS records in the parent zone


5. OpenDNSSEC testing begins

  • a. June 2011


6. Reverse zones are signed in testing

  • i. The complete validation chain is set up installing DS records in and using LACNIC's rDNS management system.
  • ii. Workflow testing
    • Signed using OpenDNSSEC 1.2
    • Copies of the zone files generated by to the hidden signer
    • HS serves the zone back to ns and ns2 (operating as a hidden master, i.e. it does not appear in the zones' NSset).


7. Accepting DS records in the registration system

  • a. April 2012: Testing begins


8. Signing server goes into production

  • a. May 2012: Installation and setup begins
  • b. August 2012: Pre-production testing with OpenDNSSEC begins


9. Alternate zones (lacnog, etc.) are signed

  • a. September 2012


10. Main LACNIC domains (net, org, etc.) are signed

  • a. October 2012


11. Reverse zones are signed

  • a. October 2012


12. Processing of other RIRs' zonelets

  • a. December 2012


13. Monitoring system and zone alarms

  • a. September-October 2012