LACNIC's DNSSEC Deployment
Milestones
1. Enabling validation in LACNIC's recursive DNS servers
- a. Using lookaside validation: September 2010
- b. Using the signed root's KSK: December 2010
2. Preparing documentation (presentations, etc.)
- a. October - December 2010
3. Initial testing begins
4. Direct zones are signed in test mode
- a. December 2010
- i. Signing of "labs.lacnic.net" based on BIND 9.7.3 and shell scripts
- i.1. DS record configured for lookaside validation
- ii. Signing of "proyectoamparo.net" based on BIND 9.6.x and shell scripts
- ii.1. Setup of the complete validation tree by installing DS records in the parent zone
5. OpenDNSSEC testing begins
6. Reverse zones are signed in testing
- i. The complete validation chain is set up by installing DS records in in-addr.arpa and ip6.arpa using LACNIC's rDNS management system.
- ii. Workflow testing
- Signed using OpenDNSSEC 1.2
- Zone files generated by ns.lacnic.net are copied to the hidden signer (HS)
- The HS serves the signed zone back to ns and ns2 (operating as a hidden master, i.e. it does not appear in the zones' NSset).
7. Accepting DS records in the registration system
- a. April 2012: Testing begins
8. Signing server goes into production
- a. May 2012: Installation and setup begins
- b. August 2012: Pre-production testing with OpenDNSSEC begins
9. Alternate zones (lacnog, etc.) are signed
10. Main LACNIC domains (net, org, etc.) are signed
11. Reverse zones are signed
12. Processing of other RIRs' zonelets
13. Monitoring system and zone alarms
- a. September-October 2012