LACNIC's DNSSEC Deployment
Milestones
1. Enabling validation in LACNIC's recursive DNS servers
- a. Using lookaside validation: September 2010
- b. Using the signed root's KSK: December 2010
2. Preparing documentation (presentations, etc.)
- a. October-December 2010
3. Initial testing begins
- a. December 2010
4. Direct zones are signed in test mode
- a. December 2010
- i. Signing of "labs.lacnic.net" based on BIND 9.7.3 and shell scripts
- i.1. DS record configured for lookaside validation
- ii. Signing of the "proyectoamparo.net" domain based on BIND 9.6.x and shell scripts
- ii.1. Setup of the complete validation tree by installing DS records in the parent zone
5. OpenDNSSEC testing begins
- a. June 2011
6. Reverse zones are signed in testing
- i. The complete validation chain is set up by installing DS records in in-addr.arpa and ip6.arpa using LACNIC's rDNS management system.
- ii. Workflow testing
- Signed using OpenDNSSEC 1.2
- The zone files generated by ns.lacnic.net are copied to the hidden signer (HS)
- The HS serves the zone back to ns and ns2, operating as a hidden master (i.e. it does not appear in the zones' NS set).
7. Accepting DS records in the registration system
- a. April 2012: Testing begins
8. Signing server goes into production
- a. May 2012: Installation and setup begins
- b. August 2012: Pre-production testing with OpenDNSSEC begins
9. Alternate zones (lacnog, etc.) are signed
- a. September 2012
10. Main LACNIC domains (net, org, etc.) are signed
- a. October 2012
11. Reverse zones are signed
- a. October 2012
12. Processing of other RIRs' zonelets
- a. December 2012
13. Monitoring system and zone alarms
- a. September-October 2012