LACNIC's DNSSEC Deployment

Milestones

1. Enabling validation in LACNIC's recursive DNS servers

  • a. Using lookaside validation: September 2010
  • b. Using the signed root's KSK: December 2010

 

2. Preparing documentation (presentations, etc.)

  • a. October - December 2010

 

3. Initial testing begins

  • a. December 2010

 

4. Direct zones are signed in test mode

  • a. December 2010
    • i. Signing of "labs.lacnic.net" based on bind 9.7.3 and shell scripts
      • i.1. DS record configured for lookaside validation
    • ii. "proyectoamparo.net" domain based on bind 9.6.x and shell scripts
      • ii.1. Set up of the complete validation tree installing DS records in the parent zone

 

5. OpenDNSSEC testing begins

  • a. June 2011

 

6. Reverse zones are signed in testing

  • i. The complete validation chain is set up installing DS records in in-addr.arpa and ip6.arpa using LACNIC's rDNS management system.
  • ii. Workflow testing
    • Signed using OpenDNSSEC 1.2
    • Copies of the zone files generated by ns.lacnic.net to the hidden signer
    • HS serves the zone back to ns and ns2 (operating as a hidden master, i.e. it does not appear in the zones' NSset).

 

7. Accepting DS records in the registration system

  • a. April 2012: Testing begins

 

8. Signing server goes into production

  • a. May 2012: Installation and setup begins
  • b. August 2012: Pre-production testing with OpenDNSSEC begins

 

9. Alternate zones (lacnog, etc.) are signed

  • a. September 2012

 

10. Main LACNIC domains (net, org, etc.) are signed

  • a. October 2012

 

11. Reverse zones are signed

  • a. October 2012

 

12. Processing of other RIRs' zonelets

  • a. December 2012

 

13. Monitoring system and zone alarms

  • a. September-October 2012