Public DENIC mailinglist

[DENIC Presse <presse AT denic.de>]

Dear Sir or Madam,

As already announced in February, productive operation of DNSSEC will 
start in the .de zone on 31 May 2011. We would like to point out a few 
things in this context and explain where you can find additional 
information. 

At the start of 2010, the DNSSEC testbed was configured appropriately to 
principally enable the recording of key material for Second Level Domains 
in the registration database of DENIC. For quite some time it has thus 
been possible for you to record such material through an administering 
provider (registrar) for your signed Second Level Domain. Up to now the 
corresponding data was displayed only in responses from the public 
information services (whois, web-based domain queries). In the DNS itself 
it was published exclusively via the separate testbed infrastructure. As 
from 31 May these so-called DS records will be published in the then 
signed DE zone and thus also be visible outside of the testbed 
infrastructure.

DNSSEC will remain optional even after 31 May. This means you are not 
obliged to sign delegated domains or record keys for these domains in the 
database. The so-called "nsentry" domains - their records being stored and 
being authoritative directly in the .de zone - will be recorded 
automatically by DNSSEC and provided with the corresponding signatures. 
This procedure currently is and will remain effective in the testbed 

It will take a few days after 31 May before validation of .de domains will 
be possible. This is because new, official DS records for the .de zone 
must be stored and activated in the root zone to enable problem-free 
operation. However, to do this, the keys must first be visible and 
effective in the .de zone. Please note that - contrary to the situation in 
the DNSSEC testbed - there is no need to configure a separate trust anchor 
in addition to the one used for the root zone nor is it recommended! 
Detailed information about validation will be made available soon.

The introduction of DNSSEC in the .de zone will follow the DURZ procedure 
applied for the root zone. The DUdeZ (deliberately unvalidatable DE zone) 
will be equipped with DS records based on the Key Signing Keys (KSKs) 
stored in the registration system and will also be fully signed in all 
other respects. However, the DNSKEY-RRs for .de will be replaced by 
DNSKEY-RRs with identical key tags which explicitly reject validation. 
Step by step, we will provide all 16 DENIC name server locations with 
these data. The precise up-to-date status during the launch phase will be 
shown on our website at http://www.denic.de/dnssec. Here, you will also 
find further information about DNSSEC.

In preparation of the DNSSEC rollout we will publish DS records of Key 
Signing Keys of Second Level Domains then recorded in the unsigned .de 
zone during a transition period and later within the DUdeZ. We will do 
this for reasons of internal consistency of procedures. Currently affected 
are the participants of the DNSSEC testbed. As long as they are not signed 
the DS records are not of any use for validation. However, they do no harm 
either since today's validating resolvers will only query DS records if 
they expect the query to be successful. But a .de zone still categorized 
as unsigned in the root zone renders success impossible.

The introduction of DNSSEC on 31 May will occur exclusively for the Top 
Level Domain .de. Signing of 9.4.E164.ARPA is not currently planned and no 
recording of key material for ENUM domains is intended.

Best regards

Beate Schulz
Public Relations
-- 

DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY

E-Mail: presse AT denic.de
Fon: +49 69 27235-274 
Fax: +49 69 27235-235
http://www.denic.de

Angaben nach § 25a Absatz 1 GenG:
DENIC eG (Sitz: Frankfurt am Main)
Vorstand: Sabine Dolderer, Helga Krüger, Carsten Schiefner, Dr. Jörg 
Schweiger 
Vorsitzender des Aufsichtsrats: Elmar Knipp
Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht 
Frankfurt am Main