Skip to Content.
Sympa Menu

public-l - [DENICpublic-l] Deployment of DNSSEC in the productive zone

public-l AT

Subject: Public DENIC mailinglist

List archive

[DENICpublic-l] Deployment of DNSSEC in the productive zone

Chronological Thread 
  • From: DENIC Presse <presse AT>
  • To: Public-L <public-l AT>
  • Subject: [DENICpublic-l] Deployment of DNSSEC in the productive zone
  • Date: Wed, 18 May 2011 11:21:58 +0200
  • List-id: public-l <>

Dear Sir or Madam,

As already announced in February, productive operation of DNSSEC will
start in the .de zone on 31 May 2011. We would like to point out a few
things in this context and explain where you can find additional

At the start of 2010, the DNSSEC testbed was configured appropriately to
principally enable the recording of key material for Second Level Domains
in the registration database of DENIC. For quite some time it has thus
been possible for you to record such material through an administering
provider (registrar) for your signed Second Level Domain. Up to now the
corresponding data was displayed only in responses from the public
information services (whois, web-based domain queries). In the DNS itself
it was published exclusively via the separate testbed infrastructure. As
from 31 May these so-called DS records will be published in the then
signed DE zone and thus also be visible outside of the testbed

DNSSEC will remain optional even after 31 May. This means you are not
obliged to sign delegated domains or record keys for these domains in the
database. The so-called "nsentry" domains - their records being stored and
being authoritative directly in the .de zone - will be recorded
automatically by DNSSEC and provided with the corresponding signatures.
This procedure currently is and will remain effective in the testbed

It will take a few days after 31 May before validation of .de domains will
be possible. This is because new, official DS records for the .de zone
must be stored and activated in the root zone to enable problem-free
operation. However, to do this, the keys must first be visible and
effective in the .de zone. Please note that - contrary to the situation in
the DNSSEC testbed - there is no need to configure a separate trust anchor
in addition to the one used for the root zone nor is it recommended!
Detailed information about validation will be made available soon.

The introduction of DNSSEC in the .de zone will follow the DURZ procedure
applied for the root zone. The DUdeZ (deliberately unvalidatable DE zone)
will be equipped with DS records based on the Key Signing Keys (KSKs)
stored in the registration system and will also be fully signed in all
other respects. However, the DNSKEY-RRs for .de will be replaced by
DNSKEY-RRs with identical key tags which explicitly reject validation.
Step by step, we will provide all 16 DENIC name server locations with
these data. The precise up-to-date status during the launch phase will be
shown on our website at Here, you will also
find further information about DNSSEC.

In preparation of the DNSSEC rollout we will publish DS records of Key
Signing Keys of Second Level Domains then recorded in the unsigned .de
zone during a transition period and later within the DUdeZ. We will do
this for reasons of internal consistency of procedures. Currently affected
are the participants of the DNSSEC testbed. As long as they are not signed
the DS records are not of any use for validation. However, they do no harm
either since today's validating resolvers will only query DS records if
they expect the query to be successful. But a .de zone still categorized
as unsigned in the root zone renders success impossible.

The introduction of DNSSEC on 31 May will occur exclusively for the Top
Level Domain .de. Signing of 9.4.E164.ARPA is not currently planned and no
recording of key material for ENUM domains is intended.

Best regards

Beate Schulz
Public Relations

Kaiserstraße 75-77
60329 Frankfurt am Main

E-Mail: presse AT
Fon: +49 69 27235-274
Fax: +49 69 27235-235

Angaben nach § 25a Absatz 1 GenG:
DENIC eG (Sitz: Frankfurt am Main)
Vorstand: Sabine Dolderer, Helga Krüger, Carsten Schiefner, Dr. Jörg
Vorsitzender des Aufsichtsrats: Elmar Knipp
Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht
Frankfurt am Main

  • [DENICpublic-l] Deployment of DNSSEC in the productive zone, DENIC Presse, 05/18/2011

Archive powered by MHonArc 2.6.19.

Top of Page