Motivation, focus, goals and ... results!

Deliberately Invalidatable Root Zone

Posted: January 29th, 2010 | Author: LGForsberg | Filed under: Work

A few days ago we saw something that has not happened before. One of the root-servers of the Internet was DNSSEC-enabled, signed, secured... or was it? No, it was not really secured, was it? Nope! BUT! The DNSSEC-enabled part of it is true, or at least a little bit of it.

One of the root-server instances, the L-root, had its copy of the root-zone signed. However, for now, the public key distributed is obviously broken and unusable (thanks Patrik!).

I for one think the DNSKEY record is cute!

IN  DNSKEY  257  3  8 (
AwEAAa8Zp+++++THIS/IS/IN/AN/INVALID/
KEY/AND/CANNOT/BE/USED/FOR/VALIDATIO
N/PLEASE/CONTACT/ROOTSIGN/AT/ICANN/D
OT/ORG/FOR/MORE/INFORMATION+++++++++
++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++8=
);

The “system” is called DURZ (Deliberately Invalidatable Root Zone) and the plan is to put it to use in all of the root-server instances before moving on in the implementation of DNSSEC for the root-zone.

Why? Well, first and foremost DURZ is for testing purposes. While the signed root-zone is not yet considered “in production”, DURZ prohibits its use as a trust anchor for validation. During this period, testing will, for example, give measurements of how the signed root-zone (larger response sizes etc.) affects whoever uses it.
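As an added illustration (not part of the original post and not ICANN's tooling), here is a pre-flight check that refuses to install a DURZ-style placeholder as a trust anchor: it parses the DNSKEY RDATA, reads the RSA layout per RFC 3110, computes the RFC 4034 key tag, and flags key material that is visibly not random. The function names, the two heuristics and the regenerated "+" filler in the sample record are assumptions of this example.

```python
import base64
import re

# Constructed sample modeled on the DNSKEY quoted in the post; the "+" filler
# is regenerated here so the blob decodes to a 2048-bit RSA key (assumption).
_HEAD = ("AwEAAa8Zp+++++THIS/IS/IN/AN/INVALID/KEY/AND/CANNOT/BE/USED/FOR/"
         "VALIDATION/PLEASE/CONTACT/ROOTSIGN/AT/ICANN/DOT/ORG/FOR/MORE/INFORMATION")
SAMPLE_RDATA = "257 3 8 ( " + (_HEAD + "+" * 300)[:346] + "8= )"

def parse_dnskey(rdata):
    """Split one-line DNSKEY presentation RDATA into its RFC 4034 fields."""
    text = rdata.split(";")[0]                      # drop a trailing comment
    tokens = text.replace("(", " ").replace(")", " ").split()
    flags, protocol, algorithm = (int(t) for t in tokens[:3])
    b64 = "".join(tokens[3:])
    return flags, protocol, algorithm, b64, base64.b64decode(b64, validate=True)

def rsa_modulus_bits(key):
    """RFC 3110 layout: exponent length (1 or 3 octets), exponent, modulus."""
    if key[0]:
        exp_len, offset = key[0], 1
    else:
        exp_len, offset = int.from_bytes(key[1:3], "big"), 3
    return int.from_bytes(key[offset + exp_len:], "big").bit_length()

def key_tag(flags, protocol, algorithm, key):
    """Key tag over the wire-format RDATA (RFC 4034, Appendix B)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def placeholder_reasons(b64):
    """Heuristics (assumptions of this example) for non-random key material."""
    reasons = []
    if re.search(r"(.)\1{15,}", b64):
        reasons.append("long run of one base64 character")
    if re.search(r"(?:[A-Z]{2,}/){3,}", b64):
        reasons.append("readable words in key material")
    return reasons

def vet_trust_anchor(rdata):
    """Return (ok, details); ok is False if the key must not be installed."""
    flags, protocol, algorithm, b64, key = parse_dnskey(rdata)
    reasons = placeholder_reasons(b64)
    if not flags & 0x0001:
        reasons.append("SEP bit not set (not a KSK)")
    bits = rsa_modulus_bits(key) if algorithm in (5, 7, 8, 10) else None
    return not reasons, {"key_tag": key_tag(flags, protocol, algorithm, key),
                         "rsa_bits": bits, "reasons": reasons}
```

Run against the sample, the record parses as a well-formed 2048-bit RSA/SHA-256 KSK, which is why a structural check alone would accept it; only the content heuristics reject it.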

The implementation of DURZ will span all of the root-server instances and is planned to be done in May this year. A schedule has been posted on the Root DNSSEC site. Do I think they will stick to it? Why, of course not... How fun would that be?

M: 2010-03-03 0400-0600
I: 2010-03-03 1500-1800
D: 2010-03-24 1400-1500
K: 2010-03-24 1500-1700
E: 2010-03-24 1800-2000
H: 2010-04-14 1400-1500
C: 2010-04-14 1500-1700
G: 2010-04-14 1700-1900
B: 2010-04-14 1900-2100
F: 2010-04-14 2100-0000
J: 2010-05-05 1700-1900

All times are in UTC.

When all the root-servers are serving the DURZ I expect that a period of statistics and measurements will commence, the goal being to pinpoint any side effects from the fact that the root-zone is signed, bloated and, well, let's just call it pregnant with what may be the savior of DNS.

This sounds like a great start for a fantasy novel but all that is just the means to an end...

The implementation of DNSSEC for the root-zone has been a hot potato for the last two or ten years. It has been predicted to be the deliverance of DNSSEC, the single event that puts all the pieces in place. Will it be? Well, I say we just wait and see.

If you want to know more about the implementation of DNSSEC in the root-zone, head over to Root DNSSEC!

Regards,

LG


New year, Fresh start!

Posted: January 1st, 2010 | Author: LGForsberg | Filed under: SliceOfLife

So, we have a new year! This does happen once in a while or so, but this time it means more than usual. 2009 was a good year with lots of cool projects and quite a few big happenings for me. However, I think that 2010 will be ever more spectacular.

M O R E T O C O M E

Yesterday evening was spent with friends eating a nice dinner, playing some social games and talking about the year that had passed. At the strike of twelve the usual pyromaniacs of the group (yes, I'm guilty) went out to spend a few minutes burning half a pay check of fireworks into the sky while the rest enjoyed a sparkling wine.

These traditions seem to never change and I have thought about how important they really are. Last year I spent Christmas on a sunny island and to be honest it was not the same when I think back. Not bad in any way but it felt like I had missed something. I will most likely travel during Christmas on more occasions than one in the future but I think that I need to keep at least one year in between, at home, with the family just to keep the spirit intact.

Happy New Year!

Regards,

LG