DITL 2009 Data: Query rates to TLDs with wildcards

Last week someone asked me if the DITL 2009 data could shed any light on the amount of queries sent to TLDs with wildcards. While we do have data from a few TLD operators, it wouldn't really help to answer this question. However, I think we can get a "first-order approximation" by looking at the queries to root nameservers. Note that by looking at queries to the roots, we have no knowledge of client queries that are cache hits and those that are sent to the TLD nameservers due to cached referrals.

Signed Root Zone Rollout and Schedule Announced

Here at the RIPE 59 meeting in Lisbon, Joe Abley from ICANN and Matt Larson from VeriSign announced a plan and schedule for signing the Root Zone. A number of interesting tidbits:
  1. The root zone will technically be signed by December 1, 2009 although ICANN and VeriSign will keep it to themselves for internal testing.
  2. Between January and July 2010, the root servers will begin serving the signed zone one "letter" (server) at a time.
  3. Also during this rollout period, actual DNSSEC keys will be replaced with "dummy" keys so that validation CANNOT occur.

.ORG now signed with DNSSEC

Today PIR and Afilias jointly announced that the .ORG zone is now signed with DNSSEC. Like .GOV, .ORG is also using the NSEC3 algorithm, which means that versions of BIND prior to 9.6.0 will have problems securely resolving names under .ORG. As Ram Mohan of Afilias noted in his message to the dnssec-deployment list, there are still significant hurdles in getting the actual registrations signed. Not many registrars accept DS records from customers yet.