Here at the RIPE 59 meeting in Lisbon, Joe Abley from ICANN and Matt Larson from VeriSign announced a plan and schedule for signing the Root Zone. A number of interesting tidbits:

1. The root zone will technically be signed by December 1, 2009 although ICANN and VeriSign will keep it to themselves for internal testing.
2. Between January and July 2010, the root servers will begin serving the signed zone one "letter" (server) at a time.
3. Also during this rollout period, actual DNSSEC keys will be replaced with "dummy" keys so that validation CANNOT occur.

Earlier this year, ICANN contracted with DNS-OARC to study the impacts of potential changes facing the DNS root zone. These changes include: (1) a significant increase in the number of gTLDs, (2) signing the zone with DNSSEC, and (3) continued increase in IPv6 glue.

I was recently asked if OARC had any data on the percentage of DNS queries with bad or disabled UDP checksums.

Over on the IETF namedroppers mailing list there is a discussion about DNSSEC and UDP fragmentation. See this thread, for example. Since the OARC Reply Size Test has been going for a couple of months now, I thought maybe it would have enough data for a decent analysis.

A couple weeks ago I gave a lightning talk at NANOG46 titled DNSSEC, EDNS and TCP using data from before and after the .ORG zone became signed.

Today PIR and Afilias jointly announced that the .ORG zone is now signed with DNSSEC. Like .GOV, .ORG is also using the NSEC3 algorithm, which means that versions of BIND prior to 9.6.0 will have problems securely resolving names under .ORG. As Ram Mohan of Afilias noted in his message to the dnssec-deployment list, there are still significant hurdles in getting the actual registrations signed. Not many registrars accept DS records from customers yet.

A Day in the Life of the Internet is a large-scale data collection project undertaken by CAIDA and OARC every year since 2006. This year, the DITL collection will take place in late March took place March 30-April 1, 2009. If you would like to participate by collecting and contributing DNS packet captures, please subscribe to the DITL mailing list.

Participation Requirements

There are no strict participation requirements.

ICANN announced the IANA Interim Trust Anchor Repository as a not-quite-yet-production service today. The ITAR is useful to people running validating resolvers until the root zone gets signed. It currently includes trust anchors for three ccTLDs (BR, CZ, SE) and the eleven experimental IDN TLDs operated by ICANN. IANA's policy is to only publish DS records in the ITAR. BIND users won't be able to import the ITAR anchors file directly since BIND currently takes only DNSKEY's as trust anchors.

OARC is coordinating collection of DNS packet captures to assist researchers and security groups increase our understanding of some recent DDoS attacks (against ISPrime in particular). We'd like your help. You can help out by running the following shell script on nameservers that are receiving spoofed queries:

#!/bin/sh
#
# tcpdump-to-oarc.sh
#
# This script captures DNS packets related to an ongoing
# DDoS attack and uploads them to DNS-OARC.  Current
# version can be found at https://www.dns-oarc.net/node/171

# You can set FROM to whatever you like.