Here at the RIPE 59 meeting in Lisbon, Joe Abley from ICANN and Matt Larson from VeriSign announced a plan and schedule for signing the Root Zone. A number of interesting tidbits:
  1. The root zone will technically be signed by December 1, 2009 although ICANN and VeriSign will keep it to themselves for internal testing.
  2. Between January and July 2010, the root servers will begin serving the signed zone one "letter" (server) at a time.
  3. Also during this rollout period, actual DNSSEC keys will be replaced with "dummy" keys so that validation CANNOT occur. In other words, the public components of the signing keys will not be published, which makes it impossible to configure a trust anchor for the root zone.
  4. During the rollout period, the traffic on both signed and unsigned roots will be monitored for impacts and effects.
  5. By July 1, 2010 the KSK will be rolled and published to achieve a fully signed root zone.
The RIPE presentation contains additional details such as key sizes, algorithms and rolling intervals.