[Dnssec-deployment] dnssec deployment for ccTLD
york at isoc.org
Tue May 8 09:59:05 EDT 2012
In addition to all the excellent references Phil just mentioned, you may want to look at the detailed DNSSEC deployment document from SURFnet:
We also have a range of DNSSEC tutorials and resources at Deploy360:
The DNSSEC HOWTO from NLNet Labs may be of use to you:
And the Internet2 DNSSEC SIG also has a page up listing many resources:
On your specific request about a step-by-step tutorial for a ccTLD, that's one of the documents I've identified that I'd like to see us add to the tutorials at Deploy360. If you are interested in being part of creating such a tutorial, I'd be interested to work with you as you move through the process to document the steps you are taking. Please drop me an email directly if you are interested.
As Phil noted, one way to learn may be to look at what other TLDs many of them have posted "DNSSEC Policy & Practice Statements" (DPS). The folks at .SE have one up at:
and the .NL DPS is at:
Many others can be found out there.
P.S. If anyone else is aware of a specific step-by-step tutorial for a TLD, I, too, would love to hear about it.
Senior Content Strategist, Internet Society
york at isoc.org +1-802-735-1624
Jabber: york at jabber.isoc.org
Skype: danyork http://twitter.com/danyork
On May 8, 2012, at 6:09 AM, Phil Regnauld wrote:
> shidiq (shidiq) writes:
>> Hi All,
>> where i can get information (step by step, requirements etc) from
>> deployment dnssec for ccTLD.
> Hello Shidiq,
> Would you have more details about what you're trying to achieve ? There
> are a few aspects to consider.
> Signing the zone for a ccTLD is no different technically from
> signing any other top-level zone, or any DNS zone for that matter.
> It will differ mainly in the type of data you are signing: top level
> and ccTLD zones typically contain many NS records (so called delegation
> centric zones) and very little "data" to speak off (A, CNAME, MX, ...).
> Also, as a ccTLD or top level zone, delegation holders must be able
> to submit Delegation Signer records (hashes of their public key signing
> keys) for inclusion into the zone.
> There are several good guides out there to getting started with DNSSEC:
> ... and (plug!) you may want to check out the recent DNS/DNSSEC deployment
> workshop we (NSRC) ran at MENOG 10 in Dubai last month.
> This includes guides for signing with both BIND and OpenDNSSEC, and
> some rather useful presentations by Rick Lamb from ICANN on key
> management and ceremonies.
> Also, the FCC has recently published a DNSSEC deployment guide for
> Requirements vary, but it also depends on what your policy is. You may
> want to start looking at what other countries such as .NZ have been doing
> Don't hesitate to write back here, as I'm sure the awesome folks on this list
> can help you with your questions!
> Phil Regnauld
> Network Startup Resource Center
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Dnssec-deployment