Welcome to ICANN DNS Operations Website
DNS Operations team is responsible for the operations of L-ROOT , one of the thirteen root name servers, DNSSEC Infrastructure for ICANN Managed domains and TLD's, DNSSEC Signing of the ROOT (KSK Portion) , and ccTLD housing.
:: Operational Advisory ::
As part of the root DNSSEC deployment project, ICANN and VeriSign are participating in a staged roll-out of a deliberately unvalidatable root zone (DURZ), which is a signed root zone with the actual keys replaced with obviously invalid ones. L-root, operated by ICANN, was the first root server to begin serving the DURZ on January 27, 2010.
On February 8, VeriSign upgraded a component of the system that signs, validates and publishes the signed root zone. As part of the upgrade process, a configuration issue caused the signed root without the invalidated keys to be sent to VeriSign's distribution master servers instead of the DURZ. L-root published root zone serial number 20100900, the first zone without invalidated keys, at approximately 0825 UTC on February 9. The publication of this version of the signed root was brought to VeriSign's and ICANN's attention at approximately 1425 UTC on February 10. VeriSign addressed the configuration issue and made root zone serial 20101001 available. L-root published this root zone (once again the DURZ with keys invalidated) at approximately 1640 UTC on February 10.
VeriSign has taken steps to ensure that this situation does not occur again: the root zone is verified to have invalid keys immediately prior to publication to the distribution masters. ICANN has begun monitoring the version of root zone (unsigned, signed or DURZ) present at all distribution servers and all root servers and alerting ICANN DNS operational staff whenever there is a change.
It is important to note that the temporary publication of the root zone without invalid keys did not affect DNS resolution using the root zone in any way. The temporarily visible keys should not be configured as trust anchors: validation would fail because the DURZ is now back in place. The keys should also not be retained because they will be changed, as previously planned, before before the root zone becomes validatable as tentatively planned on July 1, 2010.
Please direct any questions or concerns to the root DNSSEC design team's feedback mailing list, rootsign@icann.org
More information about the root DNSSEC deployment is available at the project web site, http://www.root-dnssec.org
On behalf of the root DNSSEC design team,
Brad Verd, Director, Operations, Global Infrastructure Services, VeriSign
Joe Abley, Director, DNS Operations, ICANN
|
| |
:: Current Maintenance & Outages ::
All Systems are operating normal 
|
:: Past Maintenance & Outages ::
|
|
|
|
|
Public Affect |
Additional Info |
20100227 |
2100-2330 |
L-Root |
MIA |
Yes |
Router Software Upgrade |
20100131 |
1000-2100 |
L-Root |
LAX , PRG |
Yes |
IPv6 Service interruption |
|
|
|
|
|
|
© 2010 The Internet Corporation For Assigned Names and Numbers
|
|
|
|
|
News |
20100127: L-ROOT Starts to serve DURZ.
|
20091212: DNS Ops East Coast network is now live.
20091029: DNS Ops West Coast network renumbered.
|
20091015: L-Root Global Node goes live in Prague, CZ.
|
20090821: L-Root upgrades
NOTA connection to 10Gbps
|
20090801: L-Root upgrades Equinix LAX exchange connection to 10Gbps
|
| |
Contact |
|
|
|
