DNSPod about the CANN massive deployment of DNSSEC

according to DNSPOD’s observation, ICANN has successfully deployed the DNSSEC to 13 root DNS servers. The deployment of the tension, the unexpected, ICANN does not have enough prior notice, perhaps the reason behind there will be more deep. It is understood that before 2003, the production of network equipment, there are many do not support DNSSEC, which means that a large number of operators need to upgrade their network equipment. For too late to upgrade the network equipment operators, users may not cause them to resolve a domain name, or even because it can not resolve the domain name caused by some small DNS request storm. So in the next few days, there may be some areas of the user’s DNS is not normal, often parsing fails, and even unable to resolve. But this situation will gradually solve the problem as operators upgrade their devices.

DNSPOD in order to deal with the incident, increased support for DNSSEC, but this does not mean that the user will not appear in the case of DNSPOD parsing failure. Because even if the DNSPOD parsing is normal, it is also possible that the operator does not support the DNSSEC device because of the failure analysis. So the problem ultimately depends on operators to solve.

according to the schedule of ICANN, the large-scale deployment of on-line DNSSEC support, the use of encrypted KEY is only used to test, can not be used as a validation of the legitimacy of the DNSSEC. In other words, we are all mice. Can be used to encrypt the KEY, will be deployed in July on-line.

although the deployment of DNSSEC on the line, but there is still a long way from the domain hijacking hijacking. Because the official KEY on the line, the domain name owners need to generate their own domain name KEY, and go to the DNS server above the deployment, the domain name is not the owner of such a complex thing. But in the future DNSPOD may help you get these things done.

attached: ICANN DNSSEC deployment schedule

cited content:

December 1, 2009: Root signed internal use VeriSign ICANN. ICANN and VeriSign interaction protocols for signing the exercise ZSK with the for zone KSK.


January, 2010: The root begins serving signed in the form of the DURZ (delibera>) server the (first)