.com/.net DNSSEC operational message

VeriSign is in the process of deploying DNSSEC in the .net and .com
zones. This message contains operational information related to the
.net DNSSEC deployment that might be of interest to the Internet
operational community.

The .net DNSSEC deployment is underway.

On September 25, 2010, the .net registry system was upgraded to allow
ICANN-accredited registrars to submit DS records for domains under

On October 29, 2010, a deliberately unvalidatable .net zone began to
be published. (This zone was a signed version of the .net zone with
the key material deliberately obscured so that it could not be used
for validation.)

VeriSign recently began incrementally "unblinding" the .net zone: one
at a time, each authoritative server for .net was changed from serving
the unvalidatable .net zone to the signed .net zone with the official
keys unobscured.

As of approximately 2100 UTC on December 7, all authoritative servers
for .net were serving the signed .net zone with the actual, unobscured
production keys.

The final step in DNSSEC deployment in .net will be publishing its DS
record in the root zone, which is currently scheduled for December 9,

If you have any questions or comments, please send email to
info@verisign-grs.com or reply to this message.