DNSSEC Deployment in ARPA Children


ICANN plans to begin a test deployment of DNSSEC in various zones starting on 2010-04-29:


These zones will be signed using RSASHA256 and NSEC with 2048-bit KSKs and 1024-bit ZSKs.

Given DNSSEC deployment experience to date, ICANN does not expect the signing of these zones to cause any operational problems. However, should you have any concerns please feel free to contact us at ticket@dns.icann.org or phone +1 310 301 5810 (e-mail/ticket preferred).

At the end of the test period, given no observed or reported harmful effects, ICANN will arrange for trust anchors for these zones to be included in ARPA as DS RRSets and will invite the five RIRs to submit DS RRSet add/delete requests in IP6.ARPA when they are ready. We anticipate the testing period to last at least two weeks.


Joe Abley
Director DNS Operations, ICANN

The maintenance is complete, all of the zones are now DNSSEC signed.

We expect to include trust anchors for these zones following a testing period of around two weeks, given no observed or reported harmful effects.

If you observe any issues, or have any concerns please let us know at <ticket@dns.icann.org>.

Kind regards,

Dave Knight
Senior DNS Engineer, ICANN