[dnssec-coord] Thoughts on when to designate a newgTLD as "Operational" in DNSSEC deployment maps?

Steve Crocker steve at shinkuro.com
Fri Apr 25 05:32:50 PDT 2014


This is a wonderful example, in at least two ways, of the difference between theory and practice.  Or perhaps trust but verify. Or both.

Yes, in theory once a new gTLD goes into operation, it should have DNSSEC fully operational.  DS-in-the-root is observable but whether they are accepting registrations is not.  I made a practice of asking each operator, but that's labor intensive and I think Dan would like an automated method of checking.

We don't currently know whether the ICANN staff checks for full implementation of DNSSEC before they authorize delegation.  We could ask what their actual procedure is.


Sent from my iPhone

> On Apr 25, 2014, at 7:20 AM, "Marco Davids (SIDN)" <marco.davids at sidn.nl> wrote:
>> On 15-04-14 22:05, Dan York wrote:
>> I have a question upon which I'd love your advice/feedback.  In the
>> DNSSEC Deployment Maps[1] that we distribute weekly we do include the
>> current status of all the newgTLDs.
>> So far I have just
>> indicated when they have a "DS in Root"
>> The question is how to know when to move them to "Operational" status
>> meaning that they are accepting signed delegations from
>> registrars/registrants.
> Let me see if I get this right...
> DNSSEC is an ICANN requirement for new gTLD's, correct?
> The applicant guidebook, specification 6, section 1.3 states:
> "Registry Operator shall accept public-key material from child domain
> names in a secure manner according to industry best practices."
> How can a new gTLD become operational without DNSSEC being operational
> at the same time?
> Regards,
> -- 
> Marco
> _______________________________________________
> dnssec-coord mailing list
> dnssec-coord at elists.isoc.org
> https://elists.isoc.org/mailman/listinfo/dnssec-coord

More information about the dnssec-coord mailing list