[dnssec-coord] Thoughts on when to designate a newgTLD as "Operational" in DNSSEC deployment maps?

Dan York york at isoc.org
Mon Apr 28 09:56:49 PDT 2014

Marco and Steve,

On Apr 25, 2014, at 8:32 AM, Steve Crocker <steve at shinkuro.com> wrote:

> Yes, in theory once a new gTLD goes into operation, it should have DNSSEC fully operational.

Yes, exactly.

> DS-in-the-root is observable but whether they are accepting registrations is not.  I made a practice of asking each operator, but that's labor intensive and I think Dan would like an automated method of checking.

Exactly.  If you look at a site such as https://rick.eng.br/dnssecstat/ there were 25 newgTLDs that entered the "DS in Root" state just last week... and that's a fairly normal kind of week.

Adding a bit more complexity is the fact that each of the newgTLDs has its own schedule for when it is going to be "Generally Available" depending upon how many other steps (Sunrise, Landrush, EAP, etc.) the newgTLD operator is going to undertake.  There *are* sites tracking this schedule, such as:


but even that doesn't really tell me when a domain is "Operational" in our terms.  I mean, it's conceivable that a domain in the Sunrise period could be "operational" in that they are accepting DS records from registrants.

I can look at http://ntldstats.com/tld to see how many signed domains a newgTLD has... but what number do I choose to indicate "operational"?  I had been thinking that only seeing "1" was probably just a test domain and was not necessarily an indicator of operational status.  However, last week I went and registered a newgtld just for some testing.  When I looked on ntldstats.com, the particular newgtld had "0" signed domains... so not even any test or NIC domains.  I of course signed my new domain and when I looked the next day on ntldstats.com the count now said "1".  So that particular newgtld *is* fully "Operational" because I know for a fact that it works... even if it shows that only 1 domain has a DS record in that TLD.

I just don't personally have the cycles to spend on tracking down all of this for each of the various newgTLDs coming out....  nor do I want to go around registering test domains in the newgTLDs... so yes, I'm looking for some automated way to help with this.  :-)

> We don't currently know whether the ICANN staff checks for full implementation of DNSSEC before they authorize delegation.  We could ask what their actual procedure is.

Interesting point.  We know they check that the newgTLD is signed, etc., but you're right that we don't know if they check whether the newgTLD is ready to accept DS records from registrants.  Would be good to ask.


Dan York
Senior Content Strategist, Internet Society
york at isoc.org   +1-802-735-1624
Jabber: york at jabber.isoc.org
Skype: danyork   http://twitter.com/danyork

