We are in the process of deploying DNSSEC, the DNS Security Extensions, on the Debian zones. This means properly configured resolvers will be able to verify the authenticity of information they receive from the domain name system.
The plan is to introduce DNSSEC in several steps so that we can react to issues that arise without breaking everything at once.
We will start with serving signed debian.com zones. Assuming nobody complains loudly enough the various reverse zones and finally the debian.org zone will follow. Once all our zones are signed we will publish our trust anchors in ISC's DLV Registry, again in
The various child zones that are handled differently from our normal
will follow at a later date.
We are using bind 9.6 for NSEC3 support and our fork of RIPE's DNSSEC Key Management Tools for managing our keys because we believe that it integrates nicely with our existing DNS helper scripts, at least until something better becomes available.
We will use NSEC3RSASHA1 with key sizes of 1536 bits for the KSK and 1152 bits for the ZSK. Signature validity period will most likely be four weeks, with a one week signature publication period (cf. RFC4641: DNSSEC Operational Practices).
Zone key rollovers will happen regularly and will not be announced in any specific way. Key signing key rollovers will probably be announced on the debian-infrastructure-announce list until such time as our zones are reachable from a signed root. KSK rollovers for our own child zones (www.d.o et al.), once signed, will not be announced because we can just put proper DS records in the respective parent zone.
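As an added illustration of why a KSK rollover in a child zone needs no announcement once the parent publishes a DS record, the following Python (not part of this announcement or of Debian's DNSSEC tooling) builds the DS record a parent would publish for a child's DNSKEY and checks a DS against a DNSKEY the way a validator does; the owner name, flags and key bytes are constructed sample values, and the public key is a dummy byte string, not a real RSA key.

```python
import hashlib
import struct

# Constructed sample DNSKEY; the public key bytes are a dummy stand-in in
# RFC 3110 layout (exponent length, exponent, modulus), not real key material.
SAMPLE_OWNER = "Debian.ORG."   # mixed case on purpose: DS hashes the canonical (lowercase) name
SAMPLE_FLAGS = 257             # 256 = ZSK; 257 = zone key with SEP bit, i.e. a KSK
SAMPLE_ALG = 7                 # RSASHA1-NSEC3-SHA1, the "NSEC3RSASHA1" named in the announcement
SAMPLE_PUBKEY = b"\x03\x01\x00\x01" + bytes(range(1, 17))

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def canonical_name(name):
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5, #1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, algorithm, pubkey, digest_type=2):
    """DS record the parent publishes for this DNSKEY, as (key tag, algorithm, digest type, hex digest)."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = DIGESTS[digest_type](canonical_name(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches_dnskey(ds, owner, flags, algorithm, pubkey):
    """True if the DS from the parent is a correct delegation signer for this child DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False   # unsupported digest type: a validator cannot use this DS
    return (tag, alg, dtype, digest.lower()) == make_ds(owner, flags, algorithm, pubkey, dtype)

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_ALG, SAMPLE_PUBKEY)
    print("debian.org. IN DS %d %d %d %s" % ds)
```

After a child KSK rollover, a validator only needs the parent's DS set to contain a record for which ds_matches_dnskey is true for the new key; the old DS can be withdrawn once the old key is gone.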
Until we announce the first set of trust anchors on the mailing list the key sets present in DNS should be considered experimental. They can be changed at any time, without observing standard rollover practices.
Please direct questions or comments to either the debian-admin or, if you want a more public forum, the debian-project list at lists.debian.org.
-- Peter Palfrader