Now that the root zone has been officially signed, what happens with ISC’s DNSSEC Look-aside Validation Registry? The short answer is, it gets smaller, but does not go away, at least not today.
While having the root signed is a critically important step in the DNSSEC deployment effort, it is not the final step. It is the step that allows many other zones, such as Top Level Domains (TLDs), to be signed usefully. It removes the need for many stop-gap measures like certain Trust Anchor Repositories (TARs), and the need for TLD entries in ISC’s DLV system.
However, not all TLDs are going to be signed immediately. Some TLDs have projected DNSSEC production dates of early 2011 and later. Owners of domains under these TLDs will still find DLV to be a useful tool to publish their DNSSEC keys and promote use of DNSSEC within their organizations.
Additionally, the fact that a TLD is signed and in the root zone does not mean you are able to add your records to it. Not all registrars are prepared to accept DNSSEC records for their users.
ISC’s plan for DLV over the next few weeks is to watch and see what happens with the TLD operators. If a specific TLD is inserted into the root zone and signed properly, we will remove that TLD from our database. This is consistent with ISC’s goal of using the proper DNSSEC hierarchy as the DNSSEC protocol intends.
We will not prevent users from adding their own zones under these TLDs, and will not remove any TLDs which were added directly by the TLD operators. This means all zone owners who cannot otherwise publish their DNSSEC keys can continue to use DLV. We will not remove any zones from DLV which we did not enter ourselves, leaving users the option of publishing their key in DLV in addition to the parent during transition or for other purposes.
ISC will continue to encourage those adding zones to the DLV registry to use the intended parent-to-child path if at all possible.