ICANN Email List Archives

[dssa]



Re: [dssa] questions about provisioning and DNSSEC for the Root and IANA zones

  • To: "Mike O'Connor" <mike@xxxxxxxxxx>
  • Subject: Re: [dssa] questions about provisioning and DNSSEC for the Root and IANA zones
  • From: Matt Larson <mlarson@xxxxxxxxxxxx>
  • Date: Thu, 26 Jan 2012 15:49:08 -0500

Hi, Mike, everyone.

On Thu, 26 Jan 2012, Mike O'Connor wrote:
> 
> hi all (but most especially you people who know how the root and IANA zones 
> work),
> 
> i am wondering if somebody could fill the rest of us in on a couple 
> architecture-level questions.  we took a stab at these on the call today but 
> didn't have the right folks on the call to feel like we knew what we were 
> doing.  here are the questions;
> 
> Root zone -- are there automated provisioning systems for the root
> zone (a parallel to the registry/registrar provisioning systems
> found at the TLD level)?

Yes, there is an automated provisioning system for the root zone.
There is not much public documentation about the system, but some
information about ICANN's portion is available here:

http://www.iana.org/domains/root/online-system

For the description below, please note that the IANA functions
contractor holder is currently ICANN.  The Root Zone Maintainer is
currently Verisign.

At a high level, the process for making changes to the root zone is:

1. TLD manager sends request to ICANN via web interface (new) or email
(legacy).

2. After various checks, ICANN sends request to Verisign's dedicated
root zone registry system using EPP.

3. After being notified of a pending request, DoC NTIA authorizes the
change via a web interface.

4. After various checks, Verisign executes the change in the root zone
database.

5. Twice per day, Verisign generates a new root zone, signs it, and
makes it available to all the root servers via dedicated stealth
master servers, which reside in multiple physical locations.

6. All the root servers use standard DNS zone transfer to retrieve the
new root zone. 

PLEASE NOTE WELL: I have simplified a complicated process with many
actors and levels of technical checks and balances into six steps for
this email.  Please DO NOT use the text above verbatim in any public
communication.  If you have more specific questions about the process,
I'd be happy to answer them to make sure the process is communicated
correctly.  Depending on the question, I would need to defer to ICANN,
probably Kim Davies.

> do those provisioning systems differ between the various root zone
> operators?

I'm not quite sure what you mean here, but hopefully I addressed it
above: all 12 root operators (including Verisign) retrieve the root
zone from the same distribution master servers.

> IANA zone -- is there an automated provisioning system for this
> zone?  is there DNSSEC on this zone?

Are you referring to the iana.org zone?  I see that it is signed, but
I know nothing of its administration: that's handled by ICANN's DNS
group.

Matt



