--- /dev/null
+[[!meta author="Peter Palfrader"]]
+
+We are in the process of deploying
+[DNSSEC](http://www.dnssec.net/),
+the DNS Security Extensions, on the Debian zones. This means properly
+configured resolvers will be able to verify the authenticity of information
+they receive from the domain name system.
+
+The plan is to introduce DNSSEC in several steps so that we can react
+to issues that arise without breaking everything at once.
+
+We will start with serving signed <code>debian.net</code> and
+<code>debian.com</code> zones. Assuming nobody complains loudly enough
+the various reverse zones and finally the <code>debian.org</code> will
+follow. Once all our zones are signed we will publish our trust anchors
+in [ISC's DLV Registry](https://www.isc.org/solutions/dlv), again in
+stages.
+
+The various child zones that are handled differently from our normal
+DNS infrastructure
+(<code>mirror.debian.net</code>,
+<code>alioth</code>,
+<code>bugs</code>,
+<code>ftp</code>,
+<code>packages</code>,
+<code>security</code>,
+<code>volatile</code>,
+<code>www</code>)
+will follow at a later date.
+
+We are using bind 9.6 for [NSEC3](http://www.nsec3.org/) support and
+[our](http://db.debian.org/git/Net-DNS-SEC-Maint-Key.git/)
+[fork](http://db.debian.org/git/Net-DNS-SEC-Maint-Zone.git/)
+of RIPE's
+[DNSSEC Key Management Tools](http://www.ripe.net/disi/dnssec_maint_tool/)
+for managing our keys because we believe that it integrates nicely
+with our
+[existing DNS helper scripts](http://git.debian.org/?p=mirror/dns-helpers.git),
+at least until something better becomes available.
+
+We will use NSEC3RSASHA1 with key sizes of 1536 bits for the KSK and
+1152 bits for the ZSK. Signature validity period will most likely be
+four weeks, with a one week signature publication period
+(cf. [RFC4641: DNSSEC Operational
+Practices](http://www.ietf.org/rfc/rfc4641.txt)).
+
+Zone keys rollovers will happen regularly and will not be announced in
+any specific way. Key signing key rollovers will probably be announced
+on the
+[debian-infrastructure-announce](http://lists.debian.org/debian-infrastructure-announce/)
+list until such time that our zones are reachable from a
+[signed root](http://www.root-dnssec.org/). KSK rollovers for our own
+child zones (www.d.o et al), once signed, will not be announced because
+we can just put proper
+[DS records](http://en.wikipedia.org/wiki/List_of_DNS_record_types#DS)
+in the respective parent zone.
+
+See also:
+
+* [DNSSEC wikipedia page](http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions),
+* [DNSSEC HOWTO, a tutorial in disguise (Olaf Kolkman, nlnetlabs)](http://www.nlnetlabs.nl/publications/dnssec_howto/index.html).
+
+Please direct questions or comments to either the debian-admin or, if
+you want a more public forum, the debian-project list at
+lists.debian.org.
projects / mirror / dsa-wiki.git / commitdiff