DNSSEC in .SE
Patrik Wallström, pawal@nic.se

Preliminary timeline (2005 to 2006)
  - NOT secure
  - 1 June: Slaves DNSSEC ready
  - 1 Sep: Signed Zone
  - 15 Oct: Keys in the Zone
  - TBA: New Registry
  - 2003 – Signed stable parallel .SE-zone for testing

Workshop 6th April 2005
  - Workshop arranged by NIC-SE and the Swedish PTS, Post and Telecom Authority
  - Full day introduction and hands-on tutorial
  - Participants from registrars, ISPs, banks, government agencies and large media companies

Slaves DNSSEC ready
  - All slaves for .SE will be ready for DNSSEC 1st June
  - Slaves are using ISC BIND and NSD
  - Is the software stable on their machines?
  - Slaves are trying out the signed zone on other machines with the same configuration
  - Slaves have better knowledge of DNSSEC when ready

Signed Zone
  - .SE will be signed 1st September
  - At first, no fingerprints in the zone
  - To be decided upon, new mechanism for signing the zone

Keys in the Zone
  - Evaluation of signed zone 14th October
  - DS records in the zone 15th October
  - The 15th is Point of No Return
  - 31st October, key exchange for the “public” with Keyman, a prototype registry function
  - Publishing the public key

Keyman
  - Keyman is a prototype DNSSEC child key manager – until new EPP registry is in place
  - Store active keys in a database
  - Fetch new keys via DNS
  - User selects active keyset
  - DS records generated from database

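
Added example, not taken from the slides or from Keyman itself: a sketch of the last step listed above, generating DS records for the keys a user has marked active, using the DS digest and key tag definitions from RFC 4034. The zone name example.se., the row layout and the 4-byte dummy keys are assumptions constructed for illustration; digest type 2 (SHA-256, RFC 4509) is included alongside the SHA-1 type defined in RFC 4034.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, key, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex digest) for one child key."""
    if not key["flags"] & 0x0100 or key["protocol"] != 3:
        raise ValueError("not a DNSSEC zone key")
    rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["pubkey"])
    # The digest covers the owner name followed by the DNSKEY RDATA.
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), key["algorithm"], digest_type, digest

def ds_for_active_keys(owner, stored_keys, digest_type=2):
    """DS records only for the keys the user has marked active."""
    return [make_ds(owner, k, digest_type) for k in stored_keys if k["active"]]

# Constructed sample "database" rows for a hypothetical child zone example.se.
# The key material is a 4-byte dummy, not a real public key.
STORED = [
    {"flags": 257, "protocol": 3, "algorithm": 8, "pubkey": "AQIDBA==", "active": True},
    {"flags": 257, "protocol": 3, "algorithm": 8, "pubkey": "BAMCAQ==", "active": False},
]

if __name__ == "__main__":
    for tag, alg, dtype, digest in ds_for_active_keys("example.se.", STORED):
        print("example.se. IN DS %d %d %d %s" % (tag, alg, dtype, digest))
```

Because the digest is bound to the owner name as well as the key, a DS record generated for one child zone cannot be reused for another zone that publishes the same key.
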
New Registry
  - Today's registry model in .SE is “confused”
  - No clear relation between registrar and registrant
  - Larger registrars are slowly making the confused model into a more structured Registry – Registrar model
  - New registry will be EPP based, and have a clean Registry – Registrar relationship
  - Old registry will be “yet another registrar”

New Registry 2
  - Registrars will handle DNSSEC through EPP
  - Requirements for DNSSEC? (Probably some extra paragraphs in the registrar agreement)
  - Authentication of registrants?

Thank you
  - Questions?
  - Patrik Wallström, pawal@nic.se
