Over the last few months much has been made of the digitally signing the root as a critical step in widely deploying DNSSEC. At our May Symposium on Internet Governance and Security, one panelist wondered aloud if ICANN/IANA would ever sign the root like they agreed to do in 2006. Similarly, RIPE's recent letter urged ICANN/IANA publicly to act, lest RIPE go ahead and create its own trust anchor repository as one large European ISP suggested. And finally, the FIPS requirement to deploy DNSSEC technology within medium and high impact federal IT systems is bearing down, with the effort taking on a new sense of urgency with the launch of the NIST/SPARTA/DHS SNIP testbed early this month.
Well, it now seems that some of the pressure has started to work. At the informal IEPG gathering prior to the 69th IETF being held in Chicago this week, an IANA representative explained some technical specs and operational details behind its recent deployment of a DNSSEC testbed that includes a signed root zone.