New DNSSEC Signing Facilities Live at ICANN

ICANN logoICANN’s commitment to the deployment of Domain Name System Security Extensions (DNSSEC) continues with the launch of the Generic Signing Infrastructure (GSI).

After several months of testing the operational aspects of the GSI, ICANN engineers executed the maintenance procedure to publish a signed ICANN.ORG domain on March 11, 2010 at 0400 UTC.

The GSI has been designed as a high-security, high-availability service suitable for use in managing the DNS zones that ICANN maintains. Built around the community-driven “OpenDNSSEC” project, the GSI includes the use of “FIPS 140-2 level 4” validated Hardware Security Modules (HSMs) with signing hardware protected within “class 5 GSA-rated” safes. These certifications are defined by the US Government to specify some of the highest levels of operational and physical security generally available.

The GSI is split between two locations, one on each coast of the USA, with either site available to perform signing operations in the event that other site is unavailable.

Once reliable production service with the ICANN.ORG domain has been confirmed, the GSI will be available to sign the other zones ICANN maintains such as IN-ADDR.ARPA and IP6.ARPA.

To read a presentation on OpenDNSSEC from ICANN’s 2009 Sydney meeting, go here: syd.icann.org/files/meetings/sydney2009/presentation-open-dnssec-22jun09-en.pdf

To read the transcripts and presentations from a session on DNSSEC at the Nairobi International Meeting on March 10, 2010, go here: nbo.icann.org/node/8924.

This ICANN news release was sourced from:
icann.org/en/news/releases/release-17mar10-en.pdf