A whole kaleidoscope of hot topics and questions all around the protocol extension DNSSEC and the persistent great interest of the Internet community made the third .de DNSSEC testbed meeting at the premises of DENIC another success.

With roughly 60 attendants from the Internet industry and Internet associations a diversified forum of users and providers of services and hard- and software tools supporting DNSSEC met in the offices of DENIC to be informed about the latest developments for combating DNS spoofing, cache poisoning and zone walking and to use the opportunity for networking.

By now, the test infrastructure set up by DENIC has achieved most of the milestones of its roadmap: Already at the beginning of March, the critical phase was entered with the initial publication of DS-Key records in the signed test version of the .de zone. Logically, also the focus of the accompanying four-meeting series is shifting more and more to practical aspects. Besides information about the current status of the testbed provided by the persons responsible for the project at DENIC, the central issues of the technical presentations of yesterday's second-to-last DNSSEC meeting thus were the experience made and progress achieved by the DNSSEC users of the most different fields of the IT environment.

Elementary aspects and administrative processes still posing big questions for numerous TLDs also were central topics of vivid discussions: the security of NSEC3 resource records, the handling of domains that cannot be validated in error-prone zones, and, last but not least, the requirements to be defined for an appropriate policy for provider and/or DNS-operator changes under DNSSEC – all of them factors which are highly relevant to the praxis with regard to the global launch of the cryptographic protocol extension.

For reasons such as those mentioned above DENIC deliberately calculated the testbed for the generous period of 18 months from the very beginning. The declared aim of the project is to thoroughly analyze any potential operative and administrative risk and to develop substantial procedures on this basis which can be used as best practices within the scope of DNSSEC. Only long-term experience – so the credo – will provide valid results of secured practical suitability prior to launching the protocol extension in the productive environment at the start of 2011.

On 24 November 2010, the fourth and last DNSSEC testbed meeting will take place to report about the additional experience made and progress achieved with the .de zone by then. DENIC would be happy to welcome a large number of new interested parties who actively participate by operating their own domain(s) in the provided testbed, in order to have as broad as possible a basis for the final assessment of the testbed under cost-benefit aspects. By integrating the testbed in the production environment DENIC deliberately created very user-friendly conditions that make it easy to decide in favour of active participation.

Detailed information about DENIC's latest DNSSEC testbed meeting and for all original papers, speaker profiles and live recordings of the presentations and discussions, are availlable online on the DENIC website.