DNSSEC Updates

06/04/2016

Following an extended period of testing DNSSEC for the .IL top level domain, the Israel Internet Association (ISOC-IL) is moving back to an unsigned .IL zone file, prior to the official signing of the .IL zone.

Starting on April 18, 2016, the .IL nameservers will serve an unsigned .IL zone file. Please make sure your DNS servers do not have the test DNSSEC keys configured as trusted keys. This will only be the case if you manually configured your DNS servers to use the test keys as trusted keys.

Important: Using the test keys as trusted keys once the .IL TLD zone is officially signed will make your DNS servers fail to validate responses for the .IL zone, resulting in resolution failure. Once the zone is officially signed, there will be no need to set trusted keys for the .IL zone manually.
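One way to check a resolver configuration for the situation described above, as an added example rather than ISOC-IL's own tooling: it scans BIND (`trusted-keys`, `managed-keys`, `trust-anchors`) and Unbound (`trust-anchor:`) configuration text for manually configured anchors for `il.`. The sample configurations and key strings are constructed placeholders, and anchors kept in separate files (for example Unbound's `trust-anchor-file`) are not followed.

```python
import re

# Quoted strings are matched first so "//" inside base64 key data is not read as a comment.
_TOKEN = re.compile(r'"[^"]*"|//[^\n]*|#[^\n]*|/\*.*?\*/', re.S)
# BIND statements that hold manually configured trust anchors.
_BIND_BLOCK = re.compile(r'\b(trusted-keys|managed-keys|trust-anchors)\s*\{(.*?)\}\s*;', re.S)
# Entry: zone name, optional initial-key/static-key/initial-ds/static-ds, three numbers, key data.
_BIND_ENTRY = re.compile(r'"?([\w.-]+)"?\s+(?:(?:initial|static)-(?:key|ds)\s+)?\d+\s+\d+\s+\d+\s+"')
# Unbound entry: trust-anchor: "il. DNSKEY 257 3 8 <key>"
_UNBOUND = re.compile(r'^\s*trust-anchor:\s*"?\s*([\w.-]+)\s+(?:\d+\s+)?(?:IN\s+)?(?:DNSKEY|DS)\b', re.M | re.I)

# Constructed sample input: the key strings below are placeholders, not real keys.
SAMPLE_NAMED_CONF = '''
options { dnssec-validation auto; };
// trusted-keys { "il." 257 3 8 "commented+out//"; };
trusted-keys {
    "il." 257 3 8 "AwEAAc//CONSTRUCTED+KEY//DATA=";  # placeholder key
    "example.org." 257 3 8 "AwEAAd+CONSTRUCTED=";
};
'''
SAMPLE_UNBOUND_CONF = '''
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    trust-anchor: "IL. DNSKEY 257 3 8 AwEAAc//CONSTRUCTED="
    # trust-anchor: "il. DNSKEY 257 3 8 disabled"
'''

def _norm(name):
    """Lower-case a zone name and give it exactly one trailing dot."""
    return name.lower().rstrip('.') + '.'

def strip_comments(text):
    """Blank out //, # and /* */ comments while leaving quoted strings intact."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else ' ', text)

def find_static_anchors(config_text, zone='il.'):
    """Return (statement, zone) pairs for trust anchors configured for `zone`."""
    text = strip_comments(config_text)
    hits = []
    for stmt, body in _BIND_BLOCK.findall(text):
        hits += [(stmt, _norm(z)) for z in _BIND_ENTRY.findall(body)]
    hits += [('trust-anchor', _norm(z)) for z in _UNBOUND.findall(text)]
    return [h for h in hits if h[1] == _norm(zone)]

if __name__ == '__main__':
    for name, conf in (('named.conf', SAMPLE_NAMED_CONF), ('unbound.conf', SAMPLE_UNBOUND_CONF)):
        for stmt, z in find_static_anchors(conf):
            print(f'{name}: static trust anchor for {z} in {stmt}; remove it')
```

Any hit for `il.` is an entry to remove before the zone is officially signed; commented-out entries are ignored.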

If you have any questions, feel free to contact us by e-mail at dnssec-implementation@isoc.org.il.

A further announcement regarding the date of the official DNSSEC signing of the .IL TLD zone will be posted at https://www.isoc.org.il.

Previous announcements

2015

The Israel Internet Association (ISOC-IL) is starting a process of implementing DNSSEC for the .IL top level domain and the second-level domains AC.IL, CO.IL, NET.IL, ORG.IL, K12.IL and MUNI.IL.

As a first step, on May 18 2015, the .IL domain will be DNSSEC signed, but validation will not be enforced, because no trust anchor will be included at the parent domain (the root zone). DNSSEC-aware resolvers with validation enabled (note: DNS resolvers running recent versions have validation enabled by default) will receive signatures with the query response, though these signatures will not be validated by the resolver. The query responses will get bigger and can be blocked by network infrastructure running older firmware or by firewalls configured to block DNS UDP packets bigger than 512 bytes. To learn more and to test your DNS resolver and infrastructure, visit the following link:

https://www.dns-oarc.net/oarc/services/replysizetest.

Important: The keys used for signing the .IL domain are used only for the purpose of this test and will be replaced as soon as the test period is over. Do not use these keys as a trust anchor on your resolvers. Once the keys are replaced, this will leave you unable to resolve the .IL domain.

If you encounter any problems, feel free to contact us by e-mail at dnssec-implementation@isoc.org.il.

Status updates will be posted at https://www.isoc.org.il.