Today was a big milestone in the deployment of DNSSEC on the Internet with the signing of the root zone. For system administrators of recursive caching name servers – or as they are colloquially known, resolvers – this is good news. For the first time ever, they can configure a trust anchor for the root zone in their resolver and start validating based on the actual DNS infrastructure instead of having to rely on interim solutions like DLV or ITAR.
We received a question about configuring this trust anchor earlier today: “how do I configure this in my server?”. We are going to address this in two blog posts in the coming week, each with a step-by-step guide: one for Unbound and one for BIND.
One final note: even though the trust anchor for the root is now available, this does not mean that you can achieve the same level of validation as is currently possible with DLV. This is because islands of trust still exist (for instance, signed second-level domains under .net or .com whose parent zone is not yet signed, so there is no chain of trust from the root down to them). We are therefore going to use the root trust anchor and DLV in parallel for some time.
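As an added illustration of the parallel setup just described (this is not from the original post or the forthcoming guides), here is the relevant part of an Unbound `server:` block that configures the root trust anchor and a DLV anchor side by side. The file paths and the `<...>` placeholders are assumptions; the actual root KSK record must be taken from the published trust anchor, and the DLV key from the DLV registry you use.

```conf
server:
    # The validator module must be in the module chain for any validation
    # to happen ("validator iterator" is also Unbound's default).
    module-config: "validator iterator"

    # Root trust anchor, maintained automatically via RFC 5011 key rollover
    # tracking. The file must be writable by the unbound user and must be
    # seeded once with the root KSK, e.g. as a DS record (placeholder shown):
    #   . IN DS <ROOT-KSK-DS-RECORD-FROM-PUBLISHED-TRUST-ANCHOR>
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # DLV kept in parallel for islands of trust that are not yet reachable
    # from the root. The file holds the DLV zone's key, e.g. (placeholder):
    #   dlv.isc.org. IN DNSKEY 257 3 5 <DLV-KSK-PUBLIC-KEY>
    # Unbound consults DLV only when the normal chain of trust yields no
    # anchor for a name, so the root anchor takes precedence where it applies.
    dlv-anchor-file: "/var/lib/unbound/dlv.isc.org.key"
```

After reloading, a validated answer from the resolver carries the AD flag in the response header, and a deliberately broken signature yields SERVFAIL, which is the quickest check that validation is actually in effect.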
UPDATE: Wolfgang Nagele has written a mini HOWTO on using the root trust anchor, you can find that here.