
AFRINIC DNSSEC Deployment plan

Once the testing phase is completed, AFRINIC will integrate the signer into the provisioning system in 3 phases. In the first phase, the provisioning system continues to work as it is. When new zones are generated, copies of the distributed unsigned zones are passed to the signer to produce signed zones.

Each signed zone is checked and loaded on a public DNS server, and all tests are conducted against that server. Here AFRINIC evaluates the operation of the signer and of the updated provisioning system. (Phase 1)

If the previous stage succeeds, the next step is to start publishing signed zones instead of unsigned zones. In this phase, the Reverse DNS provisioning system starts publishing signed zones, with adequate notification and a rollback plan. Only zones produced by the signer are distributed to the NS servers. (Phase 2)

Once signed zones are published, AFRINIC RDNS zones are still not DNSSEC secured: validators can only build a chain of trust once the DS records of the KSKs are published in the parent zones. DS records will be generated and sent to IANA through their RDNS management system. (Phase 3)

The provisioning system will also be configured to process DS records for sub-domains. The signer and the zone publication are not modified.

With a full DNSSEC system tested and launched, and measures in place to operate as per the DNSSEC Practice Statement (DPS), the project moves into normal AFRINIC operations. Monitoring and performance measurement will be constant activities.

Testing phase

  1. Install the tools (OpenDNSSEC, NSD, BIND, DSC, etc.)
  2. Generate keys for the zones: KSK RSA 2048, ZSK RSA 1024
  3. Get the unsigned zone into OpenDNSSEC and sign it
  4. Publish the signed zones on the local DNS servers
  5. Query and analyse response sizes over UDP and TCP
  6. Validation using the zone keys as trusted keys
  7. Test key rollovers: ZSK and KSK
  8. Scheduled key rollovers and emergency key rollover
  9. Conclusions and lessons learnt

Phase 1

Unsigned zones published

  1. The new provisioning system: consistent signed zone generation
  2. Consistency check of zone content: non-DNSSEC queries against both the unsigned and the signed zones
  3. DNSSEC queries to the signed zones
  4. Conclusions and lessons learnt

Phase 2

Signed zones published

  1. Zone transfer master/slave consistency
  2. Non-DNSSEC queries on all NS
  3. DNSSEC queries on all NS
  4. Conclusions and lessons learnt
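The Phase 1 consistency check (the signed zone must carry exactly the records of the unsigned zone plus the DNSSEC RRs the signer adds) and the Phase 2 master/slave comparison are the same operation with one switch, so here is one added Python example that does both. It is not AFRINIC's provisioning code; the zone data, names and signature/key fields are constructed placeholders, and the parser assumes one record per line with explicit TTL and class.

```python
# Added example, not AFRINIC's provisioning code. Zone data, names and
# DNSSEC fields are constructed; the key and signature strings are not real.
ORIGIN = "100.51.198.in-addr.arpa."

# record types the signer adds; excluded from the unsigned-vs-signed comparison
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}

UNSIGNED_ZONE = """\
; constructed unsigned zone as handed to the signer
@   3600 IN SOA ns1.example.net. hostmaster.example.net. 2024010101 3600 900 1209600 3600
@   3600 IN NS  ns1.example.net.
@   3600 IN NS  ns2.example.net.
10  3600 IN PTR host10.example.net.
20  3600 IN PTR host20.example.net.
"""

SIGNED_ZONE = """\
; constructed signer output: serial bumped, DNSSEC RRs added, one PTR lost on the way
@   3600 IN SOA ns1.example.net. hostmaster.example.net. 2024010102 3600 900 1209600 3600
@   3600 IN NS  ns1.example.net.
@   3600 IN NS  ns2.example.net.
@   3600 IN DNSKEY 257 3 8 AwEAAfakeKSK==
@   3600 IN DNSKEY 256 3 8 AwEAAfakeZSK==
@   3600 IN RRSIG  SOA 8 5 3600 20240201000000 20240101000000 12345 100.51.198.in-addr.arpa. fakeSig==
@   3600 IN NSEC   10.100.51.198.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
10  3600 IN PTR host10.example.net.
"""


def parse_zone(text: str, origin: str):
    """Parse one-record-per-line presentation format (explicit TTL and class,
    no multi-line records, $-directives ignored). Returns (rrset, soa_serial)."""
    records = set()
    serial = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 4:
            raise ValueError(f"unparseable record: {raw!r}")
        name, ttl, rclass, rtype = fields[:4]
        rdata = " ".join(fields[4].split()) if len(fields) == 5 else ""
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"
        rtype = rtype.upper()
        if rtype == "SOA":
            # the signer normally bumps the serial; compare the SOA without it
            parts = rdata.split()
            serial = int(parts[2])
            parts[2] = "<serial>"
            rdata = " ".join(parts)
        records.add((name.lower(), int(ttl), rclass.upper(), rtype, rdata))
    return records, serial


def compare_zones(reference: str, candidate: str, origin: str,
                  ignore_dnssec: bool = True) -> dict:
    """Report records that differ between two copies of a zone. With ignore_dnssec
    the DNSSEC-only types are excluded (the unsigned-vs-signed check); with
    ignore_dnssec=False every record counts (the master-vs-slave check)."""
    ref, ref_serial = parse_zone(reference, origin)
    cand, cand_serial = parse_zone(candidate, origin)
    if ignore_dnssec:
        ref = {r for r in ref if r[3] not in DNSSEC_TYPES}
        cand = {r for r in cand if r[3] not in DNSSEC_TYPES}
    return {
        "missing_in_candidate": sorted(ref - cand),
        "unexpected_in_candidate": sorted(cand - ref),
        "soa_serial": {"reference": ref_serial, "candidate": cand_serial},
    }


if __name__ == "__main__":
    report = compare_zones(UNSIGNED_ZONE, SIGNED_ZONE, ORIGIN)
    for rr in report["missing_in_candidate"]:
        print("MISSING in signed zone:", *rr)
    for rr in report["unexpected_in_candidate"]:
        print("UNEXPECTED in signed zone:", *rr)
    print("serials:", report["soa_serial"])
```

Run against the constructed data the report flags the PTR for 20 as missing and nothing as unexpected, while the full comparison also lists the DNSKEY, RRSIG and NSEC records the signer added. In practice the "reference" and "candidate" texts would be AXFR dumps from the master and each slave.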

Rollback plan

Phase 3

DS publication in parent zones

  1. Query for the DS record on all and servers
  2. DNSSEC validation of signed RRs in AFRINIC signed zones with the root key as trusted key
  3. Conclusions and lessons learnt

Rollback plan

Members' DS records publication

  1. DS processing and signing of the DS RRs
  2. Chain of trust validation from the root to the child zone (with DS records published)
  3. Conclusions and lessons learnt
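Both Phase 3 (DS records for AFRINIC's KSKs sent to the parent) and the members' DS publication above come down to one operation: derive a DS from a DNSKEY, and check that a DS published in the parent matches a key in the child. The following added Python example (not AFRINIC's or IANA's tooling) implements the RFC 4034 key tag and the SHA-256 DS digest over the canonical owner name plus DNSKEY RDATA, then uses them to verify one link of the chain of trust. The zone name is an RFC 5737 placeholder and the key bytes are a constructed stand-in for an RSA modulus, not a usable key.

```python
import base64
import hashlib
import struct

# Added example, not AFRINIC's or IANA's tooling. The zone name is a placeholder
# from the RFC 5737 documentation range and the key material is constructed
# (a few bytes standing in for an RSA modulus), so it is not a usable key.
PLACEHOLDER_ZONE = "100.51.198.in-addr.arpa."
ALG_RSASHA256 = 8
DIGEST_SHA256 = 2
FLAGS_KSK = 257     # ZONE | SEP: the key a DS in the parent points at
FLAGS_ZSK = 256

# RSA public key in DNSKEY format: exponent length, exponent (65537), then modulus
SAMPLE_KSK_KEY = base64.b64encode(b"\x03\x01\x00\x01\xab\xcd\xef\x12").decode()
SAMPLE_ZSK_KEY = base64.b64encode(b"\x03\x01\x00\x01\x11\x22\x33\x44").decode()


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, as hashed into the DS."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form (RFC 4034 section 2)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the whole DNSKEY RDATA (RFC 4034 appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str,
            digest_type: int = DIGEST_SHA256) -> tuple:
    """DS RDATA (key tag, algorithm, digest type, digest) for a DNSKEY, as handed
    to the parent. digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    if digest_type != DIGEST_SHA256:
        raise ValueError("this example only implements digest type 2 (SHA-256)")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def validate_link(parent_ds_set, owner: str, child_dnskeys) -> list:
    """One link of the chain of trust: return the child DNSKEYs
    (flags, protocol, algorithm, key) for which the parent publishes a matching
    DS. An empty list means no path from the parent's trust into this zone."""
    matched = []
    for key in child_dnskeys:
        flags, protocol, algorithm, pubkey_b64 = key
        computed = make_ds(owner, flags, protocol, algorithm, pubkey_b64)
        for ds in parent_ds_set:
            if ds[2] == DIGEST_SHA256 and tuple(ds) == computed:
                matched.append(key)
                break
    return matched


if __name__ == "__main__":
    ksk = (FLAGS_KSK, 3, ALG_RSASHA256, SAMPLE_KSK_KEY)
    zsk = (FLAGS_ZSK, 3, ALG_RSASHA256, SAMPLE_ZSK_KEY)
    ds = make_ds(PLACEHOLDER_ZONE, *ksk)
    print(f"{PLACEHOLDER_ZONE} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}")
    found = validate_link([ds], PLACEHOLDER_ZONE, [ksk, zsk])
    print("child keys matched by the parent DS:", [k[0] for k in found])
```

The printed DS line is what gets submitted to the parent; after publication, the same `validate_link()` fed with the DS set queried from the parent and the DNSKEY set queried from the child is the check behind the "chain of trust validation" item, and it fails both when the parent still carries a DS for a retired KSK and when the child DNSKEY was generated under a different owner name.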