All root servers now offering DNSSEC

Verisign’s J root server was switched over to DNSSEC yesterday bringing the entire authoritative DNS system onto the new security platform. Alhough all the root servers are serving a signed version of the root zone, these are not yet able to be validated as the public key has not yet been disclosed. This allows the root servers to return to a non-DNSSEC state should there be any problems.

At the moment, only 2 sites in the US are responsible for key-generation, with another being discussed –  Sweden, the first country to do TLD-level signing and a site for one of the root servers, is a likely candidate.