Status

Since 5 January 201, DENIC has made the signed version of the .de zone available in the DNSSEC testbed environment. The separate infrastructure, previously used exclusively to find out whether parallel operation of a production and a test environment is feasible, can thus now also be used for production DNSSEC traffic. What does this mean precisely?

1. DENIC will sign the current version of the .de zone from the production environment once a day and make it available in the DNSSEC testbed environment for DNS queries.

2. The two name server clusters in Frankfurt and Amsterdam

auth-fra.dnssec.denic.de. 81.91.161.228  2A02:568:0:1::53
auth-ams.dnssec.denic.de. 87.233.175.25

will answer DNS queries including DNSSEC data as authoritative and non-recursive name servers.

3. Instructions on how to redirect queries for .de domains are provided for various resolvers in separate configuration examples.

4. For validating resolvers, the setup now allows the Trust Anchor for the .de testbed to be configured. The Trust Anchor is a copy of the public part of the Key Signing Key, which is given to the resolver as a trusted key. This Trust Anchor, or Secure Entry Point, is published on an HTTPS-secured web page.

de.             86400   IN      DNSKEY  257 3 8 (
AwEAAZ1FqQED8QBrk3Jk4q96lggh4uiwlbdbZ0posfIgcaJJqfTNBfEhn6PEPqqRP
73libD55vujfYzKMN0fVd34wrdOpSTpMbw+oqQpJyecfGVYH1fnqws23n5QE03/
7SN98O8Cm+HBpB66JurTHWD3f4es8IUoumb/SXY44qb+oqWfmM3wS8aQVA5
d2gHpKrRIPlDHA/MB3FHGL64VpfV8KJ76kp1RBthR7Y0qalTskOouVeCOEa7gUiIl
jt1kTf64HFGsRi11klpCHBjtTiTg7MFN25nASuhbyTmWlRxPyg79BK7EDQ+tAe09N
YkS1P7tOe8ola9IpQHTWO6ttTmSnyE= )

This Key Signing Key will remain valid until revoked. Any scheduled key changes will be announced with due notice.

5. In addition to the 2048-bit Key Signing Key, a 1024-bit Zone Signing Key will be used, which will be rolled over every five weeks. Both keys generate signatures using the standardized RSA/SHA-256 procedure specified in RFC 5702.

6. The .de zone is signed with opt-out, using NSEC3 records according to RFC 5155.
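A check a resolver operator can run before configuring the Trust Anchor described in items 4 and 5, given here as an added example that is not DENIC's code: it parses a DNSKEY record in zone-file form, compares it with the parameters stated above (flags 257, protocol 3, algorithm 8, 2048-bit modulus) and derives the RFC 4034 key tag and the SHA-256 DS digest for comparison against the HTTPS-published value. The function names and the embedded key are constructed for illustration; the key is a placeholder, not the .de key.

```python
import base64
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the short ID used in DS and RRSIG records)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_dnskey(record: str) -> dict:
    """Parse a zone-file DNSKEY record, including the multi-line ( ... ) form."""
    fields = record.replace("(", " ").replace(")", " ").split()
    at = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(f) for f in fields[at + 1:at + 4])
    key = base64.b64decode("".join(fields[at + 4:]), validate=True)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    # RFC 3110 RSA layout: exponent length (1 byte, or 0x00 + 2 bytes), exponent, modulus
    if key[0]:
        elen, off = key[0], 1
    else:
        elen, off = struct.unpack("!H", key[1:3])[0], 3
    modulus = int.from_bytes(key[off + elen:], "big")
    # DS digest type 2 (RFC 4509): SHA-256 over owner name in wire format + RDATA
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return {"owner": owner, "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "bits": modulus.bit_length(),
            "key_tag": key_tag(rdata), "rdata": rdata,
            "ds_sha256": hashlib.sha256(wire + rdata).hexdigest().upper()}

def check_trust_anchor(record: str) -> list:
    """Return mismatches against the parameters this page states; [] means all match."""
    k, problems = parse_dnskey(record), []
    if k["flags"] != 257:
        problems.append(f"flags {k['flags']}: expected 257 (zone key with SEP bit)")
    if k["protocol"] != 3:
        problems.append(f"protocol {k['protocol']}: DNSKEY protocol must be 3")
    if k["algorithm"] != 8:
        problems.append(f"algorithm {k['algorithm']}: expected 8 (RSA/SHA-256, RFC 5702)")
    if k["bits"] != 2048:
        problems.append(f"modulus is {k['bits']} bits: expected a 2048-bit KSK")
    return problems

# Constructed placeholder key (NOT the .de key and not a usable RSA modulus).
_key = b"\x03" + b"\x01\x00\x01" + b"\xc3" + b"\x00" * 254 + b"\x01"
_b64 = base64.b64encode(_key).decode()
SAMPLE = f"de. 86400 IN DNSKEY 257 3 8 (\n  {_b64[:64]}\n  {_b64[64:]} )"

if __name__ == "__main__":
    info = parse_dnskey(SAMPLE)
    print(info["key_tag"], info["bits"], info["ds_sha256"], check_trust_anchor(SAMPLE))
```

An empty list from `check_trust_anchor` only confirms the record's parameters; the key tag and DS digest still have to be compared with the value obtained over the HTTPS channel.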

We have compiled information and examples regarding the Resolver Configurations for all participants of the testbed.

The Detailed Road Map will give you an idea of the scheduled actions and dates.