VeriSign has shared its plans for deploying DNSSEC in the .net and .com operational community. Matt Larsen of VeriSign issued the following schedules today:

The .net DNSSEC deployment consists of the following major milestones:

September 25, 2010: The .net registry system was upgraded to allow
ICANN-accredited registrars to submit DS records for domains under
.net. These DS records will not be published in the .net zone until
the .net zone is actually signed. Each registrar will implement
support for DNSSEC on its own schedule, and some registrars might be
accepting DS records for .net domains now.

October 29, 2010: A deliberately unvalidatable .net zone will be
published. Following the successful use of this technique with the
root DNSSEC deployment, VeriSign will publish a signed .net zone with
the key material deliberately obscured so that it cannot be used for
validation. Any DS records for .net domains that have been submitted
by registrars will be published in the deliberately unvalidatable
zone.

December 9, 2010: The .net key material will be unobscured and the
.net zone will be usable for DNSSEC validation. DS records for .net
will appear in the root zone shortly thereafter.

The .com DNSSEC deployment will occur in the first quarter of 2011 and
will consist of the following major milestones:

February, 2011: The .com registry system will be upgraded to allow
ICANN-accredited registrars to submit DS records for domains under
.com. These DS records will not be published in the .com zone until
the .com zone is actually signed.

March, 2011: A deliberately unvalidatable .com zone will be published.
Any DS records for .com that have been submitted by registrars will be
published in the deliberately unvalidatable zone.

March, 2011: The .com key material will be unobscured and the .com
zone will be usable for DNSSEC validation. DS records for .com will
appear in the root zone shortly thereafter.