VeriSign is in the process of deploying DNSSEC in the .net and .com zones. This message contains operational information related to the .net DNSSEC deployment that might be of interest to the Internet operational community. The .net DNSSEC deployment is underway. On September 25, 2010, the .net registry system was upgraded to allow ICANN-accredited registrars to submit DS records for domains under .net. On October 29, 2010, a deliberately unvalidatable .net zone began to be published. (This zone was a signed version of the .net zone with the key material deliberately obscured so that it could not be used for validation.) VeriSign recently began incrementally "unblinding" the .net zone: one at a time, each authoritative server for .net was changed from serving the unvalidatable .net zone to the signed .net zone with the official keys unobscured. As of approximately 2100 UTC on December 7, all authoritative servers for .net were serving the signed .net zone with the actual, unobscured production keys. The final step in DNSSEC deployment in .net will be publishing its DS record in the root zone, which is currently scheduled for December 9, 2010. If you have any questions or comments, please send email to info@verisign-grs.com or reply to this message.