DNSSEC Project Archive
These are archived documents from specific community projects relating to the development and evolution of DNSSEC in the Root Zone. These documents should not be relied upon for up-to-date information on operations and are provided for historical purposes only.
Initial Design and Launch (2008-2010)
The DNS root zone began being signed in July 2010, following an extended process of consultation and design work. These documents are the historical archive of working documents from this process. These were originally published in a dedicated microsite at root-dnssec.org.
Documentation
- Project Status Updates
- Project FAQ
- TCR Selection
- Testing and Implementation Requirements
for the Initial Deployment of DNSSEC in the Authoritative Root Zone (2009-10-29)
This requirements document was drafted jointly by the National Telecommunications and Information Administration and the National Institute of Standards and Technology. The purpose is to provide baseline architecture, security, and basic functionality requirements for the implementation and operation of DNSSEC at the root zone. NTIA and NIST have consulted with members of the Internet technical community as well as with its root zone management partners – ICANN and VeriSign. To the extent possible, input resulting from these consultations is reflected in the requirements. - DNSSEC Root Zone
High Level Technical Architecture
This document describes the proposed architecture for DNSSEC deployment at the root of the DNS resulting from ongoing discussions between VeriSign and ICANN based on requirements set forth by the U.S. Department of Commerce (DoC). It is only meant to be a high-level description of the design. Details are to be contained in accompanying documentation. - DNSSEC Practice Statement for the Root Zone KSK
operator and the DNSSEC Practice Statement for the Root
Zone ZSK operator
This DPS documents are the DNSSEC Policy and Practice Statements for the Root Zone KSK and ZSK operator and states the practices and provisions that are employed providing Root Zone Signing and Zone distribution services that include, but are not limited to, issuing, managing, changing and distributing DNS keys in accordance with the specific requirements of the U.S. Department of Commerce, National Telecommunication and Information Administration. - Trust Anchor Publication for the
Root Zone
ICANN, as IANA Functions Operator, is responsible for the publication of trust anchors for the root zone of the Domain Name System. This document outlines the strategy by which those trust anchors are published, and specifies initial mechanisms to be implemented in conjunction with the initial signing of the root zone. - DNSSEC Deployment for the Root
Zone
This document describes a plan for a controlled deployment of DNSSEC in the root zone of the DNS. - Root Zone DNSSEC KSK Ceremonies
Guide
This draft document specifies key ceremonies to be executed by the Root Zone Key Signing Key Operator in the deployment of DNSSEC. - Trusted Community Representatives –
Proposed Approach to Root Key Management
This draft document describes a proposed approach to root key management by inviting recognized members of the DNS technical community to be part of the key generation, key backup and key signing process for the root. - Resolver Testing with a
DURZ
This document describes the results of testing popular DNS resolvers with a Deliberately-Unvalidatable Root Zone (DURZ) - Guide to placing TLD trust anchors in the
root zone
As with other changes to the root zone today, the ICANN Root Zone Management team will be responsible for receiving and processing requests to add and remove DS records to the root zone for top-level domain operators. This document outlines in more detail how that will be conducted, including a proposed revision to the TLD change template for acceptance of DS records. - DNSSEC Key Management Implementation for
the Root Zone
This document describes key management implementation for the KSK and ZSK operator in the deployment of DNSSEC in the root zone of the DNS. - DNSSEC Test Plan for the Root
Zone
This document describes the test plan for the deployment of DNSSEC in the root zone of the DNS.
Presentations
- APNIC and APOPS — 24-27 August 2010
- AusNOG — 16-17 September 2010
- IETF 78 — Project Update
- LACNIC XIII — Project Overview
- NANOG 49 — Project Update
- ICANN 38 — DNSSEC Session
- RIPE 60 — Project Update; Trusted Community Representatives
- MENOG 6 — Project Overview
- IETF 77 — IEPG Presentation; Questions and Answers
- NANOG 48 — Project Overview; DURZ Data Analysis
- NZNOG 2010 — Project Overview; DURZ on L-root
- IETF 76 — IEPG Presentation; Questions and Answers
- Internetdagarna 2009 — Project Overview; Deployment Status
- ICANN 36 — Project Overview
- NANOG 47 — Project Overview; Deployment Status
- RIPE 59 — Project Overview; Deployment Status
First KSK Rollover Project (2015-2018)
Commencing in 2015, a community design team was formed to develop recommendations on how to perform the first "KSK rollover", replacing the Root Zone Key Signing Key as required by our DNSSEC Practice Statement. These recommendations were operationalized, and the first KSK rollover resulted in the generation of a new KSK in October 2016, and replacing the KSK in the root zone in October 2018.
- Root KSK Rollover Project Page — Find detailed information on the planning and implementation of this project.
- Root KSK Rollover Plan (Design Team Recommendations, 2016-03-07)