DNSSEC Project Archive

These are archived documents from specific community projects relating to the development and evolution of DNSSEC in the Root Zone. These documents should not be relied upon for up-to-date information on operations and are provided for historical purposes only.

Initial Design and Launch (2008-2010)

The DNS root zone began being signed in July 2010, following an extended process of consultation and design work. These documents are the historical archive of working documents from this process. These were originally published in a dedicated microsite at root-dnssec.org.


  • Project Status Updates
  • Project FAQ
  • TCR Selection
  • Testing and Implementation Requirements for the Initial Deployment of DNSSEC in the Authoritative Root Zone (2009-10-29)
    This requirements document was drafted jointly by the National Telecommunications and Information Administration and the National Institute of Standards and Technology. The purpose is to provide baseline architecture, security, and basic functionality requirements for the implementation and operation of DNSSEC at the root zone. NTIA and NIST have consulted with members of the Internet technical community as well as with its root zone management partners – ICANN and VeriSign. To the extent possible, input resulting from these consultations is reflected in the requirements.
  • DNSSEC Root Zone High Level Technical Architecture
    This document describes the proposed architecture for DNSSEC deployment at the root of the DNS resulting from ongoing discussions between VeriSign and ICANN based on requirements set forth by the U.S. Department of Commerce (DoC). It is only meant to be a high-level description of the design. Details are to be contained in accompanying documentation.
  • DNSSEC Practice Statement for the Root Zone KSK operator and the DNSSEC Practice Statement for the Root Zone ZSK operator
    This DPS documents are the DNSSEC Policy and Practice Statements for the Root Zone KSK and ZSK operator and states the practices and provisions that are employed providing Root Zone Signing and Zone distribution services that include, but are not limited to, issuing, managing, changing and distributing DNS keys in accordance with the specific requirements of the U.S. Department of Commerce, National Telecommunication and Information Administration.
  • Trust Anchor Publication for the Root Zone
    ICANN, as IANA Functions Operator, is responsible for the publication of trust anchors for the root zone of the Domain Name System. This document outlines the strategy by which those trust anchors are published, and specifies initial mechanisms to be implemented in conjunction with the initial signing of the root zone.
  • DNSSEC Deployment for the Root Zone
    This document describes a plan for a controlled deployment of DNSSEC in the root zone of the DNS.
  • Root Zone DNSSEC KSK Ceremonies Guide
    This draft document specifies key ceremonies to be executed by the Root Zone Key Signing Key Operator in the deployment of DNSSEC.
  • Trusted Community Representatives – Proposed Approach to Root Key Management
    This draft document describes a proposed approach to root key management by inviting recognized members of the DNS technical community to be part of the key generation, key backup and key signing process for the root.
  • Resolver Testing with a DURZ
    This document describes the results of testing popular DNS resolvers with a Deliberately-Unvalidatable Root Zone (DURZ)
  • Guide to placing TLD trust anchors in the root zone
    As with other changes to the root zone today, the ICANN Root Zone Management team will be responsible for receiving and processing requests to add and remove DS records to the root zone for top-level domain operators. This document outlines in more detail how that will be conducted, including a proposed revision to the TLD change template for acceptance of DS records.
  • DNSSEC Key Management Implementation for the Root Zone
    This document describes key management implementation for the KSK and ZSK operator in the deployment of DNSSEC in the root zone of the DNS.
  • DNSSEC Test Plan for the Root Zone
    This document describes the test plan for the deployment of DNSSEC in the root zone of the DNS.


First KSK Rollover Project (2015-2018)

Commencing in 2015, a community design team was formed to develop recommendations on how to perform the first "KSK rollover", replacing the Root Zone Key Signing Key as required by our DNSSEC Practice Statement. These recommendations were operationalized, and the first KSK rollover resulted in the generation of a new KSK in October 2016, and replacing the KSK in the root zone in October 2018.