Launch FAQ

This material is archived for historical purposes only. It should not be relied upon to provide accurate current information.

Deliberately Unvalidatable Root Zone (DURZ)

Where can I get a copy of the signed root?

The signed root is available via AXFR from any of the following nameservers:


Will the domain zone be signed as well?

The current position is that will not be signed initially, as its signatures are not needed to validate the signed root.

Trusted Community Representatives (TCR)

Will ICANN pay for travel?

No, ICANN will presently not pay for expenses related to a TCR role.

What part of the TCR Statement of Interest will be published?

A list of names and country of citizenship of the TCR candidates will be published, but any details (e.g. references) submitted will be kept confidential.

How long is the key ceremony?

The first ceremony – in which the keys are generated – is the most time consuming, and will be performed in two phases (one in each facility), each taking about 6 hours.

Subsequent ceremonies – when the ZSK key signing requests (KSR) are being signed – will be performed at one of the facilities and takes about 4 hours.

How often should a CO expect to travel to a ceremony?

To handle travel problems (e.g., delayed flights), ICANN will call more than 3 Crypto Officers (CO) for each ceremony. That makes 1-2 travels per year for the average crypto officer, as the two (2) sets of Crypto Officers are normally called alternately.

For the first ceremony, all Crypto Officers are required at their assigned facility.

How often should a RKSH expect to travel to a ceremony?

Except for the very first ceremony, in which the Recovery Key Share Holders (RKSH) are needed for both phases (and thus has to travel between the east and west coast facilities), the RKSH are not expected to travel to a ceremony except in case of a key management emergency.

Can a RKSH pass international borders with its RKSH smart card?

As the contents of the card does not contain a complete cryptographic key, only a small fragment of one, we do not expect any general import/export restrictions on the smart card.

It is safe to pass the smart card through airport x-ray and security screening, just like it is safe to pass your EMV credit card or the like.

Where should the RKSH keep its smart card?

A safe deposit box (or equivalent) at the recover key share holder’s local bank is a good choice. The smart card should be protected from theft and physical damage (e.g., fire, flooding).

What type of inventory of are the RKSH expected to performed?

The KSK operator DNSSEC Practice Statement (DPS) states that an inventory of Recovery Key Shares should be performed annually. This will typically be performed by having each RKSH submit a picture of its key share together with an ICANN-supplied secret phrase.

What happens if a RKSH loses its key share?

If more than one key share is lost, ICANN will start to plan to re-split the recovery key and recommission the share holders.