Trust Anchors and Keys

The Root Key Signing Key (KSK) acts as the DNSSEC trust anchor for the Domain Name System. This trust anchor is configured in DNSSEC-aware resolvers so that they can validate DNS data.

Root Zone Trust Anchor

File                Description
root-anchors.xml    DNS Root Trust Anchors (Updated 2017-02-03). Includes KSK-2010 and pre-published KSK-2017.
root-anchors.p7s    Signature to verify the DNS Root Trust Anchors file (S/MIME)
icannbundle.pem     Additional ICANN certificates for validating S/MIME signature

Note: Publication of a PGP signature for verification of the root anchors file has been discontinued in favour of S/MIME validation.


Attested output of 2010-06-16 KSK generation

Attested output of 2016-10-27 KSK generation