This website contains announcements, releases and other pertinent information about the deployment of DNSSEC for the root zone.

DNSSEC for the root zone is a joint effort between ICANN and VeriSign, with support from the U.S. Department of Commerce.

Final deployment was completed on schedule – the root is now signed

The Root Trust Anchor can be found at the IANA DNSSEC website.

High Level Timeline

  • December 1, 2009: Root zone signed for internal use by VeriSign and ICANN.  ICANN and VeriSign exercise interaction protocols for signing the ZSK with the KSK.
  • January, 2010: The first root server begins serving the signed root in the form of the DURZ (deliberately unvalidatable root zone). The DURZ contains unusable keys in place of the root KSK and ZSK to prevent these keys being used for validation.
  • Early May, 2010: All root servers are now serving the DURZ.  The effects of the larger responses from the signed root, if any, would now be encountered.
  • May and June, 2010: The deployment results are studied and a final decision to deploy DNSSEC in the root zone is made.
  • June 16, 2010: ICANN holds first KSK ceremony event in Culpeper, VA, USA
  • July 12, 2010: ICANN holds second KSK ceremony event in El Segundo, CA, USA
  • July 15, 2010: ICANN publishes the root zone trust anchor and root operators begin to serve the signed root zone with actual keys – The signed root zone is available.