This requirements document was drafted jointly by the National Telecommunications and Information Administration and the National Institute of Standards and Technology. The purpose is to provide baseline architecture, security, and basic functionality requirements for the implementation and operation of DNSSEC at the root zone. NTIA and NIST have consulted with members of the Internet technical community as well as with its root zone management partners – ICANN and VeriSign. To the extent possible, input resulting from these consultations is reflected in the requirements.

High Level Architecture

This document describes the proposed architecture for DNSSEC deployment at the root of the DNS resulting from ongoing discussions between VeriSign and ICANN based on requirements set forth by the U.S. Department of Commerce (DoC). It is only meant to be a high-level description of the design. Details are to be contained in accompanying documentation.

Policy and Practice Statements

This DPS documents are the DNSSEC Policy and Practice Statements for the Root Zone KSK and ZSK operator and states the practices and provisions that are employed providing Root Zone Signing and Zone distribution services that include, but are not limited to, issuing, managing, changing and distributing DNS keys in accordance with the specific requirements of the U.S. Department of Commerce, National Telecommunication and Information Administration.

Trust Anchor Publication for the Root Zone

ICANN, as IANA Functions Operator, is responsible for the publication of trust anchors for the root zone of the Domain Name System.

This document outlines the strategy by which those trust anchors are published, and specifies initial mechanisms to be implemented in conjunction with the initial signing of the root zone.

DNSSEC Deployment for the Root Zone

This document describes a plan for a controlled deployment of DNSSEC in the root zone of the DNS.

Root Zone DNSSEC KSK Ceremonies Guide

This draft document specifies key ceremonies to be executed by the Root Zone Key Signing Key Operator in the deployment of DNSSEC.

TCR – Proposed Approach to Root Key Management

This draft document describes a proposed approach to root key management by inviting recognized members of the DNS technical community to be part of the key generation, key backup and key signing process for the root.

Resolver Testing with a DURZ

This document describes the results of testing popular DNS resolvers with a Deliberately-Unvalidatable Root Zone (DURZ).

DS Record Handling for the Root Zone

As with other changes to the root zone today, the ICANN Root Zone Management team will be responsible for receiving and processing requests to add and remove DS records to the root zone for top-level domain operators. This document outlines in more detail how that will be conducted, including a proposed revision to the TLD change template for acceptance of DS records.

DNSSEC Key Management Implementation for the Root Zone

This document describes key management implementation for the KSK and   ZSK operator in the deployment of DNSSEC in the root zone of the DNS.

DNSSEC Test Plan for the Root Zone

This document describes the test plan for the deployment of DNSSEC in the root zone of the DNS.