
ICANN to Work with United States Government and VeriSign on Interim Solution to Core Internet Security Issue | Immediate security concerns addressed by DNSSEC

Washington, D.C.—June 3, 2009—ICANN will work with the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA), the National Institute of Standards and Technology (NIST) and VeriSign on the goal of an operationally Signed Root Zone as soon as feasible in 2009.

In a letter agreeing to participate, ICANN recognizes the urgency surrounding the issue of electronically signing the Internet’s "root zone" but stresses the need for this process to be interim.

"We’ve been working towards a signed root for more than three years. In fact, ICANN has operated a root zone signing test bed for more than two years. So ICANN is aware of the urgency around signing the root to enhance stability and security," Paul Twomey, President and CEO of ICANN, said.

"ICANN has agreed to work with VeriSign and the Department of Commerce to first test, and then have production deployment of DNS Security Extensions (DNSSEC) as soon as feasible without prejudice to any proposals that may be made for long term signing processes," said Twomey.

"There will of course need to be consultations with the Internet technical community as the testing and implementation plans are developed," he added.

The NTIA asked for input from the Internet community in October 2008 on the issue of securing the top level of the domain name system (DNS) from vulnerabilities that threaten the accuracy and integrity of the DNS data. Vulnerabilities in the existing DNS have become easier to exploit, to the extent that malicious parties may be able to distribute false DNS information and redirect Internet users.

Details of the process are still being worked on, but discussions among the Department of Commerce, VeriSign and ICANN have identified that VeriSign will manage and have operational responsibility for the Zone Signing Key in the interim arrangement, and that ICANN will manage the Key Signing Key process. ICANN will work closely with VeriSign regarding the operational and cryptographic issues involved.

"This is very important for the global community of Internet users. We will work closely with all participants on this crucial security initiative," Twomey said.

For more information on DNSSEC deployment, please visit:
