ICANN's First DNSSEC Key Ceremony for the Root Zone

The global deployment of Domain Name System Security Extensions (DNSSEC) will achieve an important milestone on June 16, 2010 as ICANN hosts the first production DNSSEC key ceremony in a high security data centre in Culpeper, VA, outside of Washington, DC.

Secure data center in Culpeper, VA - location of first DNSSEC key signing ceremony

During the key ceremony the first cryptographic digital key used to secure the Internet root zone will be generated and securely stored.

Each key ceremony consists of a series of detailed procedures designed to allow the private key material for the root zone to be managed in a transparent yet secure manner. The goal is for the whole Internet community to be able to trust that the procedures involved were executed correctly, and that the private key materials are stored securely.

Security of the private key is important because it ensures that any signature made with that key is known to originate from a legitimate key ceremony, and not from an untrusted third party.

Each key ceremony will involve ICANN staff together with 14 volunteers known as Trusted Community Representatives (TCRs). Each TCR is a respected member of the technical Domain Name System (DNS) community in their home country. They are also unaffiliated with ICANN, VeriSign or the US Department of Commerce, and each has been assigned a separate key management role within the ceremony. The involvement of these independent participants provides transparency of process -- a successful key ceremony is only possible if the TCRs involved are satisfied that all steps were executed accurately and correctly. The ceremony and its associated systems and processes will also be subject to a SysTrust audit.

The deployment of DNSSEC in the root zone of the DNS provides benefits for those who publish information in the DNS, and for those who retrieve it. Top-Level Domain (TLD) managers and end-users alike will benefit from being able to publish and locate cryptographic key material ("trust anchors") in the root zone. The root zone provides a consistent and convenient entry point to the security of the whole system.

A second key ceremony will take place in a second secure facility in Los Angeles in early July. By having two complete and independent facilities available, ICANN is able to ensure that key ceremonies can continue to occur in the event of an unexpected disaster in one location. Scheduled key ceremonies will take place four times annually, with two occurring in each location. Full deployment of DNSSEC in the root zone, using the key first generated in Culpeper, is scheduled to take place on July 15, 2010. Extensive documentation and related information about the project can be found at
