Cloudflare

Amsterdam Netherlands jabley@cloudflare.com

Kirei AB

jakob@kirei.se

Independent

guillaumebailey@outlook.com

ICANN

paul.hoffman@icann.org

OPS dnsop The root zone of the global Domain Name System (DNS) is cryptographically signed using DNS Security Extensions (DNSSEC). In order to obtain secure answers from the root zone of the DNS using DNSSEC, a client must configure a suitable trust anchor. This document describes the format and publication mechanisms IANA uses to distribute the DNSSEC trust anchors. This document obsoletes RFC 7958.

Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .

Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

• .  Introduction
  • .  Definitions
• .  IANA DNSSEC Root Zone Trust Anchor Format and Semantics
  • .  XML Syntax
  • .  XML Semantics
  • .  XML Example
• .  Root Zone Trust Anchor Retrieval
  • .  Retrieving Trust Anchors with HTTPS and HTTP
  • .  Accepting DNSSEC Trust Anchors
  • .  Changes in the Trust Model for Distribution
• .  Security Considerations
  • .  Security Considerations for Relying Parties
    • .  validUntil
    • .  Comparison of Digest and publickeyinfo
    • .  Different Outputs from Processing the Trust Anchor File
• .  IANA Considerations
• .  References
  • .  Normative References
  • .  Informative References
• .  Changes from RFC 7958
• .  Historical Note
• Acknowledgements
• Authors' Addresses

Introduction The global Domain Name System (DNS) is described in and . DNS Security Extensions (DNSSEC) are described in . In the DNSSEC protocol, Resource Record Sets (RRsets) are signed cryptographically. This means that a response to a query contains signatures that allow the integrity and authenticity of the RRset to be verified. DNSSEC signatures are validated by following a chain of signatures to a "trust anchor". The reason for trusting a trust anchor is outside the DNSSEC protocol, but having one or more trust anchors is required for the DNSSEC protocol to work. The publication of trust anchors for the root zone of the DNS is an IANA function performed by ICANN, through its affiliate Public Technical Identifiers (PTI). A detailed description of corresponding key management practices can be found in . This document describes the formats and distribution methods of DNSSEC trust anchors that are used by IANA for the root zone of the DNS. Other organizations might have different formats and mechanisms for distributing DNSSEC trust anchors for the root zone; however, most operators and software vendors have chosen to rely on the IANA trust anchors. The formats and distribution methods described in this document are a complement to, not a substitute for, the automated DNSSEC trust anchor update protocol described in . That protocol allows for secure in-band succession of trust anchors when trust has already been established. This document describes one way to establish an initial trust anchor that can be used by the mechanism defined in . This document obsoletes .

Definitions The term "trust anchor" is used in many different contexts in the security community. Many of the common definitions conflict because they are specific to a specific system, such as just for DNSSEC or just for S/MIME messages. In cryptographic systems with hierarchical structure, a trust anchor is an authoritative entity for which trust is assumed and not derived. The format of the entity differs in different systems, but all common uses of the term "trust anchor" share the basic idea that the decision to trust this entity is made outside of the system that relies on it. The root zone trust anchor formats published by IANA are defined in . defines a trust anchor as a "configured DNSKEY RR or DS RR hash of a DNSKEY RR". Note that the formats defined here do not match the definition of "trust anchor" from ; however, a system that wants to convert the trusted material from IANA into a Delegation Signer (DS) RR can do so. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

IANA DNSSEC Root Zone Trust Anchor Format and Semantics IANA publishes trust anchors for the root zone as an XML document that contains the hashes of the DNSKEY records and optionally the keys from the DNSKEY records. This format and the associated semantics are described in the rest of this section. Note that the XML document can have XML comments. For example, IANA might use these comments to add pointers to important information on the IANA website. XML comments are only used as human-readable commentary, not extensions to the grammar. The XML document contains a set of hashes for the DNSKEY records that can be used to validate the root zone. The hashes are consistent with the defined presentation format of a DS resource. The XML document can also contain the keys and flags from the DNSKEY records. The keys and flags are consistent with the defined presentation format of a DNSKEY resource. Note that the hashes are mandatory in the syntax, but the keys are optional.

XML Syntax Below is the RELAX NG Compact Schema for the documents used to publish trust anchors: datatypes xsd = "http://www.w3.org/2001/XMLSchema-datatypes" start = element TrustAnchor { attribute id { xsd:string }, attribute source { xsd:string }, element Zone { xsd:string }, keydigest+ } keydigest = element KeyDigest { attribute id { xsd:string }, attribute validFrom { xsd:dateTime }, attribute validUntil { xsd:dateTime }?, element KeyTag { xsd:nonNegativeInteger { maxInclusive = "65535" } }, element Algorithm { xsd:nonNegativeInteger { maxInclusive = "255" } }, element DigestType { xsd:nonNegativeInteger { maxInclusive = "255" } }, element Digest { xsd:hexBinary }, publickeyinfo? } publickeyinfo = element PublicKey { xsd:base64Binary }, element Flags { xsd:nonNegativeInteger { maxInclusive = "65535" } }

XML Semantics The TrustAnchor element is the container for all of the trust anchors in the file. The id attribute in the TrustAnchor element is an opaque string that identifies the set of trust anchors. Its value has no particular semantics. Note that the id attribute in the TrustAnchor element is different than the id attribute in the KeyDigest element described below. The source attribute in the TrustAnchor element gives information about where to obtain the TrustAnchor container. It is likely to be a URL and is advisory only. The Zone element in the TrustAnchor element states to which DNS zone this container applies. The Zone element is in presentation format as specified in , including the trailing dot. The root zone is indicated by a single period (.) character without any quotation marks. The TrustAnchor element contains one or more KeyDigest elements. Each KeyDigest element represents the digest of a past, current, or potential future DNSKEY record of the zone defined in the Zone element. The values for the elements in the KeyDigest element are defined in . The IANA registries for DNSSEC-related values are described in . The id attribute in the KeyDigest element is an opaque string that identifies the hash. Note that the id attribute in the KeyDigest element is different than the id attribute in the TrustAnchor element described above. The validFrom and validUntil attributes in the KeyDigest element specify the range of times that the KeyDigest element can be used as a trust anchor. The KeyTag element in the KeyDigest element contains the key tag for the DNSKEY record represented in this KeyDigest. The Algorithm element in the KeyDigest element contains the DNSSEC signing algorithm identifier for the DNSKEY record represented in this KeyDigest. The DigestType element in the KeyDigest element contains the DNSSEC digest algorithm identifier for the DNSKEY record represented in this KeyDigest. The Digest element in the KeyDigest element contains the hexadecimal representation of the hash for the DNSKEY record represented in this KeyDigest. The publickeyinfo named pattern in the KeyDigest element contains two mandatory elements: the base64 representation of the public key for the DNSKEY record represented in this KeyDigest and the flags of the DNSKEY record represented in this KeyDigest. The publickeyinfo named pattern is optional and is new in this specification. It can be useful when IANA has a trust anchor that has not yet been published in the DNS root and for calculating a comparison to the Digest element.

XML Example The following is an example of what the trust anchor file might look like. The full public key is only given for a trust anchor that does not have a validFrom time in the past. <?xml version="1.0" encoding="UTF-8"?> <TrustAnchor id="E9724F53-1851-4F86-85E5-F1392102940B" source="http://data.iana.org/root-anchors/root-anchors.xml"> <Zone>.</Zone> <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00"> <!-- This key is no longer valid, since validUntil is in the past --> <KeyTag>19036</KeyTag> <Algorithm>8</Algorithm> <DigestType>2</DigestType> <Digest> 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 </Digest> </KeyDigest> <KeyDigest id="Klajeyz" validFrom="2017-02-02T00:00:00+00:00"> <KeyTag>20326</KeyTag> <Algorithm>8</Algorithm> <DigestType>2</DigestType> <Digest> E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D </Digest> <PublicKey> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4Rg WOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQ uCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj /EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Ap xz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXG Xws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= </PublicKey> <Flags>257</Flags> </KeyDigest> <!-- The following is called "KSK-2024" as a shorthand name --> <KeyDigest id="Kmyv6jo" validFrom="2024-07-18T00:00:00+00:00"> <KeyTag>38696</KeyTag> <Algorithm>8</Algorithm> <DigestType>2</DigestType> <Digest> 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16 </Digest> </KeyDigest> </TrustAnchor> The DS RRset derived from this example is: . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D . IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16 Note that this DS record set only has two records. A potential third record, one that includes the key tag 19036, is already invalid based on the validUntil attribute's value and is thus not part of the trust anchor set. The DNSKEY RRset derived from this example is: . IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= Note that this DNSKEY record set only has one record. A potential second record, one based on the key tag 19036, is already invalid based on the validUntil attribute's value and is thus not part of the trust anchor set. Another potential second record, one based on the key tag 38696, does not contain the optional publickeyinfo named pattern; therefore, the DNSKEY record for it cannot be calculated.

Root Zone Trust Anchor Retrieval

Retrieving Trust Anchors with HTTPS and HTTP Trust anchors are available for retrieval using HTTPS and HTTP. In this section, all URLs are given using the "https:" scheme. If HTTPS cannot be used, replace the "https:" scheme with "http:". The URL for retrieving the set of hashes in the XML document described in is .

Accepting DNSSEC Trust Anchors A validator operator can choose whether or not to accept the trust anchors described in this document using whatever policy they want. In order to help validator operators verify the content and origin of trust anchors they receive, IANA uses digital signatures that chain to an ICANN-controlled Certificate Authority (CA) over the trust anchor data. It is important to note that the ICANN CA is not a DNSSEC trust anchor. Instead, it is an optional mechanism for verifying the content and origin of the XML and certificate trust anchors. The content and origin of the XML document can be verified using a digital signature on the file. IANA provides a detached Cryptographic Message Syntax (CMS) signature that chains to the ICANN CA with the XML document. This can be useful for validator operators who have received a copy of the ICANN CA's public key in a trusted out-of-band fashion. The URL for a detached CMS signature for the XML document is . Another method IANA uses to help validator operators verify the content and origin of trust anchors they receive is to use the Transport Layer Security (TLS) protocol for distributing the trust anchors. Currently, the CA used for "data.iana.org" is well known, that is, one that is a WebTrust-accredited CA. If a system retrieving the trust anchors trusts the CA that IANA uses for the "data.iana.org" web server, HTTPS SHOULD be used instead of HTTP in order to have assurance of data origin.

Changes in the Trust Model for Distribution IANA used to distribute trust anchors as a self-signed Pretty Good Privacy (PGP) message and as a self-issued certificate signing request; this was described in . This document removes those methods because they rely on a trust model that mixes out-of-band trust of authentication keys with out-of-band trust of the DNSSEC root keys. Note, however, that cryptographic assurance for the contents of the trust anchor now comes from the Web PKI or the ICANN CA as described in . This cryptographic assurance is bolstered by informal comparisons made by users of the trust anchors, such as software vendors comparing the trust anchor files they are using.

Security Considerations This document describes how DNSSEC trust anchors for the root zone of the DNS are published. Many DNSSEC clients will only configure IANA-issued trust anchors for the DNS root to perform validation. As a consequence, reliable publication of trust anchors is important. This document aims to specify carefully the means by which such trust anchors are published, with the goal of making it easier for those trust anchors to be integrated into user environments. Some of the methods described (such as accessing over the Web with or without verifying the signature on the file) have different security properties; users of the trust anchor file need to consider these when choosing whether to load the set of trust anchors.

Security Considerations for Relying Parties The body of this document does not specify any particular behavior for relying parties. Specifically, it does not say how a relying party should treat the trust anchor file as a whole. However, some of the contents of the trust anchor file require particular attention for relying parties.

validUntil Note that the validUntil attribute of the KeyDigest element is optional. If the relying party is using a trust anchor that has a KeyDigest element that does not have a validUntil attribute, it can change to a trust anchor with a KeyDigest element that does have a validUntil attribute, as long as that trust anchor's validUntil attribute is in the future and the KeyTag, Algorithm, DigestType, and Digest elements of the KeyDigest are the same as those in the previous trust anchor. Relying parties SHOULD NOT use a KeyDigest outside of the time range given in the validFrom and validUntil attributes.

Comparison of Digest and publickeyinfo A KeyDigest element can contain both a Digest and a publickeyinfo named pattern. If the Digest element would not be a proper DS record for a DNSKEY record represented by the publickeyinfo named pattern, relying parties MUST NOT use that KeyDigest as a trust anchor. A relying party that wants to make such a comparison needs to marshal the elements of the DNSKEY record that became the DS record using the algorithm specified in . Relying parties need to implement trust anchor matching carefully. A single trust anchor represented by a KeyDigest element can potentially change its Digest and KeyTag values between two versions of the trust anchor file, for example, when the key is revoked or the flag value changes for some other reason. Relying parties that fail to take this property into account are at risk of using an incorrect set of trust anchors.

Different Outputs from Processing the Trust Anchor File Relying parties that require the optional publickeyinfo named pattern to create trust anchors will store fewer trust anchors than those that only require a Digest element. Thus, two systems processing the same trust anchor file can end up with a different set of trust anchors.

IANA Considerations Each time IANA produces a new trust anchor, it MUST publish that trust anchor using the format described in this document. IANA MAY delay the publication of a new trust anchor for operational reasons, such as having a newly created key in multiple facilities. When a trust anchor that was previously published is no longer suitable for use, IANA MUST update the trust anchor file accordingly by setting a validUntil date for that trust anchor. The validUntil attribute that is added MAY be a date in the past or in the future, depending on IANA's operational choices. More information about IANA's policies and procedures for how the cryptographic keys for the DNS root zone are managed (also known as "DNSSEC Practice Statements" or "DPSs") can be found at . defined id-mod-dns-resource-record, value 70, which was added to the "SMI Security for PKIX Module Identifier" registry. This document does not use that identifier.

References Normative References This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them. This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS-TRACK] This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK] This document describes a means for automated, authenticated, and authorized updating of DNSSEC "trust anchors". The method provides protection against N-1 key compromises of N keys in the trust point key set. Based on the trust established by the presence of a current anchor, other anchors may be added at the same place in the hierarchy, and, ultimately, supplant the existing anchor(s). This mechanism will require changes to resolver management behavior (but not resolver resolution behavior), and the addition of a single flag bit to the DNSKEY record. [STANDARDS-TRACK] This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK] The root zone of the Domain Name System (DNS) has been cryptographically signed using DNS Security Extensions (DNSSEC). In order to obtain secure answers from the root zone of the DNS using DNSSEC, a client must configure a suitable trust anchor. This document describes the format and publication mechanisms IANA has used to distribute the DNSSEC trust anchors. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document changes the review requirements needed to get DNSSEC algorithms and resource records added to IANA registries. It updates RFC 6014 to include hash algorithms for Delegation Signer (DS) records and NextSECure version 3 (NSEC3) parameters (for Hashed Authenticated Denial of Existence). It also updates RFCs 5155 and 6014, which have requirements for DNSSEC algorithms, and updates RFC 8624 to clarify the implementation recommendation related to the algorithms described in RFCs that are not on the standards track. The rationale for these changes is to bring the requirements for DS records and hash algorithms used in NSEC3 in line with the requirements for all other DNSSEC algorithms. This document describes the DNS Security Extensions (commonly called "DNSSEC") that are specified in RFCs 4033, 4034, and 4035, as well as a handful of others. One purpose is to introduce all of the RFCs in one place so that the reader can understand the many aspects of DNSSEC. This document does not update any of those RFCs. A second purpose is to state that using DNSSEC for origin authentication of DNS data is the best current practice. A third purpose is to provide a single reference for other documents that want to refer to DNSSEC. Informative References Root Zone KSK Operator Policy Management Authority OASIS Committee Specification

Changes from RFC 7958 This document includes the following changes:

• Made a significant technical change per Erratum ID 5932. This change is in the seventh paragraph of .
• Added the optional publickeyinfo named pattern with two mandatory elements, PublicKey and Flags.
• Removed the certificates and certificate signing mechanisms.
• Removed the detached OpenPGP signature mechanism.
• Updated the reference to the DNSSEC Practice Statement .
• Stated explicitly that the XML documents might have XML comments in them.
• Clarified the use of the detached CMS signature.
• Updated the section to indicate requirements on IANA.
• Simplified the description of using the validFrom and validUntil attributes.
• Added new security considerations.
• Made some editorial changes.

Historical Note The first Key Signing Key (KSK) for use in the root zone of the DNS was generated at a key ceremony at the ICANN Key Management Facility (KMF) in Culpeper, Virginia, USA on 2010-06-16. This key entered production during a second key ceremony held at an ICANN KMF in El Segundo, California, USA on 2010-07-12. The resulting trust anchor was first published on 2010-07-15. The second KSK for use in the root zone of the DNS was generated at key ceremony #27 at the ICANN KMF in Culpeper, Virginia, USA on 2016-10-27. This key entered production during key ceremony #28 held at the ICANN KMF in El Segundo, California, USA on 2017-02-02. The resulting trust anchor was first published on 2018-11-11. More information about the key ceremonies, including full records of previous ceremonies and plans for future ceremonies, can be found at .

Acknowledgements Many pioneers paved the way for the deployment of DNSSEC in the root zone of the DNS, and the authors hereby acknowledge their substantial collective contribution. RFC 7958 incorporated suggestions made by and , whose contributions are appreciated.

Authors' Addresses Cloudflare

Amsterdam Netherlands jabley@cloudflare.com

Kirei AB

jakob@kirei.se

Independent

guillaumebailey@outlook.com

ICANN

paul.hoffman@icann.org