Deploy360 Domain Name System Security Extensions (DNSSEC)

Two Years Ago This Week, The Root Zone of DNS Was Signed With DNSSEC

Via a tweet from the ICANN DNS Ops team this morning, we were reminded that it was two years ago this week when the root zone of DNS was signed with DNSSEC and we could start validating the global “chain of trust” from the very beginning of the DNS tree.

As noted on, the timeline for the final signing of the root occurred over a one-month period:

  • June 16, 2010 – First key signing ceremony at the ICANN data center in Culpeper, Virginia.
  • July 12, 2010 – Second key signing ceremony at the ICANN data center in El Segundo, California.
  • July 15, 2010 – The signed root zone was publicly available.

Once the signed root zone was published on July 15, 2010, it made possible all the DNSSEC validation and usage that we are able to do today using the full global chain of trust.

For those interested in what was happening behind the scenes and the intense amount of security put in place around the key ceremonies, the annotated scripts for Ceremony 1 (June 16) and Ceremony 2 (July 12) make for an interesting view into the process.  The “script exceptions” at the end of each document, in particular, show the human side of the process and that even with the best of preparations sometimes things go wrong.  All in all a rather complete and interesting process.

Congratulations to all involved in the key signing two years ago! (Many of whose names appear regularly in our DNSSEC resources or DNSSEC-related blog posts.)