Skip to Content


Availability of Testing and Evaluation Report and Intent To Proceed With the Final Stages of Domain Name System Security Extensions Implementation in the Authoritative Root Zone

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document including its time on Public Inspection. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


National Telecommunications and Information Administration, Department of Commerce.




The Department of Commerce's National Telecommunications and Information Administration (NTIA) announces the availability of the Domain Name System Security Extensions (DNSSEC) testing and evaluation report and NTIA's intent to proceed with the final stages of DNSSEC deployment in the authoritative root zone. As part of this notice, NTIA is providing a public review and comment period on the testing and evaluation report and the commencement of the final stage of the DNSSEC deployment before taking any action.


Comments must be submitted by June 21, 2010.


Written comments may be submitted by mail to Fiona Alexander, Associate Administrator, Office of International Affairs, National Telecommunications and Information Administration, US Department of Commerce, 1401 Constitution Avenue, NW., Room 4701, Washington, DC 20230. Written comments may also be sent by facsimile to (202) 482-1865 or electronically via electronic mail to Comments will be posted on NTIA's Web site at​DNS/​DNSSEC.html.

Start Further Info


For further information about this notice, please contact Ashley Heineman at (202) 482-0298 or

End Further Info End Preamble Start Supplemental Information


The Domain Name and Addressing System (DNS) is a distributed hierarchical system that converts domain names (e.g., into the numerical Internet Protocol (IP) addresses (e.g., The accuracy, integrity, and availability of the information supplied by the DNS is essential to the operation of any system or service that uses the Internet.

However, the DNS was not originally designed with strong security mechanisms, and technological advances have made it easier to successfully exploit vulnerabilities. Such exploits include distributing false DNS information and improperly re-directing Internet users to bogus Web sites.

To mitigate these vulnerabilities, the Internet Engineering Task Force (IETF),[1] using the same open standards process used to develop the core DNS protocols, developed a set of protocol security extensions known as DNSSEC. DNSSEC was designed to support authentication of the source and integrity of information stored in the DNS using public key cryptography and a hierarchy of digital signatures.

On October 9, 2008, NTIA issued a Notice of Inquiry (NOI) seeking input from the community regarding DNSSEC implementation at the Root Zone.[2] NTIA received many comments in response to the NOI. The comments NTIA received from the Internet community indicated that DNSSEC should be implemented at the Root Zone level as soon as practically possible in a manner that maintains the security and stability of the DNS. Thus, NTIA, in conjunction with the National Institute for Standards and Technology (NIST), announced in June 2009 that it would work with the Internet Corporation for Assigned Names and Numbers (ICANN) and VeriSign to deploy DNSSEC at the authoritative root zone of the Internet.[3] Subsequently, these parties initiated work on DNSSEC deployment including the development of detailed documentation and consultation with experts within the Internet technical community.[4]

Prior to NTIA providing authorization to proceed with the final stages of deployment, ICANN and VeriSign agreed to document and evaluate all DNSSEC testing and implementation efforts taken at the authoritative root zone and submit a final report to NTIA for its review and approval.[5]

On May 31, 2010, ICANN and VeriSign submitted their testing and evaluation report.[6] With the submission of the testing and evaluation report, ICANN and VeriSign also formally requested NTIA authorization to proceed with the final stages of DNSSEC deployment at the authoritative root zone. NTIA and NIST have reviewed the testing and evaluation report and conclude that DNSSEC is ready for the final stages of deployment at the authoritative root zone. NTIA hereby announces its intent to authorize the final stages of deployment, which include the publication of the root DNSSEC trust anchor [7] and the distribution of a DNSSEC validatable root zone with an anticipated completion date of July 15, 2010.

Review and Comment Period:

Before NTIA takes any action to authorize the final stage of DNSSEC deployment at the authoritative root zone, NTIA seeks public comment on the intended action. NTIA welcomes comments from the public relevant to the DNSSEC testing and evaluation report and/or NTIA's notice of intent to proceed with the final stages of DNSSEC deployment at the authoritative root zone. Comments must be submitted by June 21, 2010.

Start Signature

Dated: June 3, 2010.

Lawrence E. Strickling,

Assistant Secretary for Communications and Information.

End Signature End Supplemental Information


1.  The IETF is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual. For more information see

Back to Citation

2.  Enhancing the Security and Stability of the Internet's Domain Name and Addressing System, 73 FR 59,608 (Oct. 9, 2008), available at​frnotices/​2008/​FR_​DNSSEC_​081009.pdf. The Root Zone is the top-level DNS zone in a Domain Name System (DNS) hierarchy.

Back to Citation

4.  This documentation is available at​documentation.

Back to Citation

5.  VeriSign's and ICANN's roles with regards to root zone management are pursuant to the Cooperative Agreement and IANA Functions Contract respectively.

Back to Citation

7.  In cryptography, a trust anchor is an authoritative entity represented via a public key and associated data. It is used in the context of public key infrastructures, digital certificates and DNSSEC.

Back to Citation

[FR Doc. 2010-13893 Filed 6-8-10; 8:45 am]