Trust Anchor - DOTGOV

Welcome to the .gov trust anchor web site.

This web page had previously published the .gov key-signing key (KSK) and recommended configuring the .gov KSK as a trust anchor on recursive name servers. With this configuration, the recursive name server would be able to validate digitally signed DNS information in the .gov domain.

As of 31 January 2011, configuring the .gov KSK as a trust anchor in recursive name servers is no longer required.

Background

The operator of the .gov domain name registry has changed: Verisign has been selected by the U.S. General Services Administration (GSA) to operate the domain name registry for .gov. As part of the operator transition, the .gov KSK has changed: a KSK roll for the .gov zone occurred on 31 January, 2011.

Any recursive name server with a .gov KSK configured as a trust anchor requires a change to its trust anchor configuration.

The new .gov KSK is not published in an authenticated manner outside DNS (e.g., on an SSL-protected web page such as this one). Rather, the mechanism for trusting the new .gov KSK is via the signed DNS root zone: DS records corresponding to the new .gov KSK are already present in the root zone.

Because the root zone has had DS records corresponding to the current .gov KSK since 27 October 2010, static configuration of a trust anchor for .gov is no longer strictly necessary. Instead, recursive name server operators who want to validate signed DNS information in the .gov domain should configure the root zone's KSK as a trust anchor rather than the .gov zone's KSK.

Because there will be no non-DNS-based mechanism to authenticate subsequent .gov KSKs, configuration of the .gov KSK as a trust anchor is not recommended.

Recommendations

If you have previously configured a trust anchor for .gov, take these steps to reconfigure your recursive name servers or all resolution of .gov names will likely fail after January 31, 2011:

If your recursive name servers do not have a trust anchor for the root zone configured, configure the root zone's KSK as a trust anchor. An authenticated version of the root zone's KSK is available at http://data.iana.org/root-anchors/. Pointers to more detailed information on this configuration for the BIND and Unbound recursive name servers may be found below.
If your recursive name servers have a trust anchor for the .gov zone configured, remove the .gov zone's KSK as a trust anchor from your name server's configuration.

If you follow both steps above, your recursive name servers should continue to validate names in .gov, but the .gov KSK will be authenticated via the signed root's KSK rather than a locally configured trust anchor.

Recursive name server trust anchor configuration details

For information about configuring the root zone's KSK as a trust anchor in the BIND recursive name server, please see this web page provided by the BIND developers:

https://www.isc.org/blogs/using-the-root-dnssec-key-in-bind-9-resolvers/

For information about configuring the root zone's KSK as a trust anchor in the Unbound recursive name server, please see this web page provided by the Unbound developers:

http://www.unbound.net/documentation/howto_anchor.html

More information

If you have any questions or comments, please send email to registrar@dotgov.gov.