As many of you know already, Kirei - as part of the Root DNSSEC Design Team, and on behalf of ICANN - has a central role in implementing DNSSEC for the Root Zone. The team, consisting of a group of Internet and security experts from ICANN, VeriSign and Kirei, has been working closely together with the primary objective of implementing a stable and secure solution for DNSSEC at the Root Zone ready by July 2010.

For the last 10 months, we’ve been working on a number of important issues, including:

  • Designing the overall system- and security architecture of the signer and key management system based on the requirements from U.S. Department of Commerce, National Telecommunications and Information Administration (DoC/NTIA).
  • Drafting the DNSSEC Practice Statement (DPS) for the KSK and ZSK holder (i.e. ICANN and VeriSign, respectively), and publishing of a DPS framework for other registries to benefit from
  • Communicating the progress and gather feedback from the community
  • Establishing of Trust anchor publication mechanisms
  • Increasing transparency and community trust by introduction of the Trusted Community Representatives into the signing process
  • Defining physical security controls and requirements for the KSK operators facilities
  • Preparation to undergo a SysTrust examination of the Root Zone KSK Operator function
  • Work out key ceremonies, testing of the scripts and carry out rehearsals
  • Develop deployment plans and interface with the root server operators
  • Perform testing of resolver implementations

Kirei is very proud to be part of this landmark project and believe that a signed root is an important step for improving the security of the DNS infrastructure.

For more information about DNSSEC for the Root Zone, please visit the website at