| || |
Welcome to the .gov trust anchor web site.
This web page had previously published the .gov key-signing key (KSK) and recommended configuring the .gov KSK as a trust anchor on recursive name servers. With this configuration, the recursive name server would be able to validate digitally signed DNS information in the .gov domain.
As of 31 January 2011, configuring the .gov KSK as a trust anchor in recursive name servers is no longer required.
The operator of the .gov domain name registry has changed: Verisign has been selected by the U.S. General Services Administration (GSA) to operate the domain name registry for .gov. As part of the operator transition, the .gov KSK has changed: a KSK roll for the .gov zone occurred on 31 January, 2011.
Any recursive name server with a .gov KSK configured as a trust anchor requires a change to its trust anchor configuration.
The new .gov KSK is not published in an authenticated manner outside DNS (e.g., on an SSL-protected web page such as this one). Rather, the mechanism for trusting the new .gov KSK is via the signed DNS root zone: DS records corresponding to the new .gov KSK are already present in the root zone.
Because the root zone has had DS records corresponding to the current .gov KSK since 27 October 2010, static configuration of a trust anchor for .gov is no longer strictly necessary. Instead, recursive name server operators who want to validate signed DNS information in the .gov domain should configure the root zone's KSK as a trust anchor rather than the .gov zone's KSK.
Because there will be no non-DNS-based mechanism to authenticate subsequent .gov KSKs, configuration of the .gov KSK as a trust anchor is not recommended.
If you have previously configured a trust anchor for .gov, take these steps to reconfigure your recursive name servers or all resolution of .gov names will likely fail after January 31, 2011:
If you follow both steps above, your recursive name servers should continue to validate names in .gov, but the .gov KSK will be authenticated via the signed root's KSK rather than a locally configured trust anchor.
Recursive name server trust anchor configuration details
For information about configuring the root zone's KSK as a trust anchor in the BIND recursive name server, please see this web page provided by the BIND developers:
For information about configuring the root zone's KSK as a trust anchor in the Unbound recursive name server, please see this web page provided by the Unbound developers:
If you have any questions or comments, please send email to email@example.com.