<!doctype html> <html> <head> <title>DNSSEC Practice Statement</title> <meta charset="utf-8" /> <meta http-equiv="Content-type" content="text/html; charset=utf-8" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="stylesheet" href="/_css/2022/iana_website.css"/> <link rel="shortcut icon" type="image/ico" href="/_img/bookmark_icon.ico"/> <script type="text/javascript" src="/_js/jquery.js"></script> <script type="text/javascript" src="/_js/iana.js"></script> </head> <body> <header> <div id="header"> <div id="logo"> <a href="/"><img src="/_img/2022/iana-logo-header.svg" alt="Homepage"/></a> </div> <div class="navigation"> <ul> <li><a href="/domains">Domains</a></li> <li><a href="/protocols">Protocols</a></li> <li><a href="/numbers">Numbers</a></li> <!-- <li><a href="/news">News</a></li>--> <li><a href="/about">About</a></li> </ul> </div> </div> </header> <div id="body"> <article class="hemmed sidenav"> <main> <h1>Policies and Procedures</h1> <h2>DNSSEC Practice Statements</h2> <p>The DNSSEC Practice Statements represent the adopted policies against which the cryptographic keys for the DNS root zone are managed.</p> <table class="iana-table"> <thead> <tr> <th>Document</th> <th>Effective Date</th> </tr> </thead> <tr> <td><a href="/dnssec/procedures/ksk-operator/ksk-dps-20240315.html">Root Zone KSK Operator 7th Ed</a> (IANA Functions)</td> <td>2024-03-15</td> </tr> <tr> <td><a href="/dnssec/procedures/zsk-operator/dps-zsk-operator-v2.1.pdf">Root Zone ZSK Operator v2.1</a> (Root Zone Maintainer)</td> <td>2018-12-21</td> </tr> </table> <h2>Additional Procedures</h2> <p>The requirements of the DNSSEC Practice Statements are implemented by a series of policies and procedural documents. These documents are reviewed annually by the Root Zone KSK Policy Management Authority.</p> <table class="iana-table"> <thead> <tr> <th class="avoid-break">Title&nbsp;of&nbsp;Document</th> <th>Description</th> </tr> </thead> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Audit_and_Accountability_Policy_v3.6.pdf">KSK Audit and Accountability Policy v3.6</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes access to Key Management Facilities (KMFs) and operations involving the private component of the RZ KSK to remain traceable in time including the responsible party triggering the event.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Audit_Logging_Procedure_v3.6.pdf">KSK Audit Logging Procedure v3.6</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes recording access to Key Management Facilities (KMFs) and operations involving the private component of the RZ KSK including the parties involved and operations performed when access to a KMF or RZ KSK occurred.</td> </tr> <tr> <td class="avoid-break"><a href="/dnssec/procedures/ksk-operator/KSK_Disaster_Recovery_and_Business_Continuity_Procedure_v3.7.pdf">KSK Disaster Recovery and Business Continuity<br/>Procedure v3.7</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes requirements and recommendations to be performed by designated personnel, systems, and other means in disaster recovery scenarios in relation to RZ KSK operations.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Document_Management_Procedure_v3.6.pdf">KSK Document Management Procedure v3.6</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes the life cycle of supporting documents in relation to RZ KSK operations.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Emergency_Rollover_Plan_v3.6.pdf">KSK Emergency Rollover Plan v3.6</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes emergency RZ KSK rollovers in relation to RZ KSK operations, initiated if the RZ KSK Private Key has been irrecoverably lost or compromised.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Incident_Handling_Procedure_v3.6.pdf">KSK Incident Handling Procedure v3.6</a> <div class="cell-secondary">Effective 2024-03-15</div> </td> <td>Describes requirements and recommendations for handling security incidents, or events that could potentially be security incidents in relation to RZ KSK operations.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Information_Security_Policy_v3.6.pdf">KSK Information Security Policy v3.6</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes the establishment of preventive controls and measures for the identification, management, and monitoring of threats (whether internal or external, deliberate or accidental) to the information assets in relation to RZ KSK operations.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Key_Management_Policy_v3.7.pdf">KSK Key Management Policy v3.7</a> <div class="cell-secondary">Effective 2024-03-15</div> </td> <td>Describes risks associated with the management of cryptographic keys, proper mitigation of risks to an acceptable level, and the management and maintenance of this level of risk over time in relation to RZ KSK operations.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Key_Management_Procedure_v3.7.pdf">KSK Key Management Procedure v3.7</a> <div class="cell-secondary">Effective 2024-03-15</div> </td> <td>Describes requirements and recommendations for procedures to be performed by designated personnel, systems, and other means in relation to RZ KSK operations.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Password_Policy_v3.6.pdf">KSK Password Policy v3.6</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes requirements for managing passwords and personal identification numbers (PINs) in relation to RZ KSK operations.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Personnel_Security_Policy_v3.6.pdf">KSK Personnel Security Policy v3.6</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes responsibilities of staff, contractors, and third-party users to ensure understanding and suitability for the roles in which they are considered in relation to RZ KSK operations and seeks to mitigate risk from internal threats such as sabotage, espionage, denial of service, and in extreme cases, terrorism.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Physical_Access_Control_Procedure_v3.6.pdf">KSK Physical Access Control Procedure v3.6</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes responsibilities and provides recommendations to be performed by designated personnel, systems, and other means in relation to RZ KSK operations.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Physical_Security_Policy_v3.6.pdf">KSK Physical Security Policy v3.6</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes risks associated with physical security, proper mitigation of risks to an acceptable level, and the management and maintenance of this level of risk over time in relation to KSK operations.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_PMA_Charter_v3.6.pdf">KSK PMA Charter v3.6</a> <div class="cell-secondary">Effective 2024-03-15</div> </td> <td>Describes the structure and responsibility of the PMA and PMA members' roles and responsibilities in relation to RZ KSK operations.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Software_Maintenance_Procedure_v3.6.pdf">KSK Software Maintenance Procedure v3.6</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes the parameters of the key management software used by the RZ KSK Operator to create and maintain KSKs and to process Key Signing Requests (KSRs) submitted by the Zone Signing Key (ZSK) operator.</td> </tr> <tr> <td><a href="/dnssec/procedures/ksk-operator/KSK_Termination_Plan_v3.6.pdf">KSK Termination Plan v3.6</a> <div class="cell-secondary">Effective 2024-09-12</div> </td> <td>Describes a high-level plan for terminating and transferring the roles and responsibilities of the RZ KSK Operator to a successor.</td> </tr> </table> </main> <nav id="sidenav"> <div class="navigation_box"> <h2>Domain Names</h2> <ul> <li id="nav_dom_top"><a href="/domains">Overview</a></li> <li id="nav_dom_root"><a href="/domains/root">Root Zone Management</a></li> <ul id="nav_dom_root_sub"> <li id="nav_dom_root_top"><a href="/domains/root">Overview</a></li> <li id="nav_dom_root_db"><a href="/domains/root/db">Root Database</a></li> <li id="nav_dom_root_files"><a href="/domains/root/files">Hint and Zone Files</a></li> <li id="nav_dom_root_manage"><a href="/domains/root/manage">Change Requests</a></li> <li id="nav_dom_root_procedures"><a href="/domains/root/help">Instructions &amp; Guides</a></li> <li id="nav_dom_root_servers"><a href="/domains/root/servers">Root Servers</a></li> </ul> <li id="nav_dom_int"><a href="/domains/int">.INT Registry</a></li> <ul id="nav_dom_int_sub"> <li id="nav_dom_int_top"><a href="/domains/int">Overview</a></li> <li id="nav_dom_int_manage"><a href="/domains/int/manage">Register/modify an .INT domain</a></li> <li id="nav_dom_int_policy"><a href="/domains/int/policy">Eligibility</a></li> </ul> <li id="nav_dom_arpa"><a href="/domains/arpa">.ARPA Registry</a></li> <li id="nav_dom_idn"><a href="/domains/idn-tables">IDN Practices Repository</a></li> <ul id="nav_dom_idn_sub"> <li id="nav_dom_idn_top"><a href="/domains/idn-tables">Overview</a></li> <!-- <li id="nav_dom_idn_tables"><a href="/domains/idn-tables/db">Tables</a></li> --> <li id="nav_dom_idn_submit"><a href="/procedures/idn-repository.html">Submit a table</a></li> </ul> <li id="nav_dom_dnssec"><a href="/dnssec">Root Key Signing Key (DNSSEC)</a></li> <ul id="nav_dom_dnssec_sub"> <li id="nav_dom_dnssec_top"><a href="/dnssec">Overview</a></li> <li id="nav_dom_dnssec_ksk"><a href="/dnssec/files">Trust Anchors and Rollovers</a></li> <li id="nav_dom_dnssec_ceremonies"><a href="/dnssec/ceremonies">Key Signing Ceremonies</a></li> <li id="nav_dom_dnssec_dps"><a href="/dnssec/procedures">Policies &amp; Procedures</a></li> <li id="nav_dom_dnssec_tcrs"><a href="/dnssec/tcrs">Community Representatives</a></li> <li id="nav_dom_dnssec_archive"><a href="/dnssec/archive">Project Archive</a></li> </ul> <li id="nav_dom_special"><a href="/domains/reserved">Reserved Domains</a></li> </ul> </div> </nav> </article> </div> <footer> <div id="footer"> <table class="navigation"> <tr> <td class="section"><a href="/domains">Domain&nbsp;Names</a></td> <td class="subsection"> <ul> <li><a href="/domains/root">Root Zone Registry</a></li> <li><a href="/domains/int">.INT Registry</a></li> <li><a href="/domains/arpa">.ARPA Registry</a></li> <li><a href="/domains/idn-tables">IDN Repository</a></li> </ul> </td> </tr> <tr> <td class="section"><a href="/numbers">Number&nbsp;Resources</a></td> <td class="subsection"> <ul> <li><a href="/abuse">Abuse Information</a></li> </ul> </td> </tr> <tr> <td class="section"><a href="/protocols">Protocols</a></td> <td class="subsection"> <ul> <li><a href="/protocols">Protocol Registries</a></li> <li><a href="/time-zones">Time Zone Database</a></li> </ul> </td> </tr> <tr> <td class="section"><a href="/about">About&nbsp;Us</a></td> <td class="subsection"> <ul> <li><a href="/performance">Performance</a></li> <li><a href="/reports">Reports</a></li> <li><a href="/reviews">Reviews</a></li> <li><a href="/about/excellence">Excellence</a></li> <!-- <li><a href="/news">News</a></li>--> <li><a href="/contact">Contact Us</a></li> </ul> </td> </tr> </table> <div id="custodian"> <p>The IANA functions coordinate the Internet鈥檚 globally unique identifiers, and are provided by <a href="http://pti.icann.org">Public Technical Identifiers</a>, an affiliate of <a href="http://www.icann.org/">ICANN</a>.</p> </div> <div id="legalnotice"> <ul> <li><a href="https://www.icann.org/privacy/policy">Privacy Policy</a></li> <li><a href="https://www.icann.org/privacy/tos">Terms of Service</a></li> </ul> </div> </div> </footer> <script> $(document).ready(function() { $("#nav_dom_idn_sub").hide() $("#nav_dom_root_sub").hide() $("#nav_dom_int_sub").hide() $("#nav_dom_tools_sub").hide() $("#nav_dom_dnssec").addClass("selected") $("#nav_dom_dnssec_dps").addClass("selected") }); </script> </body> </html>