New root hints file, and validating DNSSEC-signed zones

A new version of the root zone hints file has been published, and http://jackdaw.cam.ac.uk/ipreg/nsconfig/db.cache has been updated with a copy. The substantive change is the addition of an IPv6 address for i.root-servers.net. As usual with such changes, there is little urgency to update your copies.

The rest of this posting is about validating DNSSEC-signed zones.

ICANN have held their first "key signing ceremony" and appear to be on target to sign the root zone on Thursday 15 July. See http://www.root-dnssec.org/ for details. We expect to be including a trust anchor for the signed root zone on the CUDN central recursive nameservers (131.111.8.42 and 131.111.12.20) shortly after it is available.

If you are operating a validating nameserver, there are some issues with which signing algorithms it supports. There are currently three important algorithms:

Mnemonic       Code   Supported by         Can be used with which
                      BIND versions [1]    negative responses

RSASHA1          5    9.4                  Only zones using NSEC
NSEC3RSASHA1     7    9.6                  Zones using NSEC or NSEC3 [2]
RSASHA256        8    9.6.2 or 9.7         Zones using NSEC or NSEC3

[1] or later.

[2] but as NSEC3RSASHA1 is otherwise identical to RSASHA1, it is almost invariably used with zones using NSEC3 records.

A zone signed only with algorithms that a particular piece of software does not support will be treated by that software as unsigned.

Only RSASHA1 is officially mandatory to support according to current IETF standards, but as the intention is to sign the root zone with RSASHA256, it will become effectively mandatory as well. (Other organisations are already assuming this. For example, Nominet have signed the "uk" top-level domain using RSASHA256, although they do not intend to publish a trust anchor for it other than by having a signed delegation in the root zone.)

Therefore, if you want to be able to use a trust anchor for the root zone you will need software that supports the RSASHA256 algorithm, e.g. BIND versions 9.6.2 / 9.7 or later. As an aid for checking this, the test zone dnssec-test.csi.cam.ac.uk is now signed using RSASHA256. For details on how to test, see http://jackdaw.cam.ac.uk/ipreg/nsconfig/dnssec-testing.html
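As an added example (not from this posting or from BIND itself), the following Python applies the table above to a zone's DNSKEY RRset and reports whether a validating BIND of a given version would validate the zone or treat it as unsigned; the BIND version thresholds, the version-string comparison and the sample records with placeholder key material are assumptions constructed for the example.

```python
# Added example (not from the posting): decide how a validating BIND of a
# given version treats a zone, from the algorithm codes in its DNSKEY RRset.

# DNSSEC algorithm codes from the table above
RSASHA1, NSEC3RSASHA1, RSASHA256 = 5, 7, 8

# Earliest BIND release supporting each algorithm, per the table above;
# comparing version strings as integer tuples is an assumption of this example
BIND_MINIMUM = {RSASHA1: (9, 4), NSEC3RSASHA1: (9, 6), RSASHA256: (9, 6, 2)}

# Constructed sample zone fragments in presentation format (placeholder keys)
SHA256_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKSK==
example.test. 3600 IN DNSKEY 256 3 8 PLACEHOLDERZSK==
"""
SHA1_ZONE = "example.test. 3600 IN DNSKEY 257 3 5 PLACEHOLDERKSK==\n"
NSEC3_ZONE = """\
example.test. 3600 IN DNSKEY 257 3 7 PLACEHOLDERKSK==
example.test. 3600 IN NSEC3PARAM 1 0 10 AABBCCDD
"""


def supported_algorithms(bind_version):
    """Algorithm codes a BIND release of this version can validate."""
    v = tuple(int(x) for x in bind_version.split("-")[0].split("."))
    return {alg for alg, minimum in BIND_MINIMUM.items() if v >= minimum}


def zone_algorithms(zone_text):
    """Return (set of DNSKEY algorithm codes, True if an NSEC3PARAM RR is present)."""
    algs, nsec3 = set(), False
    for line in zone_text.splitlines():
        f = line.split()  # owner TTL class type rdata...
        if len(f) >= 7 and f[3] == "DNSKEY":
            algs.add(int(f[6]))  # rdata: flags protocol algorithm key
        elif len(f) >= 4 and f[3] == "NSEC3PARAM":
            nsec3 = True
    return algs, nsec3


def validation_outcome(zone_text, bind_version):
    """'validated' if the resolver can use at least one of the zone's signing
    algorithms, otherwise 'unsigned' (the zone is treated as if unsigned)."""
    algs, nsec3 = zone_algorithms(zone_text)
    usable = algs & supported_algorithms(bind_version)
    if nsec3:
        usable.discard(RSASHA1)  # RSASHA1 cannot be used with NSEC3 (see table)
    return "validated" if usable else "unsigned"
```

Running validation_outcome(SHA256_ZONE, "9.6.1") returns "unsigned" while "9.6.2" returns "validated", which is the situation the root trust anchor will create for older resolvers.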

There are no immediate plans to change the algorithm used to sign our production DNS zones from RSASHA1.