Updated Certificates for DNSSEC Trust Anchor Validation

29 May 2026

IANA has published a new Certificate Authority (CA) certificate that is used for validating the authenticity of the DNS root zone trust anchors file.

This impacts those who verify the integrity of the DNS root zone trust anchors file (root-anchors.xml) using the detached signatures. Signatures chaining to the new certificate are expected to be published in 2028 at which time relying parties must validate using the new certificate.

Both the current and new certificates are available at https://data.iana.org/root-anchors/icannbundle.pem.

Considerations for updating the trust anchor are described in DNSSEC Trust Anchor Publication for the Root Zone (RFC 9718).