
Hello Everyone,

As many of you may know, one of the functions of the Internet Assigned Numbers Authority (IANA) is the global coordination of the DNS Root Zone. One of the core components of DNS is DNSSEC. The Root Key Signing Key (KSK) acts as the trust anchor for DNSSEC for the Domain Name System, and this trust anchor is configured in DNSSEC-aware resolvers to facilitate validation of DNS data. This is how your DNS servers are able to cryptographically validate the authenticity of DNS records they receive and serve. For more information pertaining to DNSSEC, how it operates, the KSK and the relevant policies and procedures, I recommend visiting https://www.iana.org/dnssec for more info.

In order to ensure the security of the KSK, IANA utilises Hardware Security Modules (HSM) to generate the KSK pair of public and private keys, which in turn are used to sign the Zone Signing Key (ZSK), that itself is used to sign DNS records (RRsets) within a DNS zone. As it currently stands, both of these HSMs currently reside in high-security Key Management Facilities (KMFs) in the USA, with one facility located in Culpeper VA, and the other in El Segundo CA.

Now, while the locations of these HSMs are highly secure, both of them are located on US soil. As most people who are familiar with redundancy know, this is not a good idea for a number of reasons (which I won't go into detail here as it's outside the scope of this email). What we as a community MUST DO, is look at the relocation of one of these HSMs to an alternate country such as Singapore or Switzerland (regarded as two safe countries) to ensure the continued integrity of the Root KSK.

Unfortunately, section 4.2(b) of the IANA Naming Function Contract (https://pti.cdn.icann.org/resources/151/IANA_Naming_Function_Contract.pdf) between the Internet Corporation for Assigned Names and Numbers (ICANN) and Public Technical Identifiers (PTI) that governs how IANA performs its functions prohibits the operation of functions outside of the US. Given that the Internet is one of the most critical pieces of global (and not just US-based) infrastructure, I feel that this section of the contract must be reviewed (and deleted or modified to allow for PTI to perform the functions from Singapore, Switzerland or another safe jurisdiction) to maintain the integrity of the Domain Name System.

The Second IANA Naming Function Review Team (IFRT2) have released an initial draft report of its analysis, issues and recommendations which also incorporates a review of the Contract between ICANN and PTI. The IFRT2 have opened a public call for comments on the draft report, before they submit their Final Report to ICANN's Board of Directors which they expect to do before June this year.

The Public Comment period closes for submissions on 28 April 2025 at 23:59hrs UTC, and I strongly encourage everyone to read the report and provide input regarding support to relocating one of the Key Management Facilities across the Pacific or Atlantic Oceans. To view the report and submit a comment, please go to https://www.icann.org/en/public-comment/proceeding/second-iana-naming-functi.... In order to submit a comment on the report, you will need an account on https://account.icann.org/.

In closing, I cannot stress one thing enough - this in no way speaks to the professionalism of ICANN's staff. The team at ICANN perform some of the hardest work out there, ensuring the integrity and stability of the Internet as we know it today and for that they cannot be thanked enough.

This recommendation to move one of the KMFs overseas is simply to help protect it from potential political instability, bias, and to encourage neutralism. We're already doing it with the operation of the DNS Root Zone, let's take it one step further and strengthen the security of DNSSEC and the Root KSK.

If you have any questions, please do feel free to ask, either on-list or off-list.

Regards,
Christopher Hawker