ICANN is planning to roll, or change, the top-most pair of cryptographic keys used in the DNSSEC protocol, commonly known as the Root Zone KSK (Key Signing Key). This will be the first time the KSK has been changed since it was generated in 2010. It is an important security step, in much the same way that periodically changing a long-lived credential such as a password is considered good practice.
Rolling the key means generating a new key pair and distributing the new public key, as a trust anchor, to every DNSSEC-validating resolver in the world. This is a significant change because every DNSSEC chain of trust, for any signed name, begins at the root zone KSK.
Once the new key has been published, operators of validating resolvers need to install it as a trust anchor, so that when a user looks up a name the resolver can validate the answer through a chain that ends at the new KSK.
Keeping the trust anchor up to date is essential if validating resolvers are to keep working after the rollover.
A resolver that does not hold the current root zone KSK cannot validate the root zone's DNSKEY RRset, and because every chain of trust starts there it will fail validation (returning SERVFAIL) for effectively every query it validates.
Who needs to take action?
Network operators running DNSSEC-validating resolvers must update those resolvers with the new KSK to keep Internet access working for their users.
- If your organization performs DNSSEC validation and your software supports automatic updates of DNSSEC trust anchors (RFC 5011), the KSK will be updated automatically at the appropriate time and you may not need to take any further action. Some devices still require manual intervention, however, so confirm with your vendor that automatic updates are enabled and actually working rather than assuming they are.
- If your organization performs DNSSEC validation and your software either does not support automatic trust anchor updates (RFC 5011) or is not configured to use them, you will have to update the software's trust anchor file manually.
Important dates
The KSK rollover takes place over several months. Systems can be updated at any time after the new KSK is published.

| Date | Event |
|---|---|
| 11 July 2017 | New KSK published in DNS |
| 19 September 2017 | Size increase for DNSKEY response from root name servers |
| 11 October 2017 | New KSK begins to sign the root zone key set (the actual rollover event) |
| 11 January 2018 | Revocation of old KSK |
| 22 March 2018 | Last day the old KSK appears in the root zone |
| August 2018 | Old key is deleted from equipment in both ICANN Key Management Facilities |
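As an added example (not from this page, from ICANN, or from any resolver vendor), the Python below models what an RFC 5011-capable resolver does with the root DNSKEY RRset across the phases in the table above. It parses DNSKEY records in presentation format, computes key tags per RFC 4034 Appendix B, and walks a simplified RFC 5011 state machine (Start, AddPend, Valid, Missing, Revoked, Removed) with the 30-day hold-down timer. The two keys, their base64 material and the day numbers are constructed stand-ins for KSK-2010 and KSK-2017, not the real root keys; the class and function names are this example's own.

```python
from __future__ import annotations

import base64
import struct
from dataclasses import dataclass

SEP = 0x0001          # Secure Entry Point flag: set on KSKs, required of a trust anchor
REVOKE = 0x0080       # RFC 5011 REVOKE bit: flags 257 become 385 on a revoked KSK
HOLD_DOWN_DAYS = 30   # RFC 5011 add and remove hold-down time


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: str   # base64 text exactly as in presentation format

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) \
            + base64.b64decode(self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B. Setting REVOKE changes the tag, which is why the real
        KSK-2010 is key tag 19036 unrevoked and 19164 (19036 + 128) once revoked."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def unrevoked_tag(self) -> int:
        """Tag the key has without REVOKE; lets us track one key across its states."""
        return DNSKEY(self.flags & ~REVOKE, self.protocol, self.algorithm, self.public_key).key_tag()


def parse_dnskey(line: str) -> DNSKEY:
    """Parse one line of 'dig . DNSKEY' output: '. 172800 IN DNSKEY 257 3 8 <base64>'."""
    f = line.split()
    i = f.index("DNSKEY")
    return DNSKEY(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]))


class TrustAnchors:
    """Simplified RFC 5011 section 4 state machine, keyed by unrevoked key tag."""

    def __init__(self, initial: DNSKEY) -> None:
        self.state = {initial.key_tag(): "Valid"}   # the manually configured anchor
        self.since: dict[int, int] = {}             # day a hold-down timer started

    def trusted(self) -> set[int]:
        return {t for t, s in self.state.items() if s in ("Valid", "Missing")}

    def observe(self, day: int, rrset: list[DNSKEY], signed_by: set[int]) -> None:
        # RFC 5011 only acts on a root DNSKEY RRset whose RRSIG was made by a key
        # that is already a trust anchor; an RRset signed by anything else is ignored.
        if not any(self.state.get(t) in ("Valid", "Missing") for t in signed_by):
            return
        seen = {k.unrevoked_tag(): k for k in rrset if k.flags & SEP}
        for tag, k in seen.items():
            st = self.state.get(tag, "Start")
            if k.flags & REVOKE:
                # A revocation only counts if it is self-signed by the revoked key.
                if st in ("Valid", "Missing") and k.key_tag() in signed_by:
                    self.state[tag], self.since[tag] = "Revoked", day
            elif st == "Start":
                self.state[tag], self.since[tag] = "AddPend", day
            elif st == "AddPend" and day - self.since[tag] >= HOLD_DOWN_DAYS:
                self.state[tag] = "Valid"     # survived the add hold-down: now trusted
            elif st == "Missing":
                self.state[tag] = "Valid"
        for tag, st in list(self.state.items()):
            if tag not in seen and st == "AddPend":
                del self.state[tag]           # vanished during hold-down: back to Start
            elif tag not in seen and st == "Valid":
                self.state[tag] = "Missing"
            elif st == "Revoked" and day - self.since[tag] >= HOLD_DOWN_DAYS:
                self.state[tag] = "Removed"


# Constructed stand-ins for KSK-2010 and KSK-2017 (real tags 19036 and 20326);
# the key material is made up so the example runs offline.
OLD = parse_dnskey(". 172800 IN DNSKEY 257 3 8 AQIDBAUGBwg=")
NEW = parse_dnskey(". 172800 IN DNSKEY 257 3 8 ECAwQFBgcIA=")
OLD_REVOKED = DNSKEY(OLD.flags | REVOKE, OLD.protocol, OLD.algorithm, OLD.public_key)


def run_rollover() -> list[tuple[int, set[int]]]:
    """Replay the rollover phases against a resolver that started with only the old KSK."""
    ta = TrustAnchors(OLD)
    old, new, old_rev = OLD.key_tag(), NEW.key_tag(), OLD_REVOKED.key_tag()
    phases = [   # (constructed day, root DNSKEY RRset, key tags that signed it)
        (0,   [OLD, NEW],         {old}),           # new KSK published, set still signed by old
        (15,  [OLD, NEW],         {old}),           # inside the add hold-down: not trusted yet
        (31,  [OLD, NEW],         {old}),           # hold-down elapsed: new KSK becomes Valid
        (92,  [OLD, NEW],         {new}),           # the rollover: new KSK signs the key set
        (184, [OLD_REVOKED, NEW], {new, old_rev}),  # old KSK published with REVOKE, self-signed
        (215, [NEW],              {new}),           # old KSK gone; remove hold-down elapsed
    ]
    history = []
    for day, rrset, signers in phases:
        ta.observe(day, rrset, signers)
        history.append((day, ta.trusted()))
    return history


if __name__ == "__main__":
    for day, anchors in run_rollover():
        print(f"day {day:3d}: trusted key tags {sorted(anchors)}")
```

Two things the model makes concrete for an operator. First, a resolver only trusts the new key after seeing it, signed by the old one, continuously for the full hold-down period, so a resolver that was switched off, not validating, or blocked from reaching the root during that window never adds it and needs the manual update. Second, a revoked key has a different key tag from the same key unrevoked, so when checking a resolver's anchor state after the revocation date, look for the revoked tag rather than the original one.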
Links
- ICANN automated trust anchor update testbed
- How to test if DNS validating resolvers are using the latest trust anchor (ICANN)
- How to update DNS validating resolvers with the latest trust anchor (ICANN)
Presentations
- 2017 DNSSEC KSK Rollover, Ed Lewis (ICANN)
- Rolling the Root, Geoff Huston
Other resources
- APNIC Labs DNSSEC measurement
How to get help
If you need technical support, your DNS software provider is the best place to start. Below is support information for some of the popular providers.
- NLnet Labs Unbound
- Secure64 DNS Signer
Ask a question
Send an email to firstname.lastname@example.org with "KSK Rollover" in the subject line to submit your questions.