ICANN is planning to roll, or change, the “top” cryptographic key pair used in the DNSSEC protocol, commonly known as the Root Zone KSK (Key Signing Key). This will be the first time the KSK has been changed since it was initially generated in 2010. It is an important security step, in much the same way that periodically replacing any long-lived credential is considered good practice.
Changing the key involves generating a new cryptographic key pair and distributing the new public component to all DNSSEC-validating resolvers globally. This is a significant change because every DNSSEC validation chain, whatever the destination name, is anchored in the root zone KSK: the public half of the KSK is the trust anchor from which a validating resolver verifies the root zone's keys and, from there, every signed zone beneath it.
Once the new key pair has been generated, operators running DNSSEC-validating resolvers need to install the new public key as a trust anchor, either by hand or through the automated trust anchor update mechanism (RFC 5011) that most resolver software supports, so that lookups made on behalf of users can still be validated after the new KSK starts signing the root zone's keys.
Keeping the trust anchor up to date is essential for DNSSEC-validating resolvers to keep working after the rollover.
A validating resolver that does not trust the current root zone KSK cannot validate the root zone's DNSKEY records, so every validation chain fails and the resolver returns SERVFAIL for every query, including names in unsigned zones, whose insecure status can no longer be proven. Users behind such a resolver effectively lose Internet access until the trust anchor is corrected.
Who needs to take action?
Network operators using DNSSEC-validating resolvers must update their systems with the new KSK to help ensure trouble-free Internet access for users. Resolvers that do not perform DNSSEC validation are not affected.
It is worth checking and testing systems prior to the KSK rollover to confirm what action will be required. ICANN provides a free testbed that lets operators determine whether their resolvers handle automated trust anchor updates (RFC 5011) correctly. APNIC will contact all its Members to advise them of the KSK rollover and provide information and resources to help them take appropriate action.
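One way to do that check offline, as an added example rather than anything from ICANN or APNIC: the script below computes RFC 4034 key tags and DS digests for DNSKEY records and reports which published KSKs a resolver's trust anchors are missing. The records in it are constructed four-byte sample keys, not the real root keys; the real root KSKs carry key tags 19036 (the 2010 key) and 20326 (the 2017 key). You can feed it the output of `dig . DNSKEY` and your resolver's trust anchor file, which use the same presentation format.

```python
"""
Added example (not ICANN's, APNIC's or any resolver vendor's code): work out
which root KSKs a resolver trusts.  It computes DNSKEY key tags (RFC 4034
Appendix B) and the SHA-256 DS digest that ICANN publishes for each KSK in
root-anchors.xml (RFC 4034 section 5.1.4), then compares the resolver's
configured trust anchors with the DNSKEY RRset the root servers publish.

The public keys below are short constructed sample values, NOT the real root
keys.  The real root KSKs are identified by key tags 19036 (KSK-2010) and
20326 (KSK-2017).
"""
import base64
import hashlib
import struct

SEP = 0x0001      # Secure Entry Point flag: set on KSKs (257), clear on ZSKs (256)
REVOKE = 0x0080   # RFC 5011 REVOKE flag; 257 | 128 = 385 marks a revoked KSK


def parse_dnskey(line):
    """'. 172800 IN DNSKEY 257 3 8 <base64 ...>' -> (flags, protocol, algorithm, pubkey)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))   # key may be split over several fields
    return flags, proto, alg, pubkey


def rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata_bytes):
    """RFC 4034 Appendix B key tag.  Valid for every algorithm except 1 (RSA/MD5),
    which the root zone does not use.  The tag covers the flags, so the same key
    gets a different tag once its REVOKE bit is set."""
    ac = 0
    for i, b in enumerate(rdata_bytes):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(rdata_bytes, owner_wire=b"\x00"):
    """DS digest type 2: SHA-256(owner name in wire form | DNSKEY RDATA).  The root
    owner name '.' is a single zero byte.  Compare the result with the <Digest>
    element carrying the same key tag in ICANN's root-anchors.xml."""
    return hashlib.sha256(owner_wire + rdata_bytes).hexdigest().upper()


def ksk_tags(lines):
    """Map 'base' key tag (computed with REVOKE cleared, so a key keeps one identity
    across revocation) -> flags as published, for every KSK in a DNSKEY RRset.
    Comment lines such as the ';;' lines in Unbound's root.key are skipped."""
    tags = {}
    for line in lines:
        if "DNSKEY" not in line.split():
            continue
        flags, proto, alg, pub = parse_dnskey(line)
        if flags & SEP:
            tags[key_tag(rdata(flags & ~REVOKE, proto, alg, pub))] = flags
    return tags


def rollover_check(root_rrset, trust_anchors):
    """Compare what the root publishes with what the resolver trusts.

    Returns (missing, stale):
      missing - published, non-revoked KSK tags the resolver does not trust; once the
                root's DNSKEY RRset is signed only by such a key, validation fails.
      stale   - trusted tags the root no longer publishes, or publishes with the
                REVOKE bit set; delete them from the resolver configuration.
    """
    published = ksk_tags(root_rrset)
    trusted = ksk_tags(trust_anchors)
    missing = sorted(t for t, f in published.items()
                     if not f & REVOKE and t not in trusted)
    stale = sorted(t for t in trusted
                   if t not in published or published[t] & REVOKE)
    return missing, stale


# Constructed sample records (4-byte keys, not real root keys): old KSK, new KSK, one ZSK.
OLD_KSK = ". 172800 IN DNSKEY 257 3 8 AQIDBA=="
NEW_KSK = ". 172800 IN DNSKEY 257 3 8 BQYHCA=="
ZSK = ". 172800 IN DNSKEY 256 3 8 CQoLDA=="
ROOT_DURING_ROLL = [OLD_KSK, NEW_KSK, ZSK]                         # both KSKs published
ROOT_AFTER_REVOKE = [OLD_KSK.replace("257", "385"), NEW_KSK, ZSK]  # old KSK carries REVOKE

if __name__ == "__main__":
    anchors = [OLD_KSK]   # a resolver that never picked up the new key
    for label, rrset in (("during roll", ROOT_DURING_ROLL), ("after revoke", ROOT_AFTER_REVOKE)):
        missing, stale = rollover_check(rrset, anchors)
        print(f"{label}: missing={missing} stale={stale}")
    new = rdata(*parse_dnskey(NEW_KSK))
    print("DS for new KSK:", key_tag(new), "8 2", ds_digest_sha256(new))
```

A resolver whose trust anchors report the new key as missing will fail validation once the DNSKEY RRset is signed only by that key; a stale entry for a revoked key does not break validation but should be removed. Comparing the DS digest against root-anchors.xml is the check to make before trusting a key obtained from the DNS rather than from ICANN.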
There is more information on how to update resolvers with the new KSK on the ICANN website.
Important dates
The KSK rollover takes place over several months. Systems can be updated at any time after the new KSK is published, and the earlier the better: resolvers relying on automated updates must observe the new key continuously for the RFC 5011 hold-down period of 30 days before they will trust it.
| Date | Milestone |
| --- | --- |
| 27 October 2016 | KSK rollover process begins as the new KSK is generated. |
| 11 July 2017 | Publication of the new KSK in the DNS. |
| 19 September 2017 | Size increase for the DNSKEY response from the root name servers. |
| 1 February 2018 | Public comment period on the plan to resume the KSK rollover begins; ends 2 April 2018. |
| 23 April 2018 | Staff report on the Draft Plan comments published. |
| 13 May 2018 | ICANN Board requests RSSAC, SSAC and RZERC advice on the Draft Plan. |
| 11 October 2018 | KSK rollover (subject to change based on operational considerations). |
| 11 January 2019 | Proposed date for the old KSK to be revoked. |
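To show why these dates are spread out, and why "any time after the new KSK is published" should mean sooner rather than later, here is an added example (not code from ICANN, APNIC or any resolver vendor) that models the RFC 5011 automated update state machine and replays the timeline above for two resolvers: one that has been watching the root since the new key was published, and one that first looks 21 days before the roll. The observations are constructed from the dates on this page; which key signs the DNSKEY RRset on each date, and the 2010 date of the original anchor, are this model's assumptions.

```python
"""
Added example, not code from ICANN, APNIC or any resolver: a compact model of the
RFC 5011 trust-anchor state machine ("automated updates") that Unbound, BIND and
others implement, replayed against the rollover dates on this page.  The DNSKEY
observations are constructed from the timeline; the signing details for each date
are this model's assumptions, not a record of the actual root zone contents.
"""
from datetime import date, timedelta

ADD_HOLD_DOWN = timedelta(days=30)     # RFC 5011 s2.4.1 (30 days or the RRset TTL, whichever is longer)
REMOVE_HOLD_DOWN = timedelta(days=30)  # RFC 5011 s2.4.2

START, ADDPEND, VALID, MISSING, REVOKED, REMOVED = (
    "Start", "AddPend", "Valid", "Missing", "Revoked", "Removed")


class TrustPoint:
    """RFC 5011 key states for one zone: key id -> (state, date the state was entered)."""

    def __init__(self, configured_keys, now):
        # Keys from the resolver's own configuration start out Valid (trusted).
        self.keys = {k: (VALID, now) for k in configured_keys}

    def trusted(self):
        return sorted(k for k, (s, _) in self.keys.items() if s in (VALID, MISSING))

    def observe(self, now, rrset, signers):
        """Process one look at the zone's DNSKEY RRset.
        rrset:   key id -> True if published with the REVOKE bit
        signers: key ids whose RRSIG over that RRset verified
        Returns False, changing nothing, if no trusted key signed the RRset."""
        trusted = set(self.trusted())
        # A revoked key's own signature proves only its revocation (RFC 5011 s2.1);
        # anything else needs a signature from a trusted key that is not being revoked.
        live = {s for s in signers if s in trusted and not rrset.get(s, False)}
        revoked_now = {k for k, rev in rrset.items() if rev and k in signers and k in trusted}
        if not live and not revoked_now:
            return False
        for key in revoked_now:
            self.keys[key] = (REVOKED, now)          # remove hold-down starts
        if live:
            for key, revoked in rrset.items():
                state, since = self.keys.get(key, (START, now))
                if revoked:
                    if state == ADDPEND:
                        self.keys.pop(key)           # revoked before it was trusted: back to Start
                elif state == START:
                    self.keys[key] = (ADDPEND, now)  # new key seen: add hold-down starts
                elif state == ADDPEND and now - since >= ADD_HOLD_DOWN:
                    self.keys[key] = (VALID, now)    # seen throughout the hold-down
                elif state == MISSING:
                    self.keys[key] = (VALID, now)
            for key in [k for k in self.keys if k not in rrset]:
                if self.keys[key][0] == ADDPEND:
                    self.keys.pop(key)               # vanished during the hold-down: start over
                elif self.keys[key][0] == VALID:
                    self.keys[key] = (MISSING, now)
        for key, (state, since) in list(self.keys.items()):
            if state == REVOKED and now - since >= REMOVE_HOLD_DOWN:
                self.keys[key] = (REMOVED, now)
        return True


def replay(first_seen_iso):
    """Replay the page's timeline for a resolver configured with KSK-2010 that starts
    watching the root DNSKEY RRset on the given ISO date.  Returns the TrustPoint and
    a list of (date, trusted key ids, RRset accepted?) snapshots."""
    first_seen = date.fromisoformat(first_seen_iso)
    tp = TrustPoint(["KSK-2010"], date(2010, 7, 15))   # anchor date assumed for the model
    timeline = [  # (date, RRset as key -> REVOKE bit set?, keys whose RRSIG verified)
        (date(2017, 7, 11), {"KSK-2010": False, "KSK-2017": False}, {"KSK-2010"}),   # new KSK published
        (date(2017, 8, 11), {"KSK-2010": False, "KSK-2017": False}, {"KSK-2010"}),   # add hold-down elapsed
        (date(2018, 9, 20), {"KSK-2010": False, "KSK-2017": False}, {"KSK-2010"}),   # last look before the roll
        (date(2018, 10, 11), {"KSK-2010": False, "KSK-2017": False}, {"KSK-2017"}),  # roll: only new KSK signs
        (date(2019, 1, 11), {"KSK-2010": True, "KSK-2017": False}, {"KSK-2010", "KSK-2017"}),  # old KSK revoked
        (date(2019, 2, 11), {"KSK-2010": True, "KSK-2017": False}, {"KSK-2010", "KSK-2017"}),  # remove hold-down elapsed
    ]
    snapshots = []
    for when, rrset, signers in timeline:
        if when >= first_seen:
            accepted = tp.observe(when, rrset, signers)
            snapshots.append((when, tp.trusted(), accepted))
    return tp, snapshots


if __name__ == "__main__":
    for label, start in (("watching since publication", "2017-07-11"),
                         ("first look 21 days before the roll", "2018-09-20")):
        print(label)
        for when, keys, accepted in replay(start)[1]:
            print(f"  {when}: trusts {keys or 'nothing'}, RRset accepted={accepted}")
```

The late resolver never completes the 30-day add hold-down, because after 11 October 2018 the RRset is signed only by a key it does not yet trust, and after 11 January 2019 it trusts nothing at all. That is the state the testbed is meant to catch before it happens in production.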
Links
ICANN automated trust anchor update testbed
How to test if DNS validating resolvers are using the latest trust anchor (ICANN)
How to update DNS validating resolvers with the latest trust anchor (ICANN)
Presentations
2017 DNSSEC KSK Rollover, Ed Lewis (ICANN)
Rolling the Root, Geoff Huston
Other resources
APNIC Labs DNSSEC measurement
How to get help
If you need technical support, your DNS software provider is the best place to start. Below is support information for some popular providers.
NLnet Labs Unbound
Secure64 DNS Signer
Ask a Question
Send an email to firstname.lastname@example.org with "KSK Rollover" in the subject line to submit your questions.