DNS Root Zone KSK Rollover

ICANN has postponed the DNS Root Zone KSK Rollover. The KSK rollover was due to occur on 11 October 2017. This will now be delayed to allow more time for network operators using DNSSEC-validating resolvers to update their systems with the new KSK.

ICANN is planning to roll, or change, the “top” pair of cryptographic keys used in the DNSSEC protocol, commonly known as the Root Zone KSK (Key Signing Key). This will be the first time the KSK has been changed since it was initially generated in 2010. It is an important security step, in much the same way that regularly changing passwords is considered good practice by any Internet user.

Changing the key involves generating a new cryptographic key pair and distributing the new public component to all DNSSEC-validating resolvers globally. This will be a significant change as every Internet query using DNSSEC depends on the root zone KSK to validate the destination.

Once the new keys have been generated, network operators performing DNSSEC validation will need to update their systems with the new key so that when a user attempts to visit a website, it can validate it against the new KSK.

Maintaining an up-to-date KSK is essential to ensuring DNSSEC-validating DNS resolvers continue to function following the rollover.

Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.

Who needs to take action?

Network operators using DNSSEC-validating resolvers must update their systems with the new KSK to help ensure trouble-free Internet access for users.

  • If your organization is performing DNSSEC validation, and your software supports automatic updates of DNSSEC trust anchors (RFC 5011) then the KSK will be updated automatically at the appropriate time. You may not need to take any additional action, however some devices may require manual intervention.
  • If your organization is performing DNSSEC validation, and your software does not support automatic updates of DNSSEC trust anchors (RFC 5011) or is not configured to use it, then manual updates of the software’s trust anchor file will be required.
In either case, it is worth checking and testing systems prior to the KSK rollover to confirm what action will be required. ICANN is providing a free testbed for operators to help you determine whether your systems can handle automated updates correctly. APNIC will be contacting all its Members to advise of the KSK rollover, and provide information and resources to assist Members in taking appropriate action.

Important dates

The KSK rollover will occur over several months. Systems can be updated at any time after the new KSK is published.

11 July 2017 New KSK published in DNS
19 September 2017 Size increase for DNSKEY response from root name servers
11 October 2017 New KSK begins to sign the root zone key set (the actual rollover event)
11 January 2018 Revocation of old KSK
22 March 2018 Last day the old KSK appears in the root zone
August 2018 Old key is deleted from equipment in both ICANN Key Management Facilities

Learn more