Deploy360 14 November 2013

Should The Root DNSSEC Key Be Rolled? ICANN's SSAC Issues Some Guidance

By Dan York, Director, Online Content

Should the root key of DNSSEC be rolled over? And if so, when and under what conditions? We’ve mentioned this discussion before and even sent in our own comments to ICANN. After reviewing all those comments and consulting with many people, the ICANN Security and Stability Advisory Committee (SSAC) has now issued its guidance in a document, “SAC063 – SSAC Advisory on DNSSEC Key Rollover in the Root Zone”. The document is well worth a read and explains SSAC’s thinking on a variety of issues. For a quick summary, SSAC issued five recommendations that I would paraphrase as:

1: ICANN and partners should immediately undertake a worldwide communications effort to publicize the root zone KSK rollover motivation and process as widely as possible.

2: ICANN staff should coordinate a testing program to analyze the behavior of validating resolvers to identify problems that could be caused by the root KSK rollover.

3: ICANN staff and the community should identify clear and objective metrics for acceptable levels of “breakage” resulting from a key rollover.

4: ICANN staff should coordinate the development of rollback procedures to be executed in case things go wrong.

5: ICANN staff should coordinate the collection of information during this KSK rollover so that lessons can be learned for future rollovers.
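The validating-resolver behaviour that recommendations 2 and 4 are concerned with can be seen in a small model. The following is an added example, not code from the SSAC advisory or from ICANN: it implements a toy version of the RFC 5011 automated trust-anchor update state machine (add hold-down, REVOKE bit) next to a resolver with a hard-coded root KSK, and runs both through a constructed rollover timeline. The key tags, day numbers and timeline are constructed for illustration and are not the root zone's actual values.

```python
"""Toy model of root trust-anchor handling across a KSK rollover (added example).

Rfc5011Resolver follows the RFC 5011 state machine for trust anchors;
StaticResolver has the old KSK hard-coded and never updates it, which is the
kind of resolver a rollover testing program is meant to find.
Key tags and dates below are constructed, not the real root zone's values.
"""
from dataclasses import dataclass

ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 add hold-down time (30 days)

# Constructed key tags (not the real root KSK key tags).
OLD_KSK = 11111
NEW_KSK = 22222


@dataclass
class TrustAnchor:
    key_tag: int
    state: str           # "AddPend", "Valid" or "Revoked"
    first_seen: int = 0  # day the key was first seen while pending


class Rfc5011Resolver:
    """Minimal RFC 5011 trust-anchor tracker; time is measured in days."""

    def __init__(self, initial_key_tag: int):
        self.anchors = {initial_key_tag: TrustAnchor(initial_key_tag, "Valid")}

    def valid_tags(self):
        return {t for t, a in self.anchors.items() if a.state == "Valid"}

    def observe(self, day: int, keys, signed_by):
        """Process one observation of the root DNSKEY RRset.

        keys:      list of (key_tag, revoke_bit_set) tuples in the RRset
        signed_by: set of key tags whose RRSIG over the RRset verified
        """
        # Only an RRset signed by a currently valid anchor is trusted at all.
        if not (signed_by & self.valid_tags()):
            return
        present = {tag for tag, _ in keys}
        for tag, revoked in keys:
            anchor = self.anchors.get(tag)
            if revoked:
                # A revocation counts only if the revoked key signed the RRset itself.
                if anchor is not None and tag in signed_by:
                    anchor.state = "Revoked"
                continue
            if anchor is None:
                self.anchors[tag] = TrustAnchor(tag, "AddPend", day)
            elif anchor.state == "AddPend" and day - anchor.first_seen >= ADD_HOLD_DOWN_DAYS:
                anchor.state = "Valid"
        # A pending key that disappears from the RRset restarts its hold-down.
        for tag in list(self.anchors):
            if self.anchors[tag].state == "AddPend" and tag not in present:
                del self.anchors[tag]

    def can_validate(self, keys, signed_by) -> bool:
        return bool(signed_by & self.valid_tags())


class StaticResolver:
    """Resolver with a hard-coded trust anchor and no update mechanism."""

    def __init__(self, key_tag: int):
        self.key_tag = key_tag

    def observe(self, day, keys, signed_by):
        pass  # never learns anything new

    def can_validate(self, keys, signed_by) -> bool:
        # Setting the REVOKE bit changes the key's flags, so a stored copy of
        # the original key no longer matches the published one.
        usable = {tag for tag, revoked in keys if not revoked}
        return self.key_tag in usable and self.key_tag in signed_by


def simulate_rollover():
    """Run a constructed rollover timeline; per phase, report whether the
    RFC 5011 resolver and the static resolver can validate the root DNSKEY RRset."""
    both = [(OLD_KSK, False), (NEW_KSK, False)]
    timeline = [  # (day, label, keys in RRset, key tags that signed the RRset)
        (0,  "old KSK only",        [(OLD_KSK, False)],                 {OLD_KSK}),
        (1,  "new KSK published",   both,                               {OLD_KSK}),
        (15, "mid hold-down",       both,                               {OLD_KSK}),
        (32, "hold-down elapsed",   both,                               {OLD_KSK}),
        (45, "new KSK signs alone", both,                               {NEW_KSK}),
        (60, "old KSK revoked",     [(OLD_KSK, True), (NEW_KSK, False)], {OLD_KSK, NEW_KSK}),
        (90, "old KSK removed",     [(NEW_KSK, False)],                 {NEW_KSK}),
    ]
    rfc5011, static = Rfc5011Resolver(OLD_KSK), StaticResolver(OLD_KSK)
    results = {}
    for day, label, keys, signed_by in timeline:
        rfc5011.observe(day, keys, signed_by)
        static.observe(day, keys, signed_by)
        results[label] = (rfc5011.can_validate(keys, signed_by),
                          static.can_validate(keys, signed_by))
    return results


if __name__ == "__main__":
    for label, (auto_ok, static_ok) in simulate_rollover().items():
        print(f"{label:22s} rfc5011={auto_ok!s:5s} static={static_ok}")
```

Running `simulate_rollover()` shows the RFC 5011 resolver validating through every phase, while the static resolver fails from the moment the new KSK signs alone. That gap across the deployed resolver population is what a testing program has to measure, and the phase at which a rollback (signing again with the old KSK) would have to be decided. The model leaves out RFC 5011's query-interval rules, the remove hold-down and the need to persist anchor state across restarts.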

This SSAC report is issued in time for next week’s ICANN 48 meeting in Buenos Aires where this topic will again be in the conversation within DNSSEC circles.  ICANN has contractual requirements to roll the key within five years of the signing of the root in July 2010 and so efforts are underway to make sure this can be done in a sensible manner.


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
