‹ Back
Deploy360 16 October 2014

Root DNSSEC KSK Rollover Workshop Streaming Live Today From ICANN 51

Dan York
By Dan YorkDirector, Online Content
ICANN 51 Los Angeles

Today (Oct 16, 2014) from 9:00 am to 12 noon US Pacific, a special public workshop about implications of a “rollover” of the “Root Key Signing Key (KSK)” that serves as the ultimate “trust anchor” for DNSSEC will be streamed live from ICANN 51 in Los Angeles. Information about how to participate remotely can be found at:


(Note: the times on that page have not yet been updated.  The workshop will be from 09:00-12:00, although it may extend later if discussions continue.  It will definitely conclude by no later than 13;30 PDT.)

ICANN Chief Technology Officer (CTO) David Conrad has organized this public discussion about issues related to changing the Root KSK.  This will be a chance to publicly discuss what we collectively see as potential issues when the Root KSK is rolled or changed and what we need to do about those issues.  This is a critically important topic and so it is great to see ICANN holding this session.

The public workshop is aimed to be a discussion forum to collect guidance from a wide range of people.  An adhoc program committee was established of Joe Abley, Duane Wessels, Roy Arends, Jakob Schlyter, David Conrad and myself.  I was asked to act as a moderator to ensure that the flow moves appropriately and that all get to contribute.  The proposed agenda is:


A brief level setting of why the workshop has been called, where we are at in the process (ICANN public consultation in early 2013, SSAC report, ICANN Board resolution in Nov 2013), and what we hope to do in the workshop.  (See my recent “Background Information” post for links for more info.)

2. HOW a Root KSK Rollover might occur

We would like to discuss how an automated (RFC5011) would occur as well as non-5011 roll options and options for a staggered roll.  Joe Abley will discuss a couple of relevant Internet Drafts.

3. WHAT a Root KSK Rollover might involve

We would like to discuss what changes might be made during a Root KSK Rollover. Specifically two points:

  a. ALGORITHM CHANGE – Geoff Huston will give a presentation about potential impacts of a change of the algorithm. (Geoff also presented this information about the DNS-OARC meeting this past weekend.)

  b. Length of KSK – There has been some discussion about changing the length of ZSKs and KSKs and moving to longer key sizes.  We would like a discussion around this idea and the potential impacts.


Discussion of additional implications beyond those discussed earlier.  For instance, issues around response sizes.

5. POTENTIAL TIMELINE (unanchored)

We would like to discuss what a potential timeline might look like for the entire process.  The intent is NOT to establish a fixed date but rather to establish what a timeline might look like for the full process to take place.


We want to spend the end of the session identifying specific steps and actions that will occur coming out of this workshop.

If you are interested in this topic, you can join ICANN’s “ksk-rollover” mailing list and read the archives.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?


‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...

Join the conversation with Internet Society members around the world