ICANN seeking public comment on Root KSK rollover process for DNSSEC
Domain Name System (DNS) 6 March 2018

By Kevin Meynell, Former Senior Manager, Technical and Operational Engagement

On 11 October 2018, should ICANN roll the Root Key Signing Key (KSK) that is at the heart of DNSSEC? ICANN is planning to restart the rollover process for the Root KSK and is therefore seeking public review of its new plan. The plan includes more publicity about the need to be prepared for the rollover, and analysis of the data that indicates how prepared resolver operators actually are.

The Plan for Continuing the Root KSK Rollover describes how ICANN intends to roll the root key signing key (KSK), and is based on input from the technical community following their decision to postpone the rollover last year.

Further input is requested by 2 April 2018. This will be used to prepare a final plan that will be presented to the ICANN Board for approval. ICANN is seeking public comments and we encourage you to read the plan and submit your views.

Learn how to submit your comments to ICANN

The Root KSK was originally planned to be rolled over on 11 October 2017, but ICANN postponed the rollover because data it had collected showed that a significant number of resolvers operated by network operators were not ready for it. Those resolvers would have failed to validate DNSSEC-signed domains after the rollover, leaving significant sections of the Internet unable to resolve them, so it was considered prudent to wait and reach out to the affected network operators.

ICANN manages the Root Key Signing Key (KSK) that acts as the trust anchor for DNSSEC in the global Domain Name System. The KSK signs the root zone's DNSKEY record set, which includes the VeriSign-managed Root Zone Signing Key (ZSK); the ZSK in turn signs the root zone's records, including the DS records that delegate trust to each Top-Level Domain (TLD). A validating resolver needs the Root KSK (or the DS record that identifies it) configured as a trust anchor in order to validate that chain of trust, and by extension every cryptographically signed record in the DNS.

The current Root KSK has been in use since the DNS Root Zone was first signed in 2010, and it is good practice to change keys periodically. ICANN wanted to attempt this first rollover under normal rather than compromised conditions, so it was not imperative that the rollover happened as planned in 2017. What does matter is that a sufficient proportion of validating resolvers have the new trust anchor configured before the old key stops being used; otherwise the rollover will not be a smooth undertaking.

RFC 8145 ("Signaling Trust Anchor Knowledge") was published in April 2017 and specifies how recursive name servers can signal to authoritative servers the trust anchors they have configured for DNSSEC validation. Both Unbound and BIND implemented it shortly afterwards, and as organisations deployed the new software versions, this "key tag" data started appearing in queries to the root name servers. It is useful information for KSK rollovers, especially for the root, but the number of recursive name servers providing it was not as high as one might like for the root KSK rollover planned last year. Note also that only resolvers running software new enough to implement RFC 8145 send the signal at all, so it says nothing about older installations, which are the ones least likely to have picked up the new key.
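The two technical points above, the root trust anchor that a validating resolver must carry and the RFC 8145 key-tag signal that reveals which anchors it has, as an added example that is not code from the original post, from ICANN or from any resolver implementation. It derives DNSKEY key tags (RFC 4034 Appendix B), checks a DNSKEY against a DS-format trust anchor (SHA-256, RFC 4509), builds and parses the RFC 8145 `_ta-...` query name, and tallies such signals from a constructed root-server query log the way an operator would when judging rollover readiness. The DNSKEY records, the DS trust anchor and the log lines are constructed for illustration; only the root key tags 19036 (KSK-2010) and 20326 (KSK-2017) are real values.

```python
"""Added example (not from the original post, ICANN or any resolver): how a
validating resolver identifies its root trust anchor and signals it per RFC 8145,
and how the authoritative side tallies those signals. Keys, DS record and log
lines are constructed; only key tags 19036 and 20326 are real root values."""
import hashlib
import struct
from collections import Counter

ROOT_OWNER_WIRE = b"\x00"  # the root name "." in DNS wire format


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format RDATA of a DNSKEY record (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag of a DNSKEY (RFC 4034 Appendix B; not for the obsolete algorithm 1)."""
    acc = 0
    for i, byte in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_sha256(owner_wire, flags, protocol, algorithm, pubkey):
    """Digest field of a DS record with digest type 2 (SHA-256, RFC 4509):
    SHA-256 over the owner name in wire form followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return hashlib.sha256(owner_wire + rdata).hexdigest()


def trust_anchor_matches(ds, dnskey):
    """A resolver holding DS trust anchor (key_tag, algorithm, digest_hex) accepts a
    DNSKEY from the root DNSKEY RRset only if the Zone Key bit is set and key tag,
    algorithm and digest all match (RFC 4035 section 5.2)."""
    tag, alg, digest = ds
    flags, protocol, algorithm, pubkey = dnskey
    return (bool(flags & 0x0100)  # Zone Key flag
            and tag == key_tag(*dnskey)
            and alg == algorithm
            and digest.lower() == ds_sha256(ROOT_OWNER_WIRE, *dnskey))


def ta_signal_qname(key_tags):
    """RFC 8145 section 5.1.1 QNAME: '_ta-' + sorted 4-hex-digit key tags joined
    by '-', followed by the zone name (here the root, so just '.')."""
    return "_ta-" + "-".join(f"{t:04x}" for t in sorted(set(key_tags))) + "."


def parse_ta_signal(qname):
    """Inverse of ta_signal_qname; None for names that are not key-tag signals."""
    label = qname.rstrip(".").split(".")[0].lower()
    if not label.startswith("_ta-"):
        return None
    parts = label[4:].split("-")
    if not all(len(p) == 4 and all(c in "0123456789abcdef" for c in p) for p in parts):
        return None
    return tuple(sorted(int(p, 16) for p in parts))


def readiness_report(log_lines, new_tag):
    """Keep the latest signal per source address and count how many sources already
    trust new_tag. Log format is constructed: '<source-ip> <qname>' per line."""
    latest = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) != 2:
            continue
        tags = parse_ta_signal(fields[1])
        if tags is not None:
            latest[fields[0]] = tags
    ready = sum(1 for tags in latest.values() if new_tag in tags)
    return {
        "signaling_sources": len(latest),
        "ready": ready,
        "not_ready": len(latest) - ready,
        "by_tag_set": dict(Counter(latest.values())),
    }


# Constructed keys (flags 257 = Zone Key + SEP, protocol 3, algorithm 8 = RSA/SHA-256);
# the 4-byte "public keys" are placeholders, not real RSA keys.
OLD_KSK = (257, 3, 8, b"\x01\x02\x03\x04")
NEW_KSK = (257, 3, 8, b"\x05\x06\x07\x08")
NEW_TRUST_ANCHOR = (key_tag(*NEW_KSK), 8, ds_sha256(ROOT_OWNER_WIRE, *NEW_KSK))

# Constructed query log as seen at a root server; 4a5c/4f66 are KSK-2010/KSK-2017.
SAMPLE_LOG = [
    "192.0.2.10 _ta-4a5c.",        # trusts only KSK-2010
    "192.0.2.11 _ta-4a5c-4f66.",   # has both keys configured
    "192.0.2.10 _ta-4a5c-4f66.",   # the first resolver, after picking up KSK-2017
    "198.51.100.7 _ta-4a5c.",
    "198.51.100.8 www.example.",   # ordinary query, ignored
    "203.0.113.5 _TA-4F66.",       # DNS labels are case-insensitive
]

if __name__ == "__main__":
    print("signal for the real root key tags:", ta_signal_qname([19036, 20326]))
    print("new anchor matches new key:", trust_anchor_matches(NEW_TRUST_ANCHOR, NEW_KSK))
    print("new anchor matches old key:", trust_anchor_matches(NEW_TRUST_ANCHOR, OLD_KSK))
    print(readiness_report(SAMPLE_LOG, 20326))
```

Two design points worth noting: the report keeps only the most recent signal per source, because a resolver that has just added the new key should count as ready rather than as both ready and not ready; and because each signaling resolver is counted once regardless of how many queries it sends, the figure is a count of validators, not of query volume.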

Further Information

For more information on DNSSEC and how to deploy it, please see our Start Here page.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
