Domain Name System (DNS) 6 March 2018

ICANN seeking public comment on Root KSK rollover process for DNSSEC

By Kevin Meynell, Manager, Technical and Operational Engagements

On 11 October 2018, should ICANN roll the Root Key Signing Key (KSK) that is at the heart of DNSSEC? ICANN is planning to restart the rollover process for the Root KSK and is therefore seeking public review of their new plan.  It includes more publicity about the need to be prepared for the rollover, and analysis of data indicating the level of preparedness.

The Plan for Continuing the Root KSK Rollover describes how ICANN intends to roll the root key signing key (KSK), and is based on input from the technical community following their decision to postpone the rollover last year.

Further input is requested by 2 April 2018. This will be used to prepare a final plan that will be presented to the ICANN Board for approval. ICANN is seeking public comments and we encourage you to read the plan and submit your views.

Learn how to submit your comments to ICANN

The Root KSK was originally planned to be rolled over on 11 October 2017, but ICANN postponed the rollover because collected data showed that a significant number of resolvers used by network operators were not ready for it. This meant that significant sections of the Internet could experience issues with resolving DNSSEC-signed domains following the rollover, so it was considered prudent to wait and reach out to affected network operators.

ICANN manages the Root Key Signing Key (KSK) that acts as the trust anchor for DNSSEC in the global Domain Name System. This key is used to sign the VeriSign-managed Root Zone Signing Key (ZSK) that validates the Top-Level Domains (TLDs). The Root KSK needs to be configured in DNSSEC-aware resolvers to allow validation of the chain-of-trust, and by extension all cryptographically-secured records in the DNS.

The current Root KSK has been used since the DNS Root Zone was first signed in 2010, and it’s good practice to change keys periodically. ICANN wanted to attempt this rollover under normal rather than compromised conditions, so it was not imperative that the rollover happened as planned in 2017. Clearly, sufficient DNSSEC resolvers need to have the new trust anchor configured if this process is to be a smooth undertaking.

RFC 8145 (“Signaling Trust Anchor Knowledge”) was published in April 2017, and specifies how recursive name servers can signal to authoritative servers the trust anchors that they have configured for their DNSSEC validation. This was implemented by both Unbound and BIND shortly afterwards, and as organisations began to deploy the new software versions, some of this “key tag data” started appearing in queries to the root name servers. This is useful information for KSK rollovers, especially for the root, but it would seem that the number of recursive name servers providing this data was not as high as one might like for the planned root KSK rollover last year.
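To show how this key tag data can be turned into a preparedness measure, here is an added example (not from the original article or from ICANN) that parses RFC 8145 key tag queries out of an authoritative server's query log and reports which resolvers signal the new trust anchor. The three-field log format and the sample lines are constructed for illustration; the key tags 19036 and 20326 are those of the 2010 and 2017 root KSKs and are not stated in the article.

```python
import re
from collections import defaultdict

KSK_2010 = 19036  # key tag of the root KSK in use since 2010 (0x4a5c)
KSK_2017 = 20326  # key tag of the replacement root KSK (0x4f66)

# RFC 8145 key tag query: a NULL-type query whose first label is "_ta-"
# followed by 4-digit hex key tags joined by "-". At the root the name
# is that single label, e.g. "_ta-4a5c-4f66."
TA_QNAME = re.compile(r"^_ta(-[0-9a-f]{4})+\.?$", re.IGNORECASE)

def parse_key_tags(qname):
    """Return the set of key tags signalled in a root key tag query, or None."""
    if not TA_QNAME.match(qname):
        return None
    return {int(h, 16) for h in qname.rstrip(".").split("-")[1:]}

def summarize(log_lines):
    """Map each source address to 'ready', 'not-ready' or 'unknown'.

    Several validators can share one address (NAT, forwarders), so a source
    counts as ready only if every signal seen from it includes the new key.
    """
    signals = defaultdict(list)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3 or fields[2] != "NULL":
            continue  # not a key tag query in the assumed "src qname qtype" format
        tags = parse_key_tags(fields[1])
        if tags:
            signals[fields[0]].append(tags)
    report = {}
    for src, tag_sets in signals.items():
        if all(KSK_2017 in t for t in tag_sets):
            report[src] = "ready"
        elif any(KSK_2010 in t for t in tag_sets):
            report[src] = "not-ready"
        else:
            report[src] = "unknown"
    return report

# Constructed sample log using documentation address ranges.
SAMPLE_LOG = [
    "192.0.2.10 _ta-4a5c-4f66. NULL",   # trusts both keys
    "192.0.2.11 _ta-4a5c. NULL",        # trusts only the 2010 key
    "198.51.100.7 _ta-4f66. NULL",      # two validators behind one address,
    "198.51.100.7 _ta-4a5c. NULL",      # one of which lacks the new key
    "2001:db8::53 example.com. A",      # ordinary query, carries no signal
]

if __name__ == "__main__":
    for src, status in sorted(summarize(SAMPLE_LOG).items()):
        print(src, status)
```

Resolvers that predate RFC 8145 send no signal at all, so a report like this covers only the part of the resolver population that has been upgraded.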

Further Information

For more information on DNSSEC and how to deploy it, please see our Start Here page.
