Logo
ICANN
ICANN
Filtered Search

Are you sure you want to sign out from http://www.icann.org?

If you want to sign out from both http://www.icann.org and ICANN Account, click here.

ICANN Announcements

Read ICANN Announcements to stay informed of the latest policymaking activities, regional events, and more.

ICANN to Generate New DNS Cryptographic Key at April 2024 Ceremony

28 February 2024

The Internet Corporation for Assigned Names and Numbers (ICANN) is pleased to announce plans to generate a new root zone key signing key (KSK) used by the Domain Name System Security Extensions (DNSSEC). DNSSEC ensures that the information received from the DNS about a domain name is authentic. It helps make the Internet safer for its users.

Generating a new KSK restarts the process announced last year, which was suspended after it was identified that a supplier of key equipment used to store the KSK (known as a Hardware Security Module, or HSM) would be exiting the business during the expected lifespan of the new KSK. Throughout last year, through the Internet Assigned Numbers Authority (IANA) functions, several alternate vendors of HSMs were evaluated and a replacement was selected. An analysis of the selection and its impact accompanies this announcement.

Generating the new key is slated for 26 April 2024 as part of the 53rd KSK Ceremony. The key will be replicated to an alternate facility in the third quarter of 2024. IANA anticipates pre-publishing the key in the DNS starting in January 2025. It will be held in standby for about two years prior to being placed into production use in late 2026. During that time, ICANN will conduct an extensive outreach campaign to enable a seamless transition to the new key for the global Internet community.

The first time a key changed, an event referred to as a rollover, was in 2018. This rollover was considered a success, and followed several years of consultation, design, and testing. The new key generated by the event this April is the first step in the next iteration of that plan.

To learn more, visit the dedicated webpage.

The security and stability of the DNS requires the capability to change keys. Rollovers of the Root KSK, which is the process of replacing one key with another, help exercise these mechanisms to ensure operational readiness.

The new key will use the same cryptographic algorithm and key size that is used currently. A separate project is underway to design the process for changing the cryptographic algorithm used to sign the root zone. This will inform future changes in this area.

To join the discussion related to changing the KSK, subscribe to the ksk-rollover mailing list.

About ICANN

ICANN's mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a nonprofit public benefit corporation with a community of participants from all over the world.
 

You May Also Like