Root Zone KSK Rollover
The DNS root KSK rollover happened at 1600 UTC on 11 October. Please see this announcement for a summary of the rollover.
This page has general information about the recent KSK rollover. If you came here looking how to update to the latest KSK trust anchor, please see https://www.icann.org/dns-resolvers-updating-latest-trust-anchor this page.
Overview
Resources
Get Involved
Milestones
Operational Plans
Communications Plan
News
11 October 2018 – The DNSSEC root KSK was successfully rolled over
18 September 2018 – News Release: Board Approval of KSK Roll
العربية | Español | Français | 日本語 | 한국어 | Português | Pусский | 中文
22 August 2018 – ICANN Publishes Comprehensive Guide on What to Expect During the Root KSK Rollover
18 July 2018 – Minimal User Impact Expected From Root Zone Key Signing Key (KSK) Rollover
13 May 2018 – ICANN Board requests RSSAC, SSAC and RZERC advice on Draft Plan
23 April 2018 – Staff report on the Draft Plan Comments published
1 February 2018 – Announcing Draft Plan For Continuing With The KSK Roll
1 February 2018 – Comments Requested for Draft Plan
18 December 2017 – Update on the Root KSK Rollover Project
27 September 2017 – KSK Rollover Postponed
27 October 2016 – KSK Rollover Operations Begin
Technical Updates
4 March 2019 – Review of the 2018 DNSSEC KSK Rollover published
23 April 2018 – Staff report on the Draft Plan Comments published
18 December 2017 – Update on the Root KSK Rollover Project
17 October 2017 – Postponing the Root KSK Roll
27 September 2017 – ICANN announces a postponement for the KSK Rollover
4 September 2017 – Checking the Current Trust Anchors in DNS Validating Resolvers
4 September 2017 – Updating of DNS Validating Resolvers with the Latest Trust Anchor
11 July 2017 – KSK-2017 is published in the DNS
Overview
On 11 October 2018, ICANN performed a Root Zone Domain Name System Security Extensions (DNSSEC) KSK rollover as required in the Root Zone KSK Operator DNSSEC Practice Statement [TXT, 99 KB].
Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root's "trust anchor." The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS.
Maintaining an up-to-date KSK is essential to ensuring DNSSEC-validating DNS resolvers continue to function following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.
The KSK rollover plans were developed by the Root Zone Management Partners; ICANN in its role as the IANA Functions Operator, Verisign as the Root Zone Maintainer, and the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) as the Root Zone Administrator. The role of NTIA ended on 1 October 2016. The KSK rollover plans were posted in July 2016 and incorporate the community Root Zone KSK Rollover Design Team recommendations [PDF, 1.01 MB].
Resources
Related information and additional resources can be found at:
- Review of the 2018 DNSSEC KSK Rollover
- Checking the Current Trust Anchors in DNS Validating Resolvers
- Updating of DNS Validating Resolvers with the Latest Trust Anchor
- DNSSEC Informational Page
- IANA - Root Zone Management
Get Involved
Ask a Question
Send an email to globalsupport@icann.org with "KSK Rollover" in the subject line to submit your questions.
Join the KSK Rollover Discussion List
Sign up to the mailing list for public discussions on related issues: https://mm.icann.org/listinfo/ksk-rollover
Milestones
- October 27 2016: KSK rollover process begins as the new KSK is generated.
- July 11 2017: Publication of new KSK in DNS.
- September 19 2017: Size increase for DNSKEY response from root name servers.
- 1 February 2018: Public comment period for plan to resume the KSK rollover begins, ends 2 April 2018.
- 23 April 2018: Staff report on the Draft Plan Comments published.
- 13 May 2018: ICANN Board requests RSSAC, SSAC and RZERC advice on Draft Plan.
- 11 October 2018: KSK rollover.
Operational Plans
ICANN published its operational plans for the KSK rollover so that the community could know what to expect. Please see this page for both the operational plans and the plans that were used earlier.
Communications Plan
ICANN executed an extensive outreach campaign to ensure that those who currently use the KSK knew about the change.