In October 2017, ICANN plans to roll, or change, the “top” pair of cryptographic keys used in the DNSSEC protocol, commonly known as the Root Zone KSK (Key Signing Key). This is a significant change because every Internet query using DNSSEC relies on the root zone KSK to validate the response it receives.
I had a chat with ISC’s Eddy Winstead today to discuss the KSK rollover process and what network operators performing DNSSEC validation need to do (particularly those using ISC’s BIND) to avoid service disruption during the rollover.
- July 11, 2017: Publication of new KSK in DNS.
- September 19, 2017: Size increase for DNSKEY response from root name servers.
- October 11, 2017: New KSK begins to sign the root zone key set (the actual rollover event).
- January 11, 2018: Revocation of old KSK.
For more details, be sure to check out ICANN’s comprehensive Root Zone KSK Rollover portal.