ICANN’s KSK Rollover: What You Need to Know [Archived]

By Erin Pratt

*Important Note: ICANN has announced a draft plan for continuing with the KSK roll. The plan calls for rolling the root zone KSK on 11 October 2018 (one year later than originally planned.) Learn more.

ICANN is planning to roll, or change, the “top” pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol, known as the Root Zone KSK. This will be the first time the KSK has been changed since it was initially generated in 2010. Changing these keys is an important step to take to ensure security, similar to how changing passwords is considered to be an important safety measure.

According to the ICANN website, “Maintaining an up-to-date KSK is essential to ensuring DNSSEC-signed domain names continue to validate following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-enabled validators will be unable to verify that DNS responses have not been tampered with and thus will return an error response to all DNSSEC-signed queries.”

What does this rollover mean?

Rolling the KSK means generating a new cryptographic key pair and distributing the new public component to everyone who operates validating resolvers.

Once the new keys have been generated, network operators performing DNSSEC validation will need to update their systems with the new key so that when a user attempts to visit a website, it can validate it against the new KSK.

Who will be affected?

According to ICANN, about one-in-four global Internet users, or 750 million people, could be affected by the KSK rollover. That figure is based on the estimated number of Internet users who use DNSSEC validating resolvers.

ICANN is encouraging you to test and check your systems prior to the KSK rollover to confirm what action is needed. They have provided a free testbed to help you determine whether your systems can handle automated updates properly.

Network Operators who update DNSSEC-enabled resolver trust anchor configuration manually should ensure that the new root zone KSK is configured before October 11, 2017.

Anyone who writes, integrates, distributes or operates software supporting DNSSEC validation that correctly follows the RFC 5011 automatic trust anchor protocol does not need to take any action.

Do you need to change anything with ARIN?

No. There is no action that you need to take with us. We are simply passing this message along to ensure our community is aware of this impactful change. We are not involved in the rollover itself, nor will anything here at ARIN change as a result of the rollover.

When is the rollover taking place?

The change will occur in a phased approach. The important dates to be aware of include:

• 11 July 2017: New KSK published in DNS

• 19 September 2017: Size increase for DNSKEY response from root name servers

• 11 October 2017: New KSK begins to sign the root zone key set (This is the actual rollover event)*

• 11 January 2018: Revocation of old KSK

• 22 March 2018: Last day the old KSK appears in the root zone

• August 2018: Old key is deleted from equipment in both ICANN Key Management Facilities

Want to learn more? Check out these resources from ICANN:

Links:

• ICANN KSK Rollover website

• ICANN automated trust anchor update testbed

Documents

• Quick Guide: Prepare Your Systems for the Root KSK Rollover

• KSK Rollover at a Glance

• [KSK Rollover: Q+A](https://www.icann.org/en/system/files/files/ksk-rollover-questions-answers-31oct16-en.pdf)

Have a Question?

Send an email to globalsupport@icann.org with “KSK Rollover” in the subject line to submit your questions.