ICANN’s Updated KSK Roll Operational Implementation Plan [Archived]

By Erin Pratt

ICANN has announced their plan to continue with the KSK roll. The plan calls for rolling the root zone KSK on 11 October 2018 (one year later than originally planned.)

Background

ICANN is planning to roll, or change, the “top” pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol, known as the Root Zone KSK. This will be the first time the KSK has been changed since it was initially generated in 2010. Changing these keys is an important step to take to ensure security, similar to how changing passwords is considered to be an important safety measure.

According to the ICANN website, “Maintaining an up-to-date KSK is essential to ensuring DNSSEC-signed domain names continue to validate following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-enabled validators will be unable to verify that DNS responses have not been tampered with and thus will return an error response to all DNSSEC-signed queries.”

What does this rollover mean?

Rolling the KSK means generating a new cryptographic key pair and distributing the new public component to everyone who operates validating resolvers.

Once the new keys have been generated, network operators performing DNSSEC validation will need to update their systems with the new key so that when a user attempts to visit a website, it can validate it against the new KSK.

Who will be affected?

According to ICANN, about one-in-four global Internet users, or 750 million people, could be affected by the KSK rollover. That figure is based on the estimated number of Internet users who use DNSSEC validating resolvers.

ICANN is encouraging you to test and check your systems prior to the KSK rollover to confirm what action is needed. They have provided a free testbed to help you determine whether your systems can handle automated updates properly.

Network Operators who update DNSSEC-enabled resolver trust anchor configuration manually should ensure that the new root zone KSK is configured before 11 October 2018.

Anyone who writes, integrates, distributes or operates software supporting DNSSEC validation that correctly follows the RFC 5011 automatic trust anchor protocol does not need to take any action.

Do you need to change anything with ARIN?

No. There is no action that you need to take with us. We are simply passing this message along to ensure our community is aware of this impactful change. We are not involved in the rollover itself, nor will anything here at ARIN change as a result of the rollover.

When is the rollover taking place?

The change will occur in a phased approach. ICANN has instructed readers to look at the original plan, understanding that any dates listed as 11 October 2017 or later should simply be incremented by exactly one year. For example, the new planned rollover date is 11 October 2018; the new date on which KSK-2010 KSK is published as revoked is 11 January 2019; and so on.

• 11 October 2018: New KSK begins to sign the root zone key set (This is the actual rollover event)*

• 11 January 2019: Revocation of old KSK

• 22 March 2019: Last day the old KSK appears in the root zone

• August 2019: Old key is deleted from equipment in both ICANN Key Management Facilities

Want to learn more? Check out these resources from ICANN:

• ICANN KSK Rollover website

• ICANN automated trust anchor update testbed

• Quick Guide: Prepare Your Systems for the Root KSK Rollover

• KSK Rollover at a Glance

Have a Question?

Send an email to globalsupport@icann.org with “KSK Rollover” in the subject line to submit your questions.