Trust Anchors and Rollovers
The Root Key Signing Key (KSK) acts as the trust anchor for DNSSEC in the Domain Name System. This trust anchor is configured in DNSSEC-aware resolvers so that they can validate DNS data.
This page contains data on the trust anchors for the DNS, as well as information on operational plans to change these keys (events known as key rollovers).
Root Zone Trust Anchors
IANA distributes an XML file containing the details of the trust anchor set, which validating resolvers can use to verify DNS root zone data. These files, and the considerations for updating the trust anchor, are described in DNSSEC Trust Anchor Publication for the Root Zone (draft-ietf-dnsop-rfc7958bis).
File | Description |
---|---|
root-anchors.xml | DNS Root Trust Anchors (updated 2024-11-05) |
root-anchors.p7s | Signature to verify the DNS Root Trust Anchors file (S/MIME) |
icannbundle.pem | Certificates for validating the S/MIME signature (the ICANN CA). |
Validators should keep this data up-to-date. Consider the following:
- Operators of validating resolvers and other end-users of the DNSSEC trust anchors should follow their vendor's instructions for updating the trust anchors. Vendors will differ in how and when they distribute updates according to their requirements for distributing trust anchors.
- Many software packages and systems will be configured to automatically update their trust anchors using the mechanism described in Automated Updates of DNS Security (DNSSEC) Trust Anchors (RFC 5011). This mechanism establishes trust for the new key based on a period of observing the new key in the DNS root zone, signed by the current key.
- Software vendors often package and distribute up-to-date trust anchors through their regular software update mechanisms.
IANA provides a standalone tool that retrieves the root trust anchors and verifies their accuracy, providing the root zone trust anchors in both DS and DNSKEY formats.
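As an added example (not IANA's tool or any code from this page), the following Python reads the root-anchors.xml layout defined in RFC 7958, selects the anchors valid at a given instant, renders them as DS records, and checks a root DNSKEY against an anchor by recomputing the RFC 4034 key tag and the SHA-256 DS digest. The XML sample is constructed with all-zero placeholder digests (the key tags and labels are those from the table above), and the DNSKEY bytes used in the check are made up, not a real root key.

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the root-anchors.xml layout (RFC 7958): key tags and labels are those in
# the key status table below; each <Digest> is an all-zero PLACEHOLDER, not a real root KSK digest.
SAMPLE_XML = """<TrustAnchor id="sample" source="https://data.iana.org/root-anchors/root-anchors.xml"><Zone>.</Zone>
<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00"><KeyTag>19036</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>{z}</Digest></KeyDigest>
<KeyDigest id="Klajeyz" validFrom="2017-02-02T00:00:00+00:00"><KeyTag>20326</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>{z}</Digest></KeyDigest>
<KeyDigest id="Kmyv6jo" validFrom="2025-01-11T00:00:00+00:00"><KeyTag>38696</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>{z}</Digest></KeyDigest>
</TrustAnchor>""".format(z="00" * 32)

@dataclass
class Anchor:
    label: str; key_tag: int; algorithm: int; digest_type: int; digest: str
    valid_from: datetime; valid_until: "datetime | None"

def parse_trust_anchors(xml_text):
    """Read every <KeyDigest> of a root-anchors.xml document into Anchor records."""
    anchors = []
    for kd in ET.fromstring(xml_text).findall("KeyDigest"):
        until = kd.get("validUntil")
        anchors.append(Anchor(kd.get("id"), int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
                              int(kd.findtext("DigestType")), kd.findtext("Digest").strip().upper(),
                              datetime.fromisoformat(kd.get("validFrom")),
                              datetime.fromisoformat(until) if until else None))
    return anchors

def active_anchors(anchors, at_iso):
    """Anchors whose window covers an ISO-8601 instant; a missing validUntil means open-ended."""
    at = datetime.fromisoformat(at_iso)
    return [a for a in anchors if a.valid_from <= at and (a.valid_until is None or at < a.valid_until)]

def to_ds_records(anchors):
    """Render anchors as DS presentation records for a resolver's trust-anchor file."""
    return [f". IN DS {a.key_tag} {a.algorithm} {a.digest_type} {a.digest}" for a in anchors]

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, algorithm, public key)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest_sha256(rdata):
    """DS digest type 2: SHA-256 over the owner name in wire form (root = one zero byte) + RDATA."""
    return hashlib.sha256(b"\x00" + rdata).hexdigest().upper()

def dnskey_matches(anchor, rdata):
    """Does a root DNSKEY RDATA match this anchor's key tag, algorithm and SHA-256 digest?"""
    return (anchor.digest_type == 2 and anchor.algorithm == rdata[3]
            and anchor.key_tag == key_tag(rdata) and anchor.digest == ds_digest_sha256(rdata))
```

Feed `parse_trust_anchors` the downloaded root-anchors.xml only after the root-anchors.p7s signature has been verified against icannbundle.pem; the parser itself trusts whatever it is given.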
Rollovers
The process of changing the signing key is known as a rollover. Rollovers are an important process in the management of DNSSEC, ensuring the ongoing security of the protocol as the cryptographic landscape evolves. Important dates regarding the current rollover are shown below:
Event | Expected Date | Description |
---|---|---|
Publication | 11 January 2025 | The successor key is scheduled to appear in the DNS root zone. |
- | 10 February 2025 | The successor key should begin to be trusted by resolvers that follow the mechanisms described in RFC 5011. |
Rollover | 11 October 2026 | The successor key is scheduled to sign the zone; the current key will not sign the zone. Validating resolvers must have updated trust anchors to continue validating the root zone. |
We plan an idealized three-year rollover interval, publishing the key in the DNS for about two years in a standby state before the rollover. Generation of the successor key follows each rollover.
The three-year rollover strikes a responsible balance: procedures and software remain sufficiently agile to adopt new keys as they are commissioned, without introducing undue operational complexity through overly frequent changes to the KSK. The standby period provides a lengthy pre-publication and consequently allows the new KSK to be used earlier if a rollover needs to be expedited. More information on the schedule and motivation is available in our Proposal for Future Root Zone KSK Rollovers.
Key status
This table provides information on the keys generated for Root Zone KSK operations. Software implementers should rely on the XML trust anchors file for the normative key parameters.
Informal Name | Status | Details |
---|---|---|
KSK-2024 | Pre-Publication | Generated 2024-04-26 (attestation) with key tag 38696 and label Kmyv6jo. Expected to supersede KSK-2017. |
KSK-2017 | Active | Generated 2016-10-27 (attestation) with key tag 20326 and label Klajeyz. Signing since 2018-10-11. |
KSK-2023 | Abandoned | Generated 2023-04-27 (attestation) with key tag 46211 and label Kmrfl3b. Will not be used, superseded by KSK-2024. |
KSK-2010 | Retired | Generated 2010-06-16 (attestation) with key tag 19036 and label Kjqmt7v. Signing between 2010-07-15 and 2018-10-11. |
Keep informed
Operational announcements regarding trust anchors and rollovers are published on the root-dnssec-announce mailing list. A separate ksk-rollover mailing list is a forum for discussion specific to rollovers.
Major updates will also be communicated through ICANN’s announcement channels.