Forthcoming Root Zone KSK rollover
22 June 2017
IANA is promoting awareness of an important operational development for the Domain Name System (DNS) root zone that may impact DNS operations. We are asking for help to spread awareness of this important change throughout your communities.
For the first time, the root zone’s key signing key (KSK) is being changed in a process called a “root KSK rollover.” This key is configured by DNSSEC validators as the trust anchor, or trusted starting point, for DNSSEC validation. We plan to start using the new root zone trust anchor (referred to as KSK-2017) to sign the root zone apex DNSKEY records on 11 October 2017.
This change is being widely and carefully coordinated with operators that have enabled DNSSEC validation to ensure that the rollover does not interfere with normal operations.
If you operate a validating resolver service, you might need to take action. If your resolver software supports automated updates of DNSSEC trust anchors (RFC 5011), its configuration should update automatically to recognize KSK-2017 at the appropriate time. We encourage you to utilize ICANN’s testing platform to confirm that your software supports the ability to handle the rollover without manual intervention. The testing platform can be found at https://go.icann.org/KSKtest.
However, if your resolver software does not support automated updates of DNSSEC trust anchors or is not configured to use it, the software’s trust anchor file must be manually updated. KSK-2017 is available at https://data.iana.org/root-anchors.
This change will not impact any Delegation Signer records for TLDs that are present in the root zone.
For more information on the root KSK rollover visit: https://www.icann.org/resources/pages/ksk-rollover.