Update to DNSSEC trust anchors
24 July 2024
IANA has published an update to the trust anchors for DNSSEC. This update adds a new key that is planned to be used to sign the DNS root zone starting in 2026.
Software vendors and system package maintainers are encouraged to begin their processes for distributing this new trust anchor. The new trust anchor is currently available in a format suitable for constructing a DS record. The file is expected to be expanded in October 2024 to add data for also constructing the associated DNSKEY record.
We plan to pre-publish the new KSK in the DNS starting on 11 January 2025, with a standby period of nearly two years before a rollover in October 2026. This provides ample opportunity to propagate the new trust anchor, and also provides the capability to roll to it sooner should an emergency rollover be required. Discussion relating to this rollover is encouraged at our ksk-rollover mailing list.