Root KSK rollover resumed: switch now scheduled for 11 October

ICANN has restarted the rollover of the root KSK pair: the switch will now take place on 11 October 2018. In other words, ICANN will then replace the current cryptographic key pair that forms the basis of the DNSSEC infrastructure (KSK-2010) with a new key pair (KSK-2017).

DNSSEC-validating resolver operators will (again!) have to check that their systems have functional KSK-2017 trust anchors. If a validating resolver doesn't have the new trust anchor installed by 11 October 2018, all internet domains will become unreachable for any user or application relying on that resolver. In practice, such problems won't occur until a little after the eleventh, due to the forty-eight-hour TTL of the DNSKEY records saved in the resolver's cache.

ICANN itself expects that only a small number of users — fewer than 1 per cent — will encounter problems caused by resolvers with out-of-date DNSSEC configurations.


Originally, the root KSK pair rollover was supposed to take place a year ago. However, shortly before the scheduled rollover date, ICANN postponed it, due to fears that many internet users would encounter problems if the rollover went ahead on the planned day. The rollover proper has now been rescheduled for 11 October 2018, exactly a year after the original date.

Validating resolvers that support RFC 5011 should by now have installed and activated the new public root KSK as a trust anchor. If you're still using software that doesn't support RFC 5011 and you haven't yet manually installed the new trust anchor, it's very important that you do it soon. Regardless of your set-up, we recommend checking that the new trust anchor is working properly, even if you've already done so previously.
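One way to sanity-check a resolver's trust anchor file, as an added example that is not from the original article: it assumes the anchors are stored as zone-file-style DNSKEY lines, computes each key's tag per RFC 4034 Appendix B, and looks for the published key tags 19036 (KSK-2010) and 20326 (KSK-2017), which the article itself does not state. The function names and sample records are constructed for illustration.

```python
import base64
import struct

# Published key tags of the two root KSKs (well-known values, not from this article).
KSK_2010_TAG = 19036
KSK_2017_TAG = 20326

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY record, as defined in RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def root_ksk_tags(anchor_text):
    """Return the key tags of all root-zone DNSKEY anchors that have the SEP bit set."""
    tags = set()
    for line in anchor_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "DNSKEY" not in fields or fields[0] != ".":
            continue
        idx = fields.index("DNSKEY")
        try:
            flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
            key = base64.b64decode("".join(fields[idx + 4:]), validate=True)
        except ValueError:
            continue  # malformed record: skip it rather than count it
        if flags & 0x0001 and key:  # SEP bit marks a key-signing key
            tags.add(key_tag(flags, protocol, algorithm, key))
    return tags

def rollover_status(anchor_text):
    """Classify an anchor file as ready for the rollover or not."""
    tags = root_ksk_tags(anchor_text)
    if KSK_2017_TAG in tags:
        return "ready"
    return "missing KSK-2017" if KSK_2010_TAG in tags else "no root KSK found"

# Constructed samples: two-byte placeholder "keys" chosen only so that their
# checksums equal the published tags. They are not the real root keys.
OLD_ONLY = ". 172800 IN DNSKEY 257 3 8 RlM= ; constructed\n"
BOTH = OLD_ONLY + ". 172800 IN DNSKEY 257 3 8 S10= ; constructed\n"

if __name__ == "__main__":
    for name, text in (("old only", OLD_ONLY), ("both", BOTH)):
        print(name, sorted(root_ksk_tags(text)), rollover_status(text))
```

A key tag is only a 16-bit checksum, so a match shows that the expected anchor is configured, not that it is the genuine key or that the resolver actually validates with it; confirming that validation works remains a separate step.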

More information:

These are the articles we have previously published about the root KSK rollover:

In addition, the following two hands-on articles provide detailed guidance on the configuration of BIND named and Infoblox appliances as validating resolvers, including information relating specifically to installation of the new trust anchor:

