Root KSK rollover resumed: switch now scheduled for 11 October

ICANN has restarted the rollover of the root KSK pair: the switch will now take place on 11 October 2018. In other words, ICANN will then replace the current cryptographic key pair that forms the basis of the DNSSEC infrastructure (KSK-2010) with a new key pair (KSK-2017).

DNSSEC-validating resolver operators will (again!) have to check that their systems have functional KSK-2017 trust anchors. If a validating resolver doesn't have the new trust anchor installed by 11 October 2018, all internet domains will become unreachable for any user or application relying on that resolver. In practice, such problems won't occur until a little after the eleventh, due to the forty-eight-hour TT of the DNSKEY records saved in the resolver's cache.

ICANN itself expects that only a small number of users — fewer than 1 per cent — will encounter problems caused by resolvers with out-of-date DNSSEC configurations.

Urgent!

Originally, the root KSK pair rollover was supposed to take place a year ago. However, shortly before the scheduled rollover date, ICANN postponed it, due to fears that many internet users would encounter problems if the rollover went ahead on the planned day. The rollover proper has now been rescheduled for 11 October 2018, exactly a year after the original date.

Validating resolvers that support RFC 5011 should by now have installed and activated the new public root KSK as a trust anchor. If you're still using software that doesn't support RFC 5011 and you haven't yet manually installed the new trust anchor, it's very important that you do it soon. Regardless of your set-up, we recommend checking that the new trust anchor is working properly, even if you've already done so previously.

More information:

These are the articles we have previously published about the root KSK rollover:

In addition, the following two hands-on articles provide detailed guidance on the configuration of BIND named and Infoblox appliances as validating resolvers, including information relating specifically to installation of the new trust anchor:

Comments

  • Wednesday 25 July 2018

    SIDN Labs

    How is IPv6 support measured for the Registrar Scorecard?

    Thumb-IPv6

    How we go about it

    Read more
  • Tuesday 26 March 2019

    .nl domain name

    Our terms and conditions are changing

    Thumb-man-examining-a-document-with-a-magnifying-glass

    New T&Cs effective from 1 May 2019

    Read more
  • Wednesday 17 April 2019

    DNSSEC

    Trust anchor installation for new root KSK

    Thumb-secure

    Prevent websites becoming unreachable

    Read more

Sorry

Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.