Root KSK rollover resumed: switch now scheduled for 11 October

ICANN has restarted the rollover of the root KSK pair: the switch will now take place on 11 October 2018. In other words, ICANN will then replace the current cryptographic key pair that forms the basis of the DNSSEC infrastructure (KSK-2010) with a new key pair (KSK-2017).

DNSSEC-validating resolver operators will (again!) have to check that their systems have functional KSK-2017 trust anchors. If a validating resolver doesn't have the new trust anchor installed by 11 October 2018, all internet domains will become unreachable for any user or application relying on that resolver. In practice, such problems won't occur until a little after the eleventh, due to the forty-eight-hour TTL of the DNSKEY records saved in the resolver's cache.

ICANN itself expects that only a small number of users — fewer than 1 per cent — will encounter problems caused by resolvers with out-of-date DNSSEC configurations.

Urgent!

Originally, the root KSK pair rollover was supposed to take place a year ago. However, shortly before the scheduled rollover date, ICANN postponed it, due to fears that many internet users would encounter problems if the rollover went ahead on the planned day. The rollover proper has now been rescheduled for 11 October 2018, exactly a year after the original date.

Validating resolvers that support RFC 5011 should by now have installed and activated the new public root KSK as a trust anchor. If you're still using software that doesn't support RFC 5011 and you haven't yet manually installed the new trust anchor, it's very important that you do it soon. Regardless of your set-up, we recommend checking that the new trust anchor is working properly, even if you've already done so previously.
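One way to run that check offline is sketched below. It is an added example, not code from ICANN or any resolver project. It reads a trust anchor file, computes each root KSK's key tag as defined in RFC 4034 Appendix B, and reports whether KSK-2017 is present. Assumptions: the file holds zone-file-style DNSKEY records, one per line; the well-known key tags 19036 (KSK-2010) and 20326 (KSK-2017) are not from this article; the sample records use constructed two-byte stand-in keys chosen to produce those tags.

```python
import base64
import struct

KSK_2010_TAG = 19036  # key tag of the outgoing root KSK (assumed, not from the article)
KSK_2017_TAG = 20326  # key tag of the incoming root KSK (assumed, not from the article)

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def anchor_tags(text):
    """Key tags of root-zone DNSKEY records that have the SEP bit set (KSKs)."""
    tags = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "DNSKEY" not in fields or fields[0] != ".":
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
        if flags & 0x0001:  # SEP bit: 257 = KSK, 256 = ZSK
            tags.add(key_tag(flags, protocol, algorithm, "".join(fields[i + 4:])))
    return tags

def rollover_status(text):
    """Classify a trust anchor file against the rollover."""
    tags = anchor_tags(text)
    if KSK_2017_TAG in tags:
        return "ready"
    if KSK_2010_TAG in tags:
        return "KSK-2010 only: install KSK-2017"
    return "no root trust anchor found"

# Constructed sample input: stand-in keys, NOT the real root keys. A key tag is
# a 16-bit checksum, so after a match compare the full key with IANA's copy.
OLD_ONLY = ". 172800 IN DNSKEY 257 3 8 RlM= ; constructed stand-in for KSK-2010\n"
BOTH = OLD_ONLY + ". 172800 IN DNSKEY 257 3 8 S10= ; constructed stand-in for KSK-2017\n"

if __name__ == "__main__":
    print(rollover_status(OLD_ONLY))
    print(rollover_status(BOTH))
```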

More information:

These are the articles we have previously published about the root KSK rollover:

In addition, the following two hands-on articles provide detailed guidance on the configuration of BIND named and Infoblox appliances as validating resolvers, including information relating specifically to installation of the new trust anchor:
