Root KSK rollover resumed: switch now scheduled for 11 October

ICANN has restarted the rollover of the root KSK pair: the switch will now take place on 11 October 2018. In other words, ICANN will then replace the current cryptographic key pair that forms the basis of the DNSSEC infrastructure (KSK-2010) with a new key pair (KSK-2017).

DNSSEC-validating resolver operators will (again!) have to check that their systems have functional KSK-2017 trust anchors. If a validating resolver doesn't have the new trust anchor installed by 11 October 2018, all internet domains will become unreachable for any user or application relying on that resolver. In practice, such problems won't occur until a little after the eleventh, due to the forty-eight-hour TTL of the DNSKEY records saved in the resolver's cache.

ICANN itself expects that only a small number of users — fewer than 1 per cent — will encounter problems caused by resolvers with out-of-date DNSSEC configurations.

Urgent!

Originally, the root KSK pair rollover was supposed to take place a year ago. However, shortly before the scheduled rollover date, ICANN postponed it, due to fears that many internet users would encounter problems if the rollover went ahead on the planned day. The rollover proper has now been rescheduled for 11 October 2018, exactly a year after the original date.

Validating resolvers that support RFC 5011 should by now have installed and activated the new public root KSK as a trust anchor. If you're still using software that doesn't support RFC 5011 and you haven't yet manually installed the new trust anchor, it's very important that you do it soon. Regardless of your set-up, we recommend checking that the new trust anchor is working properly, even if you've already done so previously.
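As a starting point for that check, the following added example (not taken from the original article) reads a trust-anchor file containing root DS or DNSKEY records in zone-file presentation format and reports whether KSK-2017 is among them. The key tags 19036 and 20326 are ICANN's published values and are an assumption not stated on this page; the sample records and the names `rollover_status` and `root_anchor_tags` are constructed for illustration.

```python
import base64
import re

# Root KSK key tags as published by ICANN (assumed here; not stated on the page).
KSK_2010_TAG = 19036
KSK_2017_TAG = 20326

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag of a DNSKEY, computed as in RFC 4034 Appendix B."""
    rdata = bytes([flags >> 8, flags & 0xFF, protocol, algorithm])
    rdata += base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

# Root-zone DS or DNSKEY record; TTL and class are optional.
ROOT_RR = re.compile(r"^\.\s+(?:\d+\s+)?(?:IN\s+)?(DNSKEY|DS)\s+(.+)$", re.I)

def root_anchor_tags(anchor_text):
    """Return the key tags of all root trust anchors found in the text."""
    tags = set()
    for line in anchor_text.splitlines():
        match = ROOT_RR.match(line.split(";", 1)[0].strip())
        if not match:
            continue
        fields = match.group(2).split()
        if match.group(1).upper() == "DS":
            tags.add(int(fields[0]))          # DS carries the key tag directly
        else:
            flags, protocol, algorithm = (int(f) for f in fields[:3])
            if flags & 1:                     # SEP bit set: a key-signing key
                tags.add(key_tag(flags, protocol, algorithm, "".join(fields[3:])))
    return tags

def rollover_status(anchor_text):
    tags = root_anchor_tags(anchor_text)
    if KSK_2017_TAG in tags:
        return "ready"
    if KSK_2010_TAG in tags:
        return "stale"      # only the outgoing key: validation fails after the switch
    return "no-root-anchor"

# Constructed sample anchor files; the digests are placeholders, not real values.
STALE = ". 172800 IN DS 19036 8 2 ABCD ; constructed\n"
READY = STALE + ". IN DS 20326 8 2 EF01 ;{id = 20326 (ksk)}\n"

if __name__ == "__main__":
    print(rollover_status(STALE), rollover_status(READY))
```

A "ready" result only shows that the anchor is configured; it does not prove that the resolver is actually validating with it, so it complements rather than replaces a live validation test.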

More information:

These are the articles we have previously published about the root KSK rollover:

In addition, the following two hands-on articles provide detailed guidance on the configuration of BIND named and Infoblox appliances as validating resolvers, including information relating specifically to installation of the new trust anchor:
