ICANN replaces secret DNSSEC keys
KSK rollover now under way
Last autumn, ICANN began the rollover of its Key Signing Keys. The rollover involves replacing the cryptographic key pair for the root zone: the trust anchor on which the entire DNSSEC infrastructure rests. The keys have to be changed periodically for security reasons. This will be the first time that they have been rolled over since DNSSEC was introduced in 2010.
Rollover follows a carefully controlled procedure
ICANN's rollover is now in progress. A strictly defined and carefully controlled procedure has to be followed. That takes quite some time: about two years from start to finish. The rollover will be complete in August 2018. As long as nothing goes wrong, end users won't be aware of any change.
Important role for DNSSEC operators
At the local level, validating resolver operators have an important role to play in the rollover. If you operate a validating resolver, you need to add the new (public) key to your servers as a trust anchor and later remove the old key from your system. If the new key is missing when the root zone switches to it, your resolver will no longer be able to validate the digital signatures of domain names under any of the top-level domains (TLDs), and all internet domains will become unreachable for everyone relying on that resolver.
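The following is an added example, not code from this article or from ICANN or SIDN. It models the operator-side bookkeeping described above: a validating resolver can only validate the root DNSKEY RRset if the KSK that signs it is in the resolver's trust-anchor set, so the new key has to be added before the root switches to it and the old key may only be removed afterwards. The DNSKEY records in it are constructed sample keys (arbitrary bytes shaped like an RSA public key, algorithm 8), not the real root keys; the key-tag and DS computations follow RFC 4034 Appendix B and RFC 4509, so the same functions apply to real records copied from dig output.

```python
"""Trust-anchor bookkeeping for a root KSK rollover (added example)."""
import base64
import hashlib
from dataclasses import dataclass

KSK_FLAGS = 257  # ZONE (256) + SEP (1): marks a key signing key


@dataclass(frozen=True)
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        # DNSKEY RDATA wire format: flags(2) protocol(1) algorithm(1) key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    @property
    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit sum over the RDATA, high byte first
        ac = 0
        for i, b in enumerate(self.rdata):
            ac += b << 8 if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_sha256(self) -> str:
        # RFC 4509: DS digest = SHA-256(owner name in wire format || RDATA)
        digest = hashlib.sha256(wire_name(self.owner) + self.rdata).hexdigest().upper()
        return f"{self.owner} IN DS {self.key_tag} {self.algorithm} 2 {digest}"


def wire_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format ('.' becomes a single zero byte)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(line: str) -> DnsKey:
    """Parse a DNSKEY record in presentation format, e.g. a line printed by dig."""
    fields = line.split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY record")
    i = fields.index("DNSKEY")  # TTL and class before it are optional
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return DnsKey(fields[0], flags, protocol, algorithm, key)


class TrustAnchorStore:
    """The set of root KSKs a validating resolver is configured to trust."""

    def __init__(self, *keys: DnsKey):
        self._tags = {k.key_tag for k in keys}

    def add(self, key: DnsKey) -> None:
        if key.flags != KSK_FLAGS:
            raise ValueError("trust anchors must be key signing keys (flags 257)")
        self._tags.add(key.key_tag)

    def remove(self, key: DnsKey) -> None:
        self._tags.discard(key.key_tag)

    def can_validate_root(self, signing_key: DnsKey) -> bool:
        """True if the KSK signing the root DNSKEY RRset is a trusted anchor.

        If it is not, the chain of trust breaks at the root and the resolver
        answers SERVFAIL for every name: the outage the article warns about."""
        return signing_key.key_tag in self._tags


def simulate_rollover(old: DnsKey, new: DnsKey, operator_adds_new_key: bool):
    """Walk through the rollover phases; each entry is (phase, validation still works)."""
    store = TrustAnchorStore(old)
    timeline = []
    # Phase 1: the new KSK is published in the root zone, the old KSK still signs.
    timeline.append(("new key published, old key signs", store.can_validate_root(old)))
    # Phase 2: operators add the new anchor (by hand or via RFC 5011 automated updates).
    if operator_adds_new_key:
        store.add(new)
    timeline.append(("operator adds new key" if operator_adds_new_key
                     else "operator does nothing", store.can_validate_root(old)))
    # Phase 3: the root zone switches to signing its DNSKEY RRset with the new KSK.
    timeline.append(("new key signs", store.can_validate_root(new)))
    # Phase 4: the old key is removed; only the new anchor should remain.
    store.remove(old)
    timeline.append(("old key removed", store.can_validate_root(new)))
    return timeline


# Constructed sample keys; the key bytes are arbitrary, NOT the real root KSKs.
OLD_KSK = parse_dnskey(". 172800 IN DNSKEY 257 3 8 "
                       + base64.b64encode(bytes([3, 1, 0, 1]) + bytes([0x10] * 8)).decode())
NEW_KSK = parse_dnskey(". 172800 IN DNSKEY 257 3 8 "
                       + base64.b64encode(bytes([3, 1, 0, 1]) + bytes([0x20] * 8)).decode())

if __name__ == "__main__":
    for key in (OLD_KSK, NEW_KSK):
        print(key.ds_sha256())
    for phase, ok in simulate_rollover(OLD_KSK, NEW_KSK, operator_adds_new_key=False):
        print(f"{'OK  ' if ok else 'FAIL'} {phase}")
```

Run as a script it prints the DS form of both sample keys (the form in which trust anchors are usually published and compared) and then the timeline for an operator who never adds the new key: validation works until the root starts signing with the new KSK and fails from that point on. Passing `operator_adds_new_key=True` gives the uneventful rollover the article describes.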
What you need to do in the short term
If you're a DNSSEC operator and you'd like to know more about the rollover and your part in it, we can help. Check out our special question and answer resource.
Key signing keys for .nl already replaced
We rolled over the Key Signing Keys for the .nl domain last year. Like the root zone rollover, it was the first since 2010. To ensure the reliability of the DNSSEC infrastructure, a strict security protocol had to be followed. The old key pair was phased out of the .nl zone in summer 2016, and we are pleased to report that everything went without a hitch.