At the end of April this year, the 57th DNS Root Key Signing Key Ceremony took place at the facility on the east coast of the United States. Pía Gruvö, Ondřej Filip, Nomsa Mwayenga, and I participated as Cryptographic Officers.
This time, it was a regular process of signing the ZSK, which will be published in the third and fourth quarters of the year, and of continuing the pre-publication of the new KSK. Since we are currently in the middle of the KSK rollover process, we must be careful to generate different scenarios, considering emergency situations such as the retirement of the new KSK. That said, everything appears to be fine for now. A study conducted by Duane Wessels of Verisign shows that resolvers have accepted the new key at a rate of 90% after the month-long wait since it appeared in the root keyset in February 2025.
A new version of the operating system and HSM control tools, called coen v2.0.1, was used for this 57th ceremony.
Once again, the ceremony was executed flawlessly. Since becoming a Crypto Officer two years ago, this was the first ceremony with no exceptions to the script!
In the DNS root keyset, there are now two KSKs [the current (20326) and the new key (38696)], ZSK 53148 and its future replacement, 46441, which is scheduled to appear at the end of June, all signed by the current KSK 20326.
I’d also like to mention that during the recent LACNIC43 meeting held in Sao Paulo, Brazil, I gave a presentation at the Technical Forum on the KSK key rollover. This presentation focused on ISP operators and companies operating DNS resolvers, as they should be aware of the final date in October 2026 and check their systems to verify that they already have the new KSK (either through automatic rotation via RFC5011 or through updates to their operating systems or DNS software). I also took the opportunity to present a beta version of a tool based on the RFC8509 sentinel technique which allows checking whether our DNS provider is ready for the next DNSSEC root key rollover. This tool is available at https://test.kskroll.vulcano.cl/
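The RFC 8509 sentinel check mentioned above can be sketched as follows. This is an added example, not the code of the tool linked in the post: it builds the three query names for key tag 38696 and maps the observed outcomes to the resolver classes defined in RFC 8509. The zone `example.net` and the `invalid` label are placeholders, and the sample observations are constructed.

```python
from typing import NamedTuple

NEW_KSK_TAG = 38696        # key tag of the new root KSK, taken from the post
TEST_ZONE = "example.net"  # assumption: placeholder for a signed test zone


class Probe(NamedTuple):
    """Outcome per query: True = address returned, False = SERVFAIL."""
    is_ta: bool
    not_ta: bool
    invalid: bool


def sentinel_names(key_tag: int, zone: str = TEST_ZONE) -> dict:
    """Build the three names to query (RFC 8509 pads the tag to 5 digits)."""
    if not 0 <= key_tag <= 0xFFFF:
        raise ValueError("key tag must fit in 16 bits")
    tag = f"{key_tag:05d}"
    return {
        "is_ta": f"root-key-sentinel-is-ta-{tag}.{zone}",
        "not_ta": f"root-key-sentinel-not-ta-{tag}.{zone}",
        # Assumption: a name in the zone whose signature is deliberately broken.
        "invalid": f"invalid.{zone}",
    }


# Resolver classes from RFC 8509, keyed by (is_ta, not_ta, invalid).
CLASSES = {
    (True, False, False): "Vnew",  # validates, key is a trust anchor
    (False, True, False): "Vold",  # validates, key is NOT a trust anchor
    (True, True, False): "Vind",   # validates, no sentinel support
    (True, True, True): "nonV",    # does not validate at all
}


def classify(probe: Probe) -> str:
    """Any other combination (e.g. mixed resolvers) is 'other'."""
    return CLASSES.get(tuple(probe), "other")


if __name__ == "__main__":
    # Constructed observations, not measurements from real resolvers.
    samples = {
        "resolver-a": Probe(True, False, False),
        "resolver-b": Probe(False, True, False),
        "resolver-c": Probe(True, True, False),
    }
    print(sentinel_names(NEW_KSK_TAG))
    for name, probe in samples.items():
        print(name, classify(probe))
```

A `Vold` result is the one operators need to act on: the resolver validates DNSSEC but has not yet loaded the new KSK as a trust anchor. `Vind` means the resolver validates but does not implement the sentinel, so its trust anchor state has to be checked another way.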