Root KSK rollover


Root KSK rollover

ICANN is planning to perform a Root Zone Domain Name System Security Extensions (DNSSEC) KSK rollover as required in the Root Zone KSK Operator DNSSEC Practice Statement.

Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root’s “trust anchor.” The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet’s DNS.

Maintaining an up-to-date KSK is essential to ensuring DNSSEC-signed domain names continue to validate following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-enabled validators will be unable to verify that DNS responses have not been tampered with and thus will return an error response to all DNSSEC-signed queries.

“The root was signed for the first time in 2010 and best practices indicate that cryptographic keys must be changed at reasonable intervals. The root KSK rollover implies a huge challenge due to the scale of the Internet. This rollover process initiated by the community will take place during 2017, and its timing will be handled so that Internet operators will not be affected,” said Carlos Martínez, LACNIC CTO and community representative to the Root Signing Ceremony.

More information and

Notify of

Inline Feedbacks
View all comments