Changing the Signing Key (KSK) for the DNS root servers

   9/21/2017

ICANN/IANA is planning to implement the first “root KSK rollover”, i.e. the root zone’s key signing key (KSK) will be changed. DNSSEC validators configure this key as the trust anchor, i.e. the trusted starting point, for DNSSEC validation. ICANN/IANA is planning to start using the new root zone trust anchor (referred to as KSK-2017) to sign the root zone apex DNSKEY records on 11 October 2017. Once the keys have been changed, network operators and other entities that perform DNSSEC validation will need to update their systems with the new keys to ensure that DNSSEC-validating DNS resolvers continue to function following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.

For more information and the actions to be performed by DNSSEC validators (i.e., those operating validating DNS resolvers), please see these links:

https://www.apnic.net/manage-ip/apnic-services/dnssec/keyroll
https://www.icann.org/resources/pages/ksk-rollover
https://kb.isc.org/article/AA-01525/0/Root-KSK-Rollover-in-BIND.html