Root Zone KSK (Key Sign Key) Rollover to resolve DNS queries was successfully completed

2 min read

Yesterday, ICANN (Internet Corporation for Assigned Names and Numbers) announced that the root KSK roll has occurred at 1600 UTC.

ICANN is an organization that ensures a stable, secure and unified global Internet by coordinating the maintenance and procedures of several databases related to the namespaces and numerical spaces of the Internet.

What is a Root KSK (Key Sign Key) Rollover?

The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet’s DNS.

Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers including,

  • Internet Service Providers
  • Enterprise network administrators and other Domain Name System (DNS) resolver operators
  • DNS resolver software developers
  • System integrators, and
  • Hardware and software distributors who install or ship the root’s ‘trust anchor’

Maintaining an up-to-date KSK is important to ensure that DNSSEC-validating DNS resolvers continue to function following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.

Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.

Details of the KSK Rollover

KSK Rollover operations started in October 2016 and were scheduled for October 2017. However, ICANN announced that the rollover has been postponed stating, “a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators are not yet ready for the Key Rollover.”

Later, a draft plan was announced on February 1, 2018, after receiving input from the community. The date put forward to initiate the procedure was October 11, 2018. Per ICANN, the rollover is necessary to curb the rising number of cyber attacks.

In an official statement, Communications Regulatory Authority said, “To further clarify, some internet users might be affected if their network operators or Internet Service Providers (ISPs) have not prepared for this change. However, this impact can be avoided by enabling the appropriate system security extensions.”.

To know more about this news in detail, visit the main rollover page on ICANN’s website.

Read Next

RedHat shares what to expect from next week’s first-ever DNSSEC root key rollover

Baidu Security Lab’s MesaLink, a cryptographic memory safe library alternative to OpenSSL

Google Titan Security key with secure FIDO two factor authentication is now available for purchase