Preparing for the KSK Rollover
The Internet Corporation for Assigned Names and Numbers (ICANN) is currently scheduled to change the DNS root zone’s key-signing key (KSK). This process is called a KSK rollover. As specified in the operational plans [1], the KSK rollover is currently scheduled to take place on October 11, 2018, subject to final approval by the ICANN Board of Directors.
Every Domain Name System Security Extensions (DNSSEC) validator on the internet requires a trust anchor. This is a key, or a hash of a key, that corresponds to the root zone KSK(s). Whenever a KSK rollover occurs, DNSSEC validators must update their trust anchors to include the new key. The design of DNSSEC includes a mechanism, commonly referred to as RFC 5011 [2], whereby validators can automatically update their trust anchors. Because this is the first operational root KSK rollover, RFC 5011 has never been tested in production.
Starting in 2017, a few popular recursive DNS resolvers implemented a feature defined in RFC 8145, “Signaling Trust Anchor Knowledge in DNSSEC” [3]. If a DNSSEC validator supports RFC 8145 and the feature is enabled, it sends periodic reports of its trust anchor configuration to one of the root name servers.
Verisign, as an operator of root name servers, receives some of this RFC 8145 data. We regularly analyze the data to identify sources that appear to have an out-of-date trust anchor configuration. We are in the process of reaching out to operators of validating name servers that appear to be out-of-date. These validating name servers could experience DNS resolution failures after the KSK rollover which is planned to occur on October 11, 2018.
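The two paragraphs above describe RFC 8145 signaling and the analysis that picks out validators still reporting only the old trust anchor. The following is an added example, not Verisign's analysis code: it parses the RFC 8145 query-name signal (a leftmost label of the form `_ta-xxxx[-yyyy]`, where each group is a four-digit hexadecimal key tag; the 2010 root KSK has key tag 19036 = 0x4a5c and the 2017 KSK has key tag 20326 = 0x4f66) out of constructed query-log lines and buckets each source address by which root KSKs it has signaled. The `client qname qtype` log format is assumed for illustration and is not any particular server's log layout.

```python
"""
Added example (not Verisign's code): classify RFC 8145 trust-anchor signals
seen at a root server to find validators that report only the 2010 root KSK.

RFC 8145 query-name signaling: the validator sends a query whose leftmost
label is "_ta-" followed by the hex-encoded key tags of the trust anchors it
holds, separated by "-", e.g. "_ta-4a5c-4f66".
"""
import re
from collections import defaultdict

KSK_2010 = 19036   # key tag of the 2010 root KSK (hex 4a5c)
KSK_2017 = 20326   # key tag of the 2017 root KSK (hex 4f66)

# One or more four-hex-digit key tags after "_ta"; case-insensitive to be
# tolerant of non-conforming senders.
TA_LABEL = re.compile(r"^_ta(?:-[0-9a-f]{4})+$", re.IGNORECASE)


def parse_ta_label(qname: str):
    """Return the set of key tags signaled in qname, or None if it is not a signal."""
    first = qname.rstrip(".").split(".")[0]
    if not TA_LABEL.match(first):
        return None
    return {int(h, 16) for h in first.split("-")[1:]}


# Constructed sample log in an assumed "client qname qtype" format.
SAMPLE_LOG = """\
192.0.2.10 _ta-4a5c. NULL
192.0.2.10 www.example.com. A
198.51.100.7 _ta-4a5c-4f66. NULL
203.0.113.5 _ta-4f66. NULL
192.0.2.10 _ta-4a5c. NULL
203.0.113.9 _ta-4A5C. NULL
"""


def collect_signals(log_text: str):
    """Map each client address to the union of key tags it has signaled."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        tags = parse_ta_label(parts[1])
        if tags is not None:
            seen[parts[0]] |= tags
    return dict(seen)


def classify(seen, old_tag=KSK_2010, new_tag=KSK_2017):
    """Bucket clients: 'old_only' are candidates for outreach; 'both' and
    'new_only' already know the new KSK; 'other' signaled neither tag."""
    out = {"old_only": [], "both": [], "new_only": [], "other": []}
    for addr, tags in sorted(seen.items()):
        if old_tag in tags and new_tag in tags:
            out["both"].append(addr)
        elif old_tag in tags:
            out["old_only"].append(addr)
        elif new_tag in tags:
            out["new_only"].append(addr)
        else:
            out["other"].append(addr)
    return out


if __name__ == "__main__":
    report = classify(collect_signals(SAMPLE_LOG))
    for bucket, addrs in report.items():
        print(f"{bucket:9s} {', '.join(addrs) or '-'}")
```

The union across a client's signals matters: a resolver that has already added the new key still reports the old one until it is retired, so a source that has ever signaled 0x4f66 is not out of date. The address seen at a root server is whoever forwarded the query there, which may be an upstream resolver in front of the validator that actually generated the signal; that is why the page says such sources "appear to" have an out-of-date configuration rather than treating the list as conclusive.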
In advance of the KSK rollover, Verisign is conducting a multi-faceted technical outreach program as a root server operator, a registry operator, and as the Root Zone Maintainer to help ensure the security, stability, and resiliency of the internet. Building on ICANN’s previous outreach effort [4], Verisign is coordinating with US-CERT and other national CERTs, industry partners, various DNS operator groups, and performing direct outreach to out-of-date signalers.
The data below, organized by either geographical origin or by network operator (ASN), contains a list of addresses that have reported only the old trust anchor.
Steps You Can Take
If you have not updated your trust anchor, or you appear on the list above, you need to take action to avoid DNS resolution problems on or after October 11, 2018.
Please visit the following pages on ICANN’s website to learn more about updating your validator with the latest trust anchor:
- Checking the Current Trust Anchors in DNS Validating Resolvers
- Updating of DNS Validating Resolvers with the Latest Trust Anchor
- Managing the Root KSK Rollover, Step by Step for Operators
For additional material regarding the KSK rollover, useful tools, and reference guides please review the following pertinent sites:
- Root Zone KSK Rollover
- ICANN’s RFC 8145 Root Trust Anchor Reports
- Operational Plans for the Root KSK Rollover
- Quick Guide: Prepare Your Systems for the Root KSK Rollover
- DNSSEC Informational Page
- DNSSEC for Everybody - A Beginner's Guide (ICANN55)
- Prepare Your Systems for the Root KSK Rollover
- Keyroller Testbed
- BIND Root KSK Rollover
- KNOT DNSSEC Key Rollover
- Keyrolling Demo Tool
- RFC 5011 with OpenDNSSEC, BIND, and Unbound
- Automatic installation of new DNSSEC trust anchor
- Manual Trust anchor installation for new root KSK
Verisign is offering assistance and guidance to address this issue if needed. Please contact Verisign at KSKRollover@verisign.com or +1-703-376-0005 for assistance.