Verisign Labs
KSK Rollover

Preparing for the KSK Rollover

Update

On October 11th 2018, ICANN and Verisign, as the Root Zone Maintainer, performed a Root Zone Domain Name System Security Extensions (DNSSEC) KSK rollover as required in the Root Zone KSK Operator DNSSEC Practice Statement. The rollover was completed on time and without significant issues; however, the rollover will not officially be complete until KSK-2010 is revoked and no longer published in the zone in late March 2019. The remainder of this page is retained for historical reference.


The Internet Corporation for Assigned Names and Numbers (ICANN) is currently scheduled to change the DNS root zone’s key-signing key (KSK). This process is called a KSK rollover. As specified in the operational plans[1], the KSK rollover is currently scheduled to take place on October 11, 2018, subject to final approval by the ICANN Board of Directors.

Every Domain Name System Security Extensions (DNSSEC) validator on the internet requires a trust anchor. This is a key, or a hash of a key, that corresponds to the root zone KSK(s). Whenever a KSK rollover occurs, DNSSEC validators must update their trust anchors to include the new key. The design of DNSSEC includes a mechanism, commonly referred to as RFC 5011[2], whereby validators can automatically update their trust anchors. Because this is the first operational root KSK rollover, RFC 5011 has never been tested in production.

Starting in 2017, a few popular recursive DNS resolvers implemented a feature defined in RFC 8145, “Signaling Trust Anchor Knowledge in DNSSEC”[3]. If a DNSSEC validator supports RFC 8145 and the feature is enabled, it sends periodic reports of its trust anchor configuration to one of the root name servers.

Verisign, as an operator of root name servers, receives some of this RFC 8145 data. We regularly analyze the data to identify sources that appear to have an out-of-date trust anchor configuration. We are in the process of reaching out to operators of validating name servers that appear to be out-of-date. These validating name servers could experience DNS resolution failures after the KSK rollover, which is planned to occur on October 11, 2018.
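As an added illustration of the analysis described above (example code, not Verisign’s own tooling), the following Python parses RFC 8145 key-tag signaling queries from constructed root-server log lines and flags sources that have reported only the old trust anchor. The root KSK key tags 19036 (KSK-2010) and 20326 (KSK-2017) and the log line format are assumptions not taken from this page.

```python
import re
from collections import defaultdict

# Key tags of the two root KSKs (assumed, not stated on the page): KSK-2010 = 19036
# (hex 4a5c), KSK-2017 = 20326 (hex 4f66).
KSK_2010 = 19036
KSK_2017 = 20326
# RFC 8145 key-tag signaling QNAME: "_ta-" then the validator's configured key tags
# as 4-digit lowercase hex, joined by "-", directly under the root.
TA_QNAME = re.compile(r"^_ta(?:-[0-9a-f]{4})+\.?$")

def parse_signal(qname):
    """Key tags carried by an RFC 8145 QNAME, or None if it is not a signaling query."""
    name = qname.lower()
    if not TA_QNAME.match(name):
        return None
    return {int(tag, 16) for tag in name.rstrip(".").split("-")[1:]}

def classify(tags):
    """Classify a source's union of reported key tags against the root KSKs."""
    if KSK_2017 in tags:
        return "current"       # knows KSK-2017: keeps validating after the rollover
    if KSK_2010 in tags:
        return "out-of-date"   # only the old KSK: resolution failures expected
    return "unrecognized"      # reports a key tag that is not a root KSK

def summarize(log_lines):
    """Per-source classification; constructed log format: '<src-ip> <qname> <class> <type>'."""
    reported = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        tags = parse_signal(fields[1]) if len(fields) >= 2 else None
        if tags is not None:
            reported[fields[0]] |= tags  # union across all of this source's reports
    return {src: classify(tags) for src, tags in reported.items()}

def out_of_date_sources(log_lines):
    """Sorted addresses that reported the old trust anchor but never the new one."""
    return sorted(s for s, st in summarize(log_lines).items() if st == "out-of-date")

# Constructed sample log lines (documentation addresses), not real root-server data.
SAMPLE_LOG = [
    "192.0.2.10 _ta-4a5c. IN NULL",
    "192.0.2.10 _ta-4a5c. IN NULL",
    "198.51.100.7 _ta-4a5c-4f66. IN NULL",
    "203.0.113.5 _ta-4f66. IN NULL",
    "203.0.113.9 _ta-abcd. IN NULL",
    "192.0.2.99 www.example.com. IN A",
]
```

Calling `out_of_date_sources(SAMPLE_LOG)` yields the one source that signaled only KSK-2010; ordinary queries and reports that include KSK-2017 are ignored.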

Technical Outreach

In advance of the KSK rollover, Verisign is conducting a multi-faceted technical outreach program as a root server operator, a registry operator, and the Root Zone Maintainer to help ensure the security, stability, and resiliency of the internet. Building on ICANN’s previous outreach effort[4], Verisign is coordinating with US-CERT and other national CERTs, industry partners, and various DNS operator groups, and is performing direct outreach to out-of-date signalers.

The data below, organized by either geographical origin or by network operator (ASN), contains a list of addresses that have reported only the old trust anchor.

https://www.verisignlabs.com/KSKRollover/asn.html
https://www.verisignlabs.com/KSKRollover/country.html

Steps You Can Take

If you have not updated your trust anchor, or you appear on the list above, you need to take action to avoid DNS resolution problems on or after October 11, 2018.

Please visit the following page on ICANN’s website to learn more about updating your validator with the latest trust anchor:

For additional material regarding the KSK rollover, useful tools, and reference guides, please review the following sites:

Verisign is offering assistance and guidance to address this issue if needed. Please contact Verisign at KSKRollover@verisign.com or +1-703-376-0005 for assistance.

[1] https://www.icann.org/resources/pages/ksk-rollover-operational-plans
[2] https://tools.ietf.org/html/rfc5011
[3] https://tools.ietf.org/html/rfc8145
[4] https://www.icann.org/en/system/files/files/2018-ksk-outreach-plan.pdf