The procedure for the DNS Root Zone KSK DNSSEC rollover is scheduled for October 11, 2017. The DNSSEC protocol stipulates a cryptographic key pair for each zone: a zone signing key (ZSK) and a key signing key (KSK). Thus, the Root Zone KSK DNSSEC is the top of the global network’s DNSSEC hierarchy. While the Root Zone ZSK is updated by ICANN and the Verisign company quarterly, the KSK has never been rotated since it was put in place in 2010.
It is a technically complicated and extremely important process. “Currently, 750 million people are using DNSSEC-validated resolvers that could be affected by the KSK rollover,” said ICANN’s Vice President of Research, Matt Larson. If the DNS resolvers supporting DNSSEC fail to support the new KSK by the required deadline, the end users might have problems accessing the internet. To prevent that, ICANN has created a test platform for network operators and all sides concerned to make sure their DNS systems can handle the KSK update automatically. This follows from ICANN’s official announcement. Check to see if your systems are ready by visiting go.icann.org/KSKtest.
