Root Zone KSK Rollover

Posted by Richard McKenzie on 8 May 2017

One of the internet’s most vital pieces of security infrastructure will soon be updated for the first time: ICANN is changing the Root Zone Key Signing Key (KSK), a cryptographic key pair that helps ensure web users reach legitimate websites and are not redirected to malicious sites. Last October, the rollover process began with a new, stronger 2048-bit key pair generated at a secure ICANN facility. These keys are a public-private pair which play an important role in the Domain Name System Security Extensions (DNSSEC).

But the new keys will not be implemented overnight. The transition to the new KSK is being undertaken in a carefully controlled manner, with the process taking place in stages throughout 2017 and 2018. The new KSK is planned to be deployed into operation on October 11, 2017.

In order for DNSSEC to continue working, operators of validating resolvers — primarily internet service providers (ISPs) — need to update the root public key (as a trust anchor) on their resolver. This public key is now available and can be used to update systems at any time. Failure to do so by January 11, 2018 will cause all DNS lookups performed by non-updated validating resolvers to fail.

Who runs a validating resolver?

Currently, about 25 per cent of global internet users access DNSSEC-validating resolvers that could be affected by the KSK rollover. Resolver operators are not required to run a validating resolver, and many do not at this stage of DNSSEC deployment; those that do, however, need to ensure they comply with these changes.

What changes do operators of validating resolvers need to make?

Operators running a validating resolver must update their name server software, or ensure their name server software complies with RFC 5011.

Systems already compliant with RFC 5011 will automatically update the KSK at the appropriate time. Systems that do not support automated updates must be configured manually using the new KSK, available here. Systems can be updated at any time prior to the October 2017 rollover using the new public KSK published in February 2017.

ICANN has launched a Testing Platform, accessible through the ICANN website, so operators can check whether their systems are ready.

How is auDA impacted?

As auDA is an authoritative name server operator, we do not run public resolvers, and as such do not need to update our name server software. However, .au can be impacted if users attempt to visit a DNSSEC-signed .au website using a non-updated validating resolver after the January 2018 rollover end date. For those users, websites, email addresses and other domains will fail to function.

What to do next

If you are operating a validating resolver, check whether your systems are RFC 5011 compliant. If so, they will automatically update to the new KSK with no noticeable interruption. If they are not RFC 5011 compliant, ensure the new KSK is updated in the system prior to October 11, 2017. If systems are not updated by January 11, 2018, they may behave as if websites, email addresses and all other domains do not exist.
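As an added example (not part of the original auDA post) covering the checks described under "What changes do operators of validating resolvers need to make?" and "What to do next", the following Python script computes DNSKEY key tags per RFC 4034 Appendix B and reports whether a resolver's root trust anchor file contains the new KSK and, for an unbound-style root.key file maintained by RFC 5011 automated updates, which state that key has reached. The function names are my own, and the sample file uses tiny constructed keys rather than real root KSK material.

```python
import base64
import re

SEP_FLAG = 0x0001                      # DNSKEY flag bit: Secure Entry Point, i.e. a KSK
STATE_RE = re.compile(r";;state=(\d+)")
RFC5011_STATE = {0: "PENDING", 1: "PENDING", 2: "VALID", 3: "MISSING",
                 4: "REVOKED", 5: "REMOVED"}   # unbound autotrust key states

def dnskey_keytag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_trust_anchors(text):
    """Parse DNSKEY lines (zone-file style or unbound root.key) into dicts."""
    anchors = []
    for raw in text.splitlines():
        record, _, comment = raw.partition(";")   # RFC 5011 state lives in the comment
        fields = record.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        state = STATE_RE.search(comment)
        anchors.append({"owner": fields[0], "algorithm": alg,
                        "is_ksk": bool(flags & SEP_FLAG),
                        "keytag": dnskey_keytag(flags, proto, alg, pubkey),
                        "state": int(state.group(1)) if state else None})
    return anchors

def root_ksk_status(text, new_keytag):
    """MISSING if the new root KSK is absent, STATIC if configured by hand, else its RFC 5011 state."""
    for a in parse_trust_anchors(text):
        if a["owner"] == "." and a["is_ksk"] and a["keytag"] == new_keytag:
            if a["state"] is None:
                return "STATIC"
            return RFC5011_STATE.get(a["state"], "UNKNOWN")
    return "MISSING"

# Constructed sample root.key (fake 3-byte keys, not real root KSK material).
# Against a real file, pass the key tag of the KSK as published by ICANN.
SAMPLE_ROOT_KEY = """\
; autotrust trust anchor file (constructed sample)
. 172800 IN DNSKEY 257 3 8 AQAB ;{id = 1545 (ksk)} ;;state=2 [  VALID  ] ;;count=0
. 172800 IN DNSKEY 257 3 8 AQID ;{id = 2059 (ksk)} ;;state=1 [ ADDPEND ] ;;count=10
"""
```

A key still in PENDING state has been seen but not yet passed the RFC 5011 hold-down timer, so it cannot validate signatures yet; STATIC means the operator must replace the anchor by hand before the rollover completes.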

ICANN Root Zone KSK Rollover information page

Download the new root zone KSK here.

Access the ICANN Testing Platform here.