
Operational Update Regarding the KSK Rollover for Administrators of Recursive Name Servers

The Internet Corporation for Assigned Names and Numbers (ICANN) plans to change the cryptographic key that helps to secure the internet’s Domain Name System (DNS) by performing a Root Zone Domain Name System Security Extensions (DNSSEC) key signing key (KSK) rollover, currently scheduled for October 11, 2018.

The root zone KSK rollover was originally scheduled to take place in October 2017, but ICANN decided to postpone it in light of newly available data at the time from recursive name servers.[1] This data showed that a small population of recursive servers did not update their trust anchors as expected. Users of those recursive servers could experience resolution failures when the KSK rollover occurs.

Since then, ICANN has undertaken efforts to determine if and when the KSK rollover should proceed. Earlier this year, it began contacting operators of recursive servers that reported only the old trust anchor. However, in many cases, a responsible party could not be identified, due in large part to dynamic addressing of ISP subscribers. Also, late last year, ICANN began receiving trust anchor signaling data from more root server operators, as well as data from more recursive name servers as those servers were updated to software versions that provide these signals. ICANN makes this data publicly available.[2] As of now, percentages are relatively stable at roughly 7% of reporters still signaling the 2010 trust anchor.

After soliciting community feedback,[3] ICANN now plans to take the next step of rolling the Root KSK on October 11th, 2018, subject to final approval by the ICANN Board of Directors. This date was chosen to give the community time to review the plan and attempt to get more validating resolver operators ready for the rollover.[4]

In advance of the KSK rollover, Verisign is conducting a multi-faceted technical outreach program as a root server operator, a registry operator, and as the Root Zone Maintainer to help ensure the security, stability, and resiliency of the internet. Building on ICANN’s previous outreach effort, Verisign is coordinating with US-CERT and other national CERTs, industry partners, and various DNS operator groups, and is performing direct outreach to out-of-date signalers. See Verisign.com/KSKRollover.

If you operate a recursive name server, we strongly encourage you to check your trust anchor configuration immediately. ICANN provides instructions for monitoring the current trust anchors in DNS validating resolvers,[5] which will walk you through the process to update the trust anchor for your servers. To remain informed about the rollover schedule, visit https://www.icann.org/resources/pages/ksk-rollover.
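Operators who can see the queries their resolvers send upstream can also read the trust anchor signal discussed above directly. The following is an added example, not code from Verisign or ICANN: it assumes the RFC 8145 key tag query format (`_ta-` followed by hexadecimal key tags, query type NULL) and the root KSK key tags 19036 (KSK-2010) and 20326 (KSK-2017), neither of which is stated on this page, and it runs over a constructed three-column log.

```python
import re
from collections import Counter

# Root KSK key tags (assumption: taken from public root zone data, not from this page).
KSK_2010, KSK_2017 = 19036, 20326

# RFC 8145 key tag query name: "_ta-" + hyphen-separated 4-hex-digit key tags.
TA_QNAME = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.?$", re.IGNORECASE)

def parse_signal(qname):
    """Return the set of key tags signalled by qname, or None if it is not a signal."""
    m = TA_QNAME.match(qname.strip())
    if not m:
        return None
    return {int(tag, 16) for tag in m.group(1).split("-")}

def classify(tags):
    if KSK_2017 in tags:
        return "ready"      # new anchor trusted, alone or alongside the old one
    if KSK_2010 in tags:
        return "old-only"   # only the 2010 anchor: at risk of resolution failures
    return "unknown"        # signals neither root KSK

def summarize(log_lines):
    """Map each resolver to the status of its latest signal, and count the statuses."""
    latest = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        resolver, qname, qtype = parts
        tags = parse_signal(qname)
        if tags is None or qtype.upper() != "NULL":
            continue  # ordinary query, not a trust anchor signal
        latest[resolver] = classify(tags)
    return latest, Counter(latest.values())

# Constructed sample log, "<resolver> <qname> <qtype>", using documentation addresses.
SAMPLE_LOG = [
    "192.0.2.10 _ta-4a5c. NULL",
    "192.0.2.11 _ta-4a5c-4f66. NULL",
    "192.0.2.12 _ta-4f66. NULL",
    "192.0.2.10 example.com. A",
    "198.51.100.7 _ta-4A5C NULL",
    "192.0.2.12 garbage",
]

if __name__ == "__main__":
    status, counts = summarize(SAMPLE_LOG)
    for resolver, state in sorted(status.items()):
        print(resolver, state)
    print(dict(counts))
```

A resolver that sends no signal at all is not covered by this check; its trust anchors still need to be verified using the ICANN instructions.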

[1] https://blog.verisign.com/domain-names/root-zone-ksk-rollover-postponed/
[2] http://root-trust-anchor-reports.research.icann.org/
[3] https://www.icann.org/public-comments/ksk-rollover-restart-2018-02-01-en
[5] https://www.icann.org/dns-resolvers-checking-current-trust-anchors

By Verisign, A Global Provider of Critical Internet Infrastructure and Domain Name Registry Services

Verisign, a global provider of domain name registry services and internet infrastructure, enables internet navigation for many of the world’s most recognized domain names. Verisign enables the security, stability, and resiliency of key internet infrastructure and services, including providing root zone maintainer services, operating two of the 13 global internet root servers, and providing registration services and authoritative resolution for the .com and .net top-level domains, which support the majority of global e-commerce. To learn more about what it means to be Powered by Verisign, please visit Verisign.com.
