September 5, 2017

ICANN to Conduct Root Zone KSK Rollover

A major advantage of the .BANK and .INSURANCE domains (collectively “fTLD Domain”) is trust and security. That security comes from technologies that must be implemented for any fTLD Domain that resolves (i.e., serves content) on the internet, and one such requirement is Domain Name System Security Extensions (DNSSEC). DNSSEC is implemented by a Domain Name System (DNS) service provider, which can be an in-house operation or a third-party hosting service.

In early October, the Internet Corporation for Assigned Names and Numbers (ICANN) will perform a cryptographic rollover of the Root Zone Key Signing Key (KSK) used for DNSSEC. This important DNSSEC activity for our trusted communities requires DNSSEC-validating resolvers to be updated with the new KSK. This ensures that, once the new keys are generated, a public user who attempts to visit a website hosted on an fTLD Domain can still validate its DNS responses against the new KSK.

Maintaining an up-to-date KSK is essential to ensuring DNSSEC-signed domain names continue to validate following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-enabled validators will be unable to verify that DNS responses have not been tampered with and will return an error response to all DNSSEC-signed queries.

Approximately one-in-four global internet users (750 million people) may be affected by the KSK rollover based on their need to access DNSSEC-signed domain names.

fTLD Domain registrants (domain name owners) are not required to take any action, though they may want to contact their DNS service providers to ensure the DNSSEC change is being addressed. fTLD has notified its approved third-party providers of DNS services to ensure they’re prepared for the Root Zone Key Signing Key (KSK) rollover.

Network Operators who update DNSSEC-enabled resolver trust anchor configurations manually should ensure that the new root zone KSK is configured before October 11, 2017. Check your DNS resolver systems prior to the KSK rollover.

If your organization operates its own DNS: ICANN has provided a free testbed tool available on its website (see to help you determine whether your system handles automated updates properly.

If your organization uses a third-party DNS hosting service: Contact your DNS host customer support and confirm they are aware of the KSK rollover and are taking appropriate actions to update their DNSSEC resolvers to avoid any potential loss of service or functionality.
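For operators who maintain resolver trust anchors by hand, the practical check is whether the new root KSK (identified by its key tag) is present in the resolver's trust-anchor set. The script below is an added example, not fTLD's or ICANN's code: it parses presentation-format DNSKEY records (as printed by `dig . DNSKEY` or stored in Unbound's root.key), computes each key's RFC 4034 key tag, and reports which non-revoked root KSKs are trusted. The sample records and expected tag 38089 are constructed for the example; against a real root.key you would pass the published tag of KSK-2017, which is 20326.

```python
import base64

# Constructed sample, NOT the real root zone keys: two KSKs (flags 257) and one
# ZSK (flags 256). Format matches `dig . DNSKEY` output and Unbound's root.key;
# a real check would read the resolver's trust-anchor file instead.
SAMPLE_DNSKEYS = """\
. 172800 IN DNSKEY 257 3 8 CgsM      ; old KSK (constructed)
. 172800 IN DNSKEY 257 3 8 ECAw QFBg ; new KSK (constructed, key split across tokens)
. 172800 IN DNSKEY 256 3 8 /+7d      ; ZSK, never a trust anchor
"""

FLAG_SEP = 0x0001     # Secure Entry Point bit: set on KSKs
FLAG_REVOKE = 0x0080  # RFC 5011 REVOKE bit: set on a key being withdrawn
NEW_ROOT_KSK_TAG = 20326  # key tag of the real KSK-2017 (use with a real root.key)


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text: str) -> list:
    """Parse presentation-format DNSKEY RRs; ';' comments and other lines are skipped."""
    keys = []
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        pub = base64.b64decode("".join(tokens[i + 4:]))  # key may span several tokens
        keys.append({"owner": tokens[0], "flags": flags, "alg": alg,
                     "tag": key_tag(flags, proto, alg, pub),
                     "ksk": bool(flags & FLAG_SEP),
                     "revoked": bool(flags & FLAG_REVOKE)})
    return keys


def check_root_trust_anchors(text: str, expected_tag: int) -> dict:
    """List non-revoked root KSK tags in a trust-anchor file and whether expected_tag is there."""
    ksks = [k for k in parse_dnskeys(text)
            if k["owner"] == "." and k["ksk"] and not k["revoked"]]
    tags = sorted(k["tag"] for k in ksks)
    return {"ksk_tags": tags, "has_new_ksk": expected_tag in tags}
```

A key whose REVOKE bit is set (flags 385 for a KSK) is excluded from the trusted set, which is what a resolver should do after the old KSK is revoked in January 2018.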

The KSK rollover will occur in a phased approach. The important dates are:

  • July 11, 2017: New KSK published in DNS
  • September 19, 2017: Size increase for DNSKEY response from root name servers
  • October 11, 2017: New KSK begins to sign the root zone key set
  • January 11, 2018: Revocation of old KSK
  • March 22, 2018: Last day the old KSK appears in the root zone
  • August 2018: Old key is deleted from equipment in both ICANN Key Management Facilities

To learn more about the KSK rollover, check out ICANN’s video here.

By Adam Palmer, Financial Services Roundtable/BITS Cybersecurity Advisor to fTLD