The first-ever rollover of the key used to sign the Domain Name System’s DNSSEC security extensions has been hailed as a success by ICANN.
As eco reported in advance and warned members about, the new key, KSK 2017, was taken into operation on 11 October. Given that the Key Signing Key (KSK) had never before been replaced, there had been concerns that some validating resolvers would not be ready, potentially resulting in a systemic failure. According to ICANN, the few issues which did arise in conjunction with the rollover were minimal and quickly mitigated.
“This successful exercise of the infrastructure necessary to roll the root zone’s key has demonstrated it is possible to update the key globally,” David Conrad, ICANN’s Chief Technology Officer, is quoted as saying on the ICANN website. “It also provided important insights that will help us with future key rolls.”
As a result, ICANN now plans to go through with the further steps in the procedure: revoking the old key, KSK 2010, during the next key ceremony in early 2019.
Further information about the rollover can be found on the ICANN page www.icann.org/resources/pages/ksk-rollover