ICANN to Conduct Root Zone KSK Rollover
A major advantage of the .BANK and .INSURANCE domains (collectively “fTLD Domain”) is trust and security. The security of an fTLD Domain is the result of technologies that must be implemented for domains that resolve (i.e., serve content) on the internet and one such requirement is Domain Name System Security Extensions (DNSSEC). DNSSEC is implemented by a Domain Name System (DNS) service provider and can be done in-house or with a third-party hosting service.
In early October, the Internet Corporation for Assigned Names and Numbers (ICANN) will perform a Root Zone Key Signing Key (KSK) cryptographic rollover for DNSSEC. This important DNSSEC activity for our trusted communities requires an update to the DNSSEC resolvers. This assures that once the new keys are generated, a public user who attempts to visit a website hosted on an fTLD Domain can validate against the new KSK key.
Maintaining an up-to-date KSK is essential to ensuring DNSSEC-signed domain names continue to validate following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-enabled validators will be unable to verify that DNS responses have not been tampered with and will return an error response to all DNSSEC-signed queries.
Approximately one-in-four global internet users (750 million people) may be affected by the KSK rollover based on their need to access DNSSEC-signed domain names.
The KSK rollover will occur in a phased approach. The important dates are:
- July 11, 2017: New KSK published in DNS
- September 19, 2017: Size increase for DNSKEY response from root name servers
- October 11, 2017: New KSK begins to sign the root zone key set
- January 11, 2018: Revocation of old KSK
- March 22, 2018: Last day the old KSK appears in the root zone
- August 2018: Old key is deleted from equipment in both ICANN Key Management Facilities
To learn more about the KSK rollover, check out ICANN’s video here.
By Adam Palmer, Financial Services Roundtable/BITS Cybersecurity Advisor to fTLD