The Internet Corporation for Assigned Names and Numbers (ICANN) is pleased to announce that the Internet Assigned Numbers Authority (IANA) will generate a new root zone key signing key (KSK) used by the Domain Name System Security Extensions (DNSSEC). DNSSEC ensures that the information received from the DNS about a domain name is authentic. It helps make the Internet safer for its billions of users.
Generation of the new key is planned to occur during the 49th KSK Ceremony on 27 April 2023. The key will be replicated to an alternate facility in the third quarter of 2023. IANA plans to pre-publish the key in the DNS, starting in January 2024. It will be held in standby for about two years, during which ICANN will conduct an extensive outreach campaign to ensure a seamless transition to the new key for the global Internet community.
The first time a key changed, an event referred to as a rollover, was in 2018, following several years of consultation, design, and testing. To learn more, click here. This rollover was considered a success, and this generation of a new key is the first step in the next iteration of that plan.
The security and stability of the DNS requires the capability to change keys. Rollovers of the root KSK, which is the process of replacing one key with another, exercise these mechanisms to ensure ongoing operational readiness.
The new key will use the same cryptographic algorithm and key size that is used currently. A separate project is underway to design the process for changing the algorithm used to sign the root zone which will inform future changes in this area.
You can subscribe to the ksk-rollover mailing list to join the public discussions related to changing the root key signing key.