A significant milestone has been reached in ICANN’s ongoing effort to change the cryptographic key that helps protect the Domain Name System (DNS).
On 11 July 2017, the new DNSSEC Key Signing Key (KSK-2017) appeared in the DNS, marking the first time a new key has been generated since 2010, when the first key (KSK-2010) was generated.
The generation of this new key is the result of a great deal of planning and outreach to ensure that network operators are ready for the “key roll” on 11 October 2017*, when the new key will be put to use.
This effort to change the keys began with a community design team, which met from March 2015 to October 2016. The team’s recommendations were posted in March 2016. Based upon those recommendations, ICANN’s final plans were posted a few months later (July 2016).
For more than a year, the ICANN organization has engaged in a comprehensive outreach campaign to help prepare the industry for the October rollover from KSK-2010 to KSK-2017. This campaign is ongoing, with our efforts increasing as the rollover date approaches.
The organization has also requested that government regulators across the globe assist in making certain that network operators in their respective countries are ready for the key roll.
For details on the KSK rollover project, please visit our dedicated Root Zone KSK Rollover webpage.
* Updated on 27 September: The key roll is being delayed because some recently obtained data shows that a number of resolvers used by Internet Service Providers and Network Operators are not yet ready for the key rollover. We are tentatively hoping to reschedule the root KSK roll for the first quarter of 2018, but it will be dependent on more fully understanding the new information and mitigating as many potential failures as possible.