ICANN Launches Testing Platform for the KSK Rollover
13 March 2017 – ICANN is offering a testing platform for network operators and other interested parties to confirm that their systems can handle the automated update process for the upcoming Root Zone Domain Name Systems Security Extensions (DNSSEC) Key Signing Key (KSK) rollover. The KSK rollover is currently scheduled for 11 October 2017.
"Currently, seven hundred and fifty million people are using DNSSEC-validating resolvers that could be affected by the KSK rollover," said ICANN's Vice President of Research, Matt Larson. "The testing platform is an easy way for operators to confirm that their infrastructure supports the ability to handle the rollover without manual intervention."
Internet service providers, network operators and others who have enabled DNSSEC validation must update their systems with the new KSK. This can be done in one of two ways:
- An operator can configure a new trust anchor manually by obtaining the new root zone KSK from the iana.org website at https://www.iana.org/dnssec/files.
- An operator can enable a feature available in many validating resolvers that automatically detects and configures a new root zone KSK as a trust anchor, in which case they need take no action.
Check to see if your systems are ready by visiting go.icann.org/KSKtest.
The KSK has been widely distributed and configured by every operator performing DNSSEC validation. If the validating resolvers using DNSSEC do not have the new key when the KSK is rolled, end users relying on those resolvers will encounter errors and be unable to access the Internet. A careful and coordinated effort is required to ensure that the update does not interfere with normal operations.
More information is available at www.icann.org/kskroll.