Skip to main content

A “Key” Milestone in Protecting the DNS

A significant milestone has been reached in ICANN’s ongoing effort to change the cryptographic key that helps protect the Domain Name System (DNS).

On 11 July 2017, the new DNSSEC Key Signing Key (KSK-2017) appeared in the DNS, marking the first time a new key has been generated since 2010, when the first key (KSK-2010) was generated.

The generation of this new key is the result of a great deal of planning and outreach to assure that network operators are ready for the “key roll” on 11 October 2017*, when the new key will be put to use.

This effort to change the keys began with a community design team, which met from March 2015 to October 2016. The team’s recommendations were posted on March 2016. Based upon those recommendations, ICANN’s final plans were posted a few months later (July 2016).

For more than a year, the ICANN organization has engaged in a comprehensive outreach campaign to help prepare the industry for the October rollover from KSK-2010 to KSK-2017. This campaign is ongoing, with our efforts increasing as the rollover date approaches.

The organization has also requested that government regulators across the globe assist in making certain that network operators in their respective countries are ready for the key roll.

For details on the KSK rollover project, please visit our dedicated Root Zone KSK Rollover webpage.

* Updated on 27 September: The key roll is being delayed because some recently obtained data shows that a number of resolvers used by Internet Service Providers and Network Operators are not yet ready for the key rollover. We are tentatively hoping to reschedule the root KSK roll for the first quarter of 2018, but it will be dependent on more fully understanding the new information and mitigating as many potential failures as possible.


    adminstratos  11:19 UTC on 12 August 2018


Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."