ICANN is Revoking the Old Key Signing Key This Week
If you followed the rollover to the new root zone Key Signing Key (KSK) on 11 October 2018, you might have thought the process is now complete. However, there are a few more important technical steps that need to take place before the KSK rollover is finished. One of those steps is revoking the old key, which will happen on 11 January 2019.
The root zone currently contains two KSKs: the old one (called "KSK-2010") and the new one (called "KSK-2017"). Since the rollover, only KSK-2017 is used for signing the root zone's key set, which is all the Domain Name System Security Extensions (DNSSEC) keys at the root. Now that KSK-2010 is no longer used to generate signatures, it is time to mark the key as revoked and remove it from the root zone.
Before we remove KSK-2010 from the zone altogether, we want to mark that key as revoked for all the resolvers that follow the "Automated Updates of DNSSEC Trust Anchors" standard (RFC 5011). By marking the old key as revoked, any system that uses RFC 5011 will see that KSK-2010 is no longer valid and will not trust that key in the future. The revocation mark will be visible until 22 March 2019, at which point KSK-2010 will be completely removed from the root zone forever.
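As an added illustration of the RFC 5011 step described above (example code, not ICANN's), the following Python models how a validating resolver recognizes a revoked trust anchor: the key material is constructed, the key tag follows RFC 4034 Appendix B, and RRSIG validation is assumed to have been done by the caller and passed in as a set of signing key tags.

```python
"""RFC 5011 revocation check for DNSKEY trust anchors (added example, constructed keys)."""
from dataclasses import dataclass

FLAG_ZONE = 0x0100    # key may sign zone data
FLAG_REVOKE = 0x0080  # RFC 5011 REVOKE bit
FLAG_SEP = 0x0001     # Secure Entry Point, i.e. a KSK


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int   # always 3 for DNSSEC
    algorithm: int
    pubkey: bytes

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag over the wire-format RDATA."""
        rdata = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey
        acc = 0
        for i, b in enumerate(rdata):
            acc += (b << 8) if i % 2 == 0 else b
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF

    def material(self) -> tuple:
        """Key identity with the REVOKE bit cleared: setting REVOKE changes the key tag."""
        return (self.flags & ~FLAG_REVOKE, self.protocol, self.algorithm, self.pubkey)


def revoked_anchors(trust_anchors, keyset, valid_signers):
    """Trust anchors that RFC 5011 section 2.1 says to revoke: the same key material is
    published with REVOKE set, and the DNSKEY RRset is signed by that revoked key itself."""
    published = {k.material(): k for k in keyset if k.flags & FLAG_REVOKE}
    return [ta for ta in trust_anchors
            if (k := published.get(ta.material())) is not None and k.key_tag() in valid_signers]


# Constructed stand-ins for KSK-2010 and KSK-2017 (not the real root keys).
KSK_OLD = DNSKEY(FLAG_ZONE | FLAG_SEP, 3, 8, bytes.fromhex("0301000100" * 4))
KSK_NEW = DNSKEY(FLAG_ZONE | FLAG_SEP, 3, 8, bytes.fromhex("0302000101" * 4))
KSK_OLD_REVOKED = DNSKEY(KSK_OLD.flags | FLAG_REVOKE, 3, 8, KSK_OLD.pubkey)
ROOT_KEYSET_AFTER_REVOCATION = [KSK_NEW, KSK_OLD_REVOKED]  # the extra self-RRSIG is what grows the key set


def anchors_after_update():
    """Resolver holding both KSKs processes the key set published on 11 January 2019."""
    anchors = [KSK_OLD, KSK_NEW]
    signed_by = {KSK_NEW.key_tag(), KSK_OLD_REVOKED.key_tag()}  # assume both RRSIGs verified
    revoked = revoked_anchors(anchors, ROOT_KEYSET_AFTER_REVOCATION, signed_by)
    return [a for a in anchors if a not in revoked]
```

A revoked key that is not also self-signed is ignored, so a spoofed REVOKE flag on its own cannot strip a resolver of its anchor.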
The revocation will cause the size of the root zone's key set to grow slightly. The ICANN organization does not expect problems with the revocation. However, this is the first time a KSK in the Domain Name System (DNS) root has been revoked, so the ICANN org and the DNS technical community will be watching carefully for at least 48 hours after the publication of the revoked KSK-2010.
The ICANN org strongly encourages vendors to no longer ship KSK-2010 in their products. Similarly, anyone who is maintaining their list of DNS root trust anchors by hand should remove KSK-2010 from their configurations.
We will report any significant issues that we see on the email@example.com mailing list, our normal place for communicating about the KSK rollover.