Purpose: This Public Comment seeks public review of the plan to roll the root key signing key (KSK). The plan includes more publicity about being prepared for the rollover, analysis of the data being seen indicating the level of preparedness, and the actual rollover itself on 11 October 2018.
Current Status: The technical community discussed possible ways to determine when to roll the root KSK on the email@example.com mailing list, and ICANN used that discussion as the basis for this plan.
Next Steps: ICANN organization will prepare a final plan that bases on the input from the public comments and present a full plan to the ICANN Board for approval.
Section I: Description and Explanation
The Plan for Continuing the Root KSK Rollover (https://www.icann.org/en/system/files/files/plan-continuing-root-ksk-rollover-01feb18-en.pdf [PDF, 93 KB]) describes how ICANN intends to roll the root key signing key (KSK). It is based on input from the community that followed ICANN's earlier decision to postpone the rollover. In summary, the plan is to roll the root KSK on 11 October 2018 after more publicity that is intended to help prepare operators for the rollover and making more data about the preparedness available.
Section II: Background
In 2009, the Root Zone Management partners (ICANN and Verisign, also called the “RZM partners”) collaborated to deploy Domain Name System Security Extensions (DNSSEC) in the root zone, which culminated in the first publication of a validated signed root zone in July 2010. That signature was based on a key signing key (KSK) that is maintained securely by ICANN. It was later agreed that “Each [root zone] KSK will be scheduled to be rolled over through a key ceremony as required, or after 5 years of operation.”
In December 2014, ICANN solicited volunteers from the community to participate with the RZM Partners in a Design Team to develop the Root Zone KSK Rollover Plan. That plan was put out for public comment on 6 August 2015, and was published on 7 March 2016.
On 27 September 2017, ICANN announced that the plan to change the cryptographic key that helps protect the Domain Name System (DNS) is being postponed. On 18 December 2017, ICANN began collecting comment from the community about the acceptable criteria for proceeding with the KSK rollover. The result of that discussion on the firstname.lastname@example.org mailing list is the plan that is now open for comment.
Section III: Relevant Resources
Plan for Continuing the Root KSK Rollover: https://www.icann.org/en/system/files/files/plan-continuing-root-ksk-rollover-01feb18-en.pdf [PDF, 93 KB]
Section IV: Additional Information
- Root Zone KSK Rollover: https://www.icann.org/resources/pages/ksk-rollover
- Root Zone KSK Rollover Plan: https://www.iana.org/reports/2016/root-ksk-rollover-design-20160307.pdf [PDF, 1.19 MB]
- KSK Rollover Postponed: https://www.icann.org/news/announcement-2017-09-27-en
- Update on the Root KSK Rollover Project: https://www.icann.org/news/blog/update-on-the-root-ksk-rollover-project