Purpose: This public comment proceeding seeks to review the Design Team’s findings to date related to issues and plans for changing the cryptographic key used to originate the DNSSEC chain of trust.
Current Status: The Design Team has generated a preliminary report and will accept wider review.
Next Steps: After the public comment proceeding, the Design Team will finalize its report and plan for changing the cryptographic key.
Section I: Description and Explanation
A design team consisting of seven independent DNS experts has produced a report examining previously proposed schemes for changing the DNSSEC root zone KSK, along with considerations related to Internet realities, in preparation for finalizing plans to change the current Root Zone KSK.
Section II: Background
In 2010, the Root Zone Management Partners (ICANN, Verisign, and NTIA) introduced the DNS Security Extensions to the operational root zone. After five years of operation, there is a requirement to change the top most cryptographic key in the hierarchy, the key called the Root Zone Key Signing Key. The challenge is to ensure that all copies of the publicly distributed key are updated to prevent disruption to DNSSEC protection of the DNS.