ICANN: DNS root zone key replacement may affect name resolution next month

The Internet Corporation for Assigned Names and Numbers (ICANN) has now issued notices in multiple languages about problems that may occur during the rotation of the root zone Key Signing Key.

The Key Signing Key, abbreviated KSK, is the key used to sign all keys in the root zone. Rotation means that the root zone will switch to a new KSK.

Because the rotation affects recursive resolution across the global DNS, it may eventually make a small number of Internet domain names unresolvable.


Root zone KSK rotation definition:

As early as 2010, ICANN began to use DNSSEC to sign the root zone. DNSSEC ensures that the data recorded by the server has not been tampered with.

Signing the DNS root zone involves two types of key: a Zone Signing Key (ZSK), which signs the root zone data, and a KSK, which signs the root zone's key set.

The ZSK is usually updated every three months to ensure data security. Each new ZSK is signed by a long-lived KSK to prove that the ZSK is valid.

A rotation occurs when the key signing key, i.e. the KSK, needs to be changed; during the rotation the original KSK is deactivated and the ZSK is re-signed.

Why perform a KSK rotation:

The purpose of the KSK rotation is to ensure that the global DNS system operates safely. DNS resolution servers that do not support DNSSEC encryption will not work.

After the rotation, signatures from the new KSK will be available to more than 99% of DNS servers, so DNSSEC-enabled resolvers will see little impact.

Servers that still do not support DNSSEC encryption after this KSK rotation may not be able to resolve names properly because they cannot obtain the new key.
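The KSK/ZSK split described above, and the point about a server not obtaining the new key, can be checked mechanically. The following is an added example, not code from ICANN or from the original article: it parses DNSKEY records, separates KSKs from ZSKs by the SEP flag, computes key tags per RFC 4034 Appendix B, and reports whether a set of configured root keys already contains the new KSK. It assumes the resolver's keys are available in DNSKEY presentation format; the function names are hypothetical and all key material is constructed.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, public_key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(text):
    """Parse lines of the form: owner [ttl] [class] DNSKEY flags proto alg key..."""
    keys = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
        public_key = base64.b64decode("".join(fields[i + 4:]))
        keys.append({"flags": flags, "is_ksk": bool(flags & 1),  # SEP bit marks a KSK
                     "tag": key_tag(flags, protocol, algorithm, public_key),
                     "key": public_key})
    return keys

def ready_for_rotation(anchor_text, new_ksk_text):
    """True if the new KSK is already among the configured KSKs."""
    new = parse_dnskeys(new_ksk_text)[0]
    anchors = [k for k in parse_dnskeys(anchor_text) if k["is_ksk"]]
    return any(a["tag"] == new["tag"] and a["key"] == new["key"] for a in anchors)

def _record(flags, material):
    # Constructed key material for illustration; not real root zone keys.
    return f". 172800 IN DNSKEY {flags} 3 8 {base64.b64encode(material).decode()}\n"

OLD_KSK = _record(257, b"constructed old KSK bytes")
NEW_KSK = _record(257, b"constructed new KSK bytes")
ZSK = _record(256, b"constructed ZSK bytes")  # flags 256: zone key without SEP

STALE_RESOLVER = "; configured root keys (constructed)\n" + OLD_KSK
UPDATED_RESOLVER = STALE_RESOLVER + NEW_KSK

if __name__ == "__main__":
    for name, anchors in (("stale", STALE_RESOLVER), ("updated", UPDATED_RESOLVER)):
        print(name, sorted(k["tag"] for k in parse_dnskeys(anchors)),
              "ready" if ready_for_rotation(anchors, NEW_KSK) else "NOT ready")
    print("ZSK is_ksk:", parse_dnskeys(ZSK)[0]["is_ksk"])
```
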

What impact might it have on ordinary users:

This KSK rotation is scheduled for October 11th, 2018. The specific time of the rotation has not yet been confirmed.

If a user's DNS resolution server does not support DNSSEC during the rotation, no sites will resolve from the start of the rotation.

Both web pages and applications may be affected; if a DNSSEC-enabled DNS resolver is used, the transition will be smooth and have no effect.

Via: ICANN