ICANN has announced its plan to proceed with the DNSSEC KSK Roll on 11 October 2018, which will result in KSK-2017 replacing KSK-2010. This change is part of ICANN’s security best practice in managing the Root Key for the DNSSEC infrastructure.
The new KSK-2017 has been published in the root (.) zone since July 2017. It is important for any operator who maintains or provides a DNS resolution service to make sure that their resolvers have the appropriate trusted key. This ensures that DNSSEC-signed domain names continue to be validated following the rollover. Failure to configure the proper root key will break DNSSEC validation.
There are two ways to update your DNS resolver configuration:
(1) using automatic updates: RFC 5011-enabled resolvers will automatically update the trusted root key at the appropriate time
(2) manually: operators should download the new key and configure their resolvers manually. This should be done before 11 October 2018.
It is also important to make sure that any embedded DNSSEC-validating software has the appropriate key before the new KSK-2017 is put into use.
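One way to check a resolver's or an embedded validator's trust anchors before the rollover, as an added example that is not part of the original announcement: the script reads root DS or DNSKEY records in zone-file style and reports whether KSK-2017 is among them. The key tags 19036 (KSK-2010) and 20326 (KSK-2017) are not stated in the announcement and are assumed from the publicly documented values; the function names and sample records are constructed for illustration.

```python
import base64

# Assumed, publicly documented key tags (not given in the announcement).
KSK_2010_TAG = 19036
KSK_2017_TAG = 20326

def key_tag(flags: int, protocol: int, algorithm: int, public_key: bytes) -> int:
    """Key tag of a DNSKEY record per RFC 4034 Appendix B (algorithm 1 not handled)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def root_anchor_tags(text: str) -> set:
    """Collect key tags of root (.) DS and KSK DNSKEY records; skip malformed lines."""
    tags = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop comments
        if len(fields) < 3 or fields[0] != ".":
            continue                                 # not a root-zone record
        rtype = next((f for f in fields[1:4] if f in ("DS", "DNSKEY")), None)
        if rtype is None:
            continue
        i = fields.index(rtype)
        try:
            if rtype == "DS":
                tags.add(int(fields[i + 1]))        # first DS field is the key tag
            else:
                flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
                if flags & 1:                        # SEP bit: key-signing key
                    key = base64.b64decode("".join(fields[i + 4:]))
                    tags.add(key_tag(flags, proto, alg, key))
        except (ValueError, IndexError):
            continue
    return tags

def rollover_status(text: str) -> str:
    """'ready' if KSK-2017 is trusted, 'stale' if only KSK-2010, else 'no-root-anchor'."""
    tags = root_anchor_tags(text)
    if KSK_2017_TAG in tags:
        return "ready"
    return "stale" if KSK_2010_TAG in tags else "no-root-anchor"

# Constructed sample anchors; the digest is a placeholder, not a real DS digest.
PLACEHOLDER = "0" * 64
SAMPLE_STALE = f". IN DS 19036 8 2 {PLACEHOLDER}\n"
SAMPLE_READY = SAMPLE_STALE + f". 172800 IN DS 20326 8 2 {PLACEHOLDER} ; new KSK\n"

if __name__ == "__main__":
    for name, text in (("stale", SAMPLE_STALE), ("ready", SAMPLE_READY)):
        print(name, sorted(root_anchor_tags(text)), rollover_status(text))
```

The check compares key tags only, so a matching tag should still be confirmed against the key or digest published by ICANN.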
AFRINIC has published two blog posts on the topic:
DNSSEC New Root Zone KSK appears on the DNS <https://www.afrinic.net/blog/265-dnssec-new-root-zone-ksk-appears-on-the-dns>
Watch Out for the DNSSEC Rollover this October <https://www.afrinic.net/blog/357-11-october-2018-dnssec-ksk-rollover-flag-day>
If you have any questions or require clarification on the subject, send an email to <globalsupport[at]icann[dot]org> with “KSK Rollover” in the subject line. Alternatively, you can contact AFRINIC on <dnssec-ops[at]afrinic[dot]net>.