U.S. Flag Official website of the Department of Homeland Security
TLP:WHITE

DNSSEC Key Signing Key Rollover

Original release date: September 27, 2018 | Last revised: September 28, 2018

On October 11, 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) will be changing the Root Zone Key Signing Key (KSK) used in the Domain Name System (DNS) Security Extensions (DNSSEC) protocol.

DNSSEC is a set of protocol extensions used to digitally sign DNS information, an important part of preventing domain name hijacking. Updating DNSSEC KSK is a crucial security step in ensuring DNSSEC-validating DNS resolvers continue to function after the rollover. While DNSSEC validation is mandatory for federal agencies, it is not required of the private sector. Organizations that do not use DNSSEC validation will be unaffected by the rollover.

NCCIC encourages administrators to update their DNSSEC KSK before October 11, 2018. See the National Institute of Standards and Technology/National Telecommunications and Information Administration Roll Ready site and the ICANN Root Zone KSK Rollover resources page for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top