[ksk-rollover] What KSK rollover methodology will be used today?

Matt Larson matt.larson at icann.org
Thu Oct 11 10:57:12 UTC 2018

On Oct 11, 2018, at 9:15 AM, Suhayb Alghutaymil via ksk-rollover <ksk-rollover at icann.org<mailto:ksk-rollover at icann.org>> wrote:

Does anyone know what is the method for changing the KSK rollover today? I have tried to look for it in ICNN documents but I unfortunately I could not find it.

I'm not sure I understand your question about methodology. At 1600 UTC today, 11 October (or shortly thereafter), a root zone will be published with only the "new" KSK (called KSK-2017) signing the root zone's apex DNSKEY RRset. Currently the root zone's apex DNSKEY RRset is signed only with the soon-to-be "old" KSK (called KSK-2010). The publication of this root zone implements the root KSK rollover.

Also I would appreciate it if someone can send a link for ZSK/KSK rollover future timeline for root zone.

There is currently no timeline for future KSK rollovers. We need to get through the first KSK rollover first. :-)

In the future, we expect a lively discussion among the DNS technical community about this topic.


Matt Larson, VP of Research
ICANN Office of the CTO

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20181011/ae70ddd8/attachment.html>

More information about the ksk-rollover mailing list