Schedule announced for next KSK key generation

Kim Davies kim.davies at
Tue Mar 7 17:15:58 UTC 2023

ICANN has announced the planned schedule for the next Root Zone KSK
generation, namely during the next KSK ceremony scheduled for 27 April

The full announcement is at
<> with the full
text below:

The Internet Corporation for Assigned Names and Numbers (ICANN) is
pleased to announce that the Internet Assigned Numbers Authority (IANA)
will generate a new root zone key signing key (KSK) used by the Domain
Name System Security Extensions (DNSSEC). DNSSEC ensures that the
information received from the DNS about a domain name is authentic. It
helps make the Internet safer for its billions of users.

Generation of the new key is planned to occur during the 49th KSK
Ceremony on 27 April 2023. The key will be replicated to an alternate
facility in the third quarter of 2023. IANA plans to pre-publish the key
in the DNS, starting in January 2024. It will be held in standby for
about two years, during which ICANN will conduct an extensive outreach
campaign to ensure a seamless transition to the new key for the global
Internet community.

The first time a key changed, an event referred to as
a rollover, was in 2018, following several years of
consultation, design, and testing. To learn more, click here
<>. This rollover was
considered a success, and this generation of a new key is the first step
in the next iteration of that plan.

The security and stability of the DNS requires the capability to change
keys. Rollovers of the root KSK, which is the process of replacing
one key with another, exercise these mechanisms to ensure ongoing
operational readiness.

The new key will use the same cryptographic algorithm
and key size that is used currently. A separate project
<> is
underway to design the process for changing the algorithm used to sign
the root zone which will inform future changes in this area.

You can subscribe to the ksk-rollover mailing list
<> to join the public
discussions related to changing the root key signing key.

More information about the root-dnssec-announce mailing list