[Ssr2-review] KSK Rollover

Russ Housley housley at vigilsec.com
Mon Oct 15 20:05:54 UTC 2018

See the attached excerpt from the recent communication.


> From: ICANN NA <icann.communications at communications.icann.org>
> Subject: Read about the smooth KSK Rollover, get ready for ICANN63 and get the latest news about ICANN!
> Date: October 15, 2018 at 3:50:57 PM EDT
> To: housley at vigilsec.com
> Reply-To: icann.communications at communications.icann.org
>  <>
> Smooth KSK Rollover with Minimal User Impact 
> As many of you may know, the rollover of the DNSSEC Key Signing Key (KSK) occurred on 11 October 2018. Because of the large amount of preparation by the ICANN organization and many of ICANN's communities, the KSK rollover went quite smoothly. ICANN is grateful to all the people who made this event go well.
> As expected, a small number of resolvers were not ready for the rollover. To the best of ICANN's knowledge, those resolvers were able to fix their immediate DNSSEC problems and resume their DNS service quickly.
> The next step in the rollover process is to revoke the old KSK; this will happen on 11 January 2019. That step is not expected to affect any resolvers because the old KSK is not being used to sign the root zone any more. After that, the final steps of the process will remove the revoked keys from the trust anchors files and from the hardware security modules (HSMs) in ICANN's secure facilities later in 2019.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ssr2-review/attachments/20181015/a0ded5f7/attachment.html>

More information about the Ssr2-review mailing list