Security Blog

DNSSEC: ICANN scheduled Root Zone KSK Rollover on 11 October 2018

Release Date: 04 / 10 / 2018
Last Update: 04 / 10 / 2018

The Domain Name System (DNS) is one of the most critical and widely used pieces of network infrastructure. Almost every network application needs DNS to convert a hostname to an IP address before it can carry out its subsequent network activities.


DNS Security Extensions (DNSSEC) is a security extension protocol built on the existing DNS infrastructure. Using digital signatures, DNSSEC can verify the source and the Resource Records of DNS nameservers at every level during the DNS query process. DNSSEC not only enhances the security of DNS and the entire network infrastructure, but also prevents various kinds of DNS attacks (such as DNS poisoning and spoofing).


To strengthen the security of DNSSEC, performing key rollover on a regular basis is a critical duty. The Internet Corporation for Assigned Names and Numbers (“ICANN”) has scheduled the Root Zone Key Signing Key (KSK) rollover for 11 October 2018. To ensure that DNS resolvers can complete resolution successfully when the Root Zone KSK rollover occurs, if you operate a DNS resolver with DNSSEC validation enabled, we strongly encourage you to update your DNS resolver and to have the new Root Zone KSK configured as a trust anchor. Members of the public who are unable to browse websites on or after 11 October 2018 should contact their DNS resolver provider, or configure their computer to use the secure DNS service.
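A validating resolver is ready for the rollover only if its trust anchor store already holds the new root KSK. The following is an added example (not code from ICANN, HKIRC or this blog) that computes the RFC 4034 key tag of each DNSKEY record in a trust-anchor file and checks whether a given root KSK is present. The key tags 19036 (KSK-2010) and 20326 (KSK-2017) are the identifiers IANA publishes for the root keys and are not stated on this page; the sample records are constructed, with shortened keys, and one-record-per-line zone-file format is assumed.

```python
import base64

# Key tags IANA publishes for the root zone KSKs (assumption: not from this page).
KSK_2010_TAG = 19036
KSK_2017_TAG = 20326

# Constructed sample in zone-file format; the keys are shortened placeholders,
# so their tags match neither real root KSK.
SAMPLE_ANCHORS = """\
; constructed trust-anchor file, for illustration only
. 172800 IN DNSKEY 257 3 8 AQIDBA== ; constructed KSK
. 172800 IN DNSKEY 256 3 8 BQYHCA== ; constructed ZSK, not a trust anchor
"""

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_anchors(text: str):
    """Return (owner, flags, algorithm, key_tag) for each single-line DNSKEY record."""
    anchors = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        if i == 0 or len(fields) < i + 5:        # no owner name or truncated record
            continue
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        anchors.append((fields[0], flags, alg, key_tag(rdata)))
    return anchors

def rollover_ready(text: str, new_tag: int = KSK_2017_TAG) -> bool:
    """True if a root-zone KSK (flags 257: zone key + SEP) with new_tag is configured."""
    return any(owner == "." and flags == 257 and tag == new_tag
               for owner, flags, _alg, tag in parse_anchors(text))

if __name__ == "__main__":
    for owner, flags, alg, tag in parse_anchors(SAMPLE_ANCHORS):
        print(f"owner={owner} flags={flags} alg={alg} key_tag={tag}")
    print("new root KSK configured:", rollover_ready(SAMPLE_ANCHORS))
```

Run against the resolver's real trust-anchor file, `rollover_ready` should return True before the rollover date; a store that lists only key tag 19036 will fail validation once the old key stops signing.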


Checking the Current Trust Anchors in DNS Validating Resolvers – For ISP, DNS administrator and technical team


To configure your Windows PC to use the secure DNS service – For home users


For more details about the DNSSEC Root Zone KSK Rollover, please refer to the announcement below from Hong Kong Internet Registration Corporation Limited (“HKIRC”):



We are writing to inform you of the schedule of the root zone key signing key (“KSK”) change to be conducted by The Internet Corporation for Assigned Names and Numbers (“ICANN”) in October 2018. ICANN is an accountable and independent global organization striving to ensure a stable and secure global Internet by managing the highest level of the domain name system (DNS) called the root zone. If you manage DNSSEC-enabled resolvers for KSK validation, kindly inform your DNS administrator and technical team to take action and upgrade your system accordingly to ensure smooth Internet access for users.


Back in 2017, ICANN announced the plan to roll, or change, the “top” pair of cryptographic keys used in the Domain Name System Security Extensions (“DNSSEC”) protocol, commonly known as the root zone key signing key (“KSK”). As every Internet query using DNSSEC depends on the root zone KSK for validating the destination, this will be a significant change. Operators of validating resolvers, especially ISPs, shall update their systems with the new key before the rollover takes place. This ensures that when users attempt to visit a website, the resolver would be able to validate queries against the new KSK. ICANN has scheduled the KSK rollover on 11 October 2018.

This is the first time the root zone KSK has been changed since DNSSEC was enabled in 2010. If you have enabled DNSSEC validation, you must update your system with the new KSK to ensure smooth Internet access for users. Please refer to ICANN’s Quick Guide below for an overview and key milestones:


Changing the key involves generating a new cryptographic key pair and distributing the new public component to DNSSEC-validating resolvers. ICANN generated and published the new keys on 11 July 2017. Operators should update at any time prior to the rollover using the new root KSK. However, if you have NOT enabled DNSSEC, your system will not be affected by this rollover.


HKIRC urges all concerned parties to take immediate action on checking whether the systems are ready for the new KSK updates and install the new KSK accordingly.


ICANN has published several guides addressing KSK rollover. Operators of validating resolvers may find the references below useful:


Checking the Current Trust Anchors in DNS Validating Resolvers


Updating of DNS Validating Resolvers with the Latest Trust Anchor


What To Expect During the Root KSK Rollover


For more details of the Root Zone KSK rollover, please visit


If you have any questions, please contact us at [email protected] or +852 2319 2303.


Thank you for your attention.




Hong Kong Internet Registration Corporation Limited