
OTTAWA – The Canadian Internet Registration Authority (CIRA) has issued an alert to the country’s Internet service providers advising them to be prepared for Thursday’s root Key Signing Key (KSK) rollover performed by the Internet Corporation for Assigned Names and Numbers (ICANN).
Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, reads the advisory. If those affected have improperly set up their recursive name servers that validate DNSSEC, or the user wants to access a DNSSEC-signed zone, resolution will not function. This means some users will lose access to the internet, and it is difficult to know who until the rollover takes place. However, the problem can be fixed once it has been identified.
Other than ISPs, the move may also affect enterprise network administrators, DNS resolver operators and software developers, system integrators, and hardware and software distributors who install or ship the root’s “trust anchor”.
“We are confident the rollover will go well. Nevertheless, CIRA recommends that everyone who runs one or more DNSSEC-validating resolvers double-check their readiness,” said CIRA’s chief technology officer Jacques Latour. “October 11th is the rollover date, so users should also be on the lookout that day for DNS problems.”
DNS operators can check their configuration to ensure that it is set up properly for the new key via the self-test page available here.
For more information about how to prepare for the root zone KSK rollover, visit https://www.icann.org/resources/pages/ksk-rollover or read this blog by SIDN.nl