The internet’s most critical cryptographic operation is underway: the rollover of the DNSSEC Key Signing Key (KSK) for the DNS root zone. If your resolvers aren’t ready, DNSSEC validation will break — and your users won’t be able to resolve DNS queries.
What Is the KSK?
The KSK is the cryptographic trust anchor at the very top of the DNSSEC chain. Every DNSSEC-validated query — from .com to yoursite.com — ultimately chains back to this single key. It’s the root of trust for the entire DNSSEC ecosystem. If you use a DNS hosting provider that supports DNSSEC, the trust anchor management is handled for you.
Rollover Timeline
- April 2024 — New key (KSK-2024) generated at ICANN’s key ceremonies.
- January 11, 2025 — New key pre-published in the root zone. Resolvers using RFC 5011 automated trust anchor management begin trusting it.
- October 11, 2026 — KSK-2024 begins signing the root zone (the actual switchover).
- January 11, 2027 — Old key (KSK-2017) is revoked.
What Could Go Wrong
The last rollover in 2018 was delayed by years due to concerns about broken resolvers. If a resolver doesn’t have the new trust anchor when the rollover happens:
- DNSSEC validation fails for all queries
- The resolver returns SERVFAIL for every lookup
- Users experience a total DNS outage
What You Should Do Now
- Check your trust anchors — Run dig . DNSKEY and verify you see both the old and new KSK.
- Enable RFC 5011 — If your resolver supports automated trust anchor updates, enable it.
- Update manually if needed — Download the new trust anchor from IANA and configure it in your resolver.
- Test before October 2026 — Validate that your infrastructure will survive the rollover. Managed DNS providers like HostDNS handle this automatically.
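The following script is an added example, not code from the original article or from any DNS vendor. It implements the checks above: it parses dig . DNSKEY output (plain or +multiline), computes each key's tag per RFC 4034 Appendix B and its DS digest per RFC 4034 section 5.1.4, and then compares the KSKs the resolver sees against the KeyDigest entries of an IANA root-anchors.xml-style file. The XML element names (KeyDigest, KeyTag, Algorithm, DigestType, Digest) are assumed to match IANA's published format; the sample DNSKEY records, the key tags 2059 and 4242 and the all-zero digest are constructed values and are not the real root keys.

```python
"""Check a resolver's view of the root DNSKEY RRset against IANA's published
trust anchors. Added example, not code from the original article.

Assumptions: input is `dig . DNSKEY` output in presentation format (plain or
+multiline) plus an IANA root-anchors.xml-style file whose <KeyDigest> entries
carry <KeyTag>, <Algorithm>, <DigestType> and <Digest>. Key tags follow
RFC 4034 Appendix B; DS digests follow RFC 4034 section 5.1.4. The sample
records below are constructed and are not the real root keys."""
import base64
import hashlib
import struct
import sys
import xml.etree.ElementTree as ET

KSK_FLAGS = 257            # ZONE (256) | SEP (1): marks a key-signing key
ROOT_OWNER_WIRE = b"\x00"  # the root name "." in DNS wire format


def _records(text):
    """Yield presentation-format records with ';' comments stripped and
    parenthesised multi-line records (dig +multiline) joined into one line."""
    buf = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line:
            buf.append(line)
        joined = " ".join(buf)
        if not buf or joined.count("(") > joined.count(")"):
            continue
        yield joined.replace("(", " ").replace(")", " ")
        buf = []


def parse_dnskeys(dig_output):
    """Return [(flags, protocol, algorithm, pubkey_bytes), ...] for each DNSKEY."""
    keys = []
    for rec in _records(dig_output):
        tokens = rec.split()
        if "DNSKEY" in tokens:
            i = tokens.index("DNSKEY")
            flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
            keys.append((flags, proto, alg, base64.b64decode("".join(tokens[i + 4:]))))
    return keys


def _rdata(flags, proto, alg, pubkey):
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete alg 1)."""
    ac = 0
    for i, b in enumerate(_rdata(flags, proto, alg, pubkey)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(flags, proto, alg, pubkey, digest_type=2):
    """Upper-case hex DS digest of a root DNSKEY (type 2 = SHA-256, 1 = SHA-1)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(ROOT_OWNER_WIRE + _rdata(flags, proto, alg, pubkey)).hexdigest().upper()


def parse_anchors(xml_text):
    """Return {(key_tag, algorithm, digest_type): digest_hex} from root-anchors.xml."""
    anchors = {}
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        key = tuple(int(kd.findtext(f)) for f in ("KeyTag", "Algorithm", "DigestType"))
        anchors[key] = kd.findtext("Digest").strip().upper()
    return anchors


def check_trust_anchors(dig_output, anchors_xml):
    """Return (matched, missing, unexpected): anchor key tags whose DS digest
    matches a KSK the resolver sees, anchors with no matching KSK, and KSKs
    in the RRset that correspond to no published anchor."""
    ksks = {}
    for flags, proto, alg, pub in parse_dnskeys(dig_output):
        if flags == KSK_FLAGS:      # ZSKs are never trust anchors
            ksks[key_tag(flags, proto, alg, pub)] = (flags, proto, alg, pub)
    matched, missing = set(), set()
    for (tag, alg, dtype), digest in parse_anchors(anchors_xml).items():
        k = ksks.get(tag)
        if k and k[2] == alg and ds_digest(*k, digest_type=dtype) == digest:
            matched.add(tag)
        else:
            missing.add(tag)
    return matched, missing, set(ksks) - matched


# Constructed sample: a tiny fake KSK (AQID = bytes 01 02 03) and ZSK, not real root keys.
SAMPLE_DIG = """;; ANSWER SECTION:
.\t\t172800\tIN\tDNSKEY\t257 3 8 AQID
.\t\t172800\tIN\tDNSKEY\t256 3 8 BAUG
"""


def make_sample_anchors():
    """Constructed root-anchors.xml: one anchor matching the sample KSK (digest
    computed from it) and one placeholder anchor (tag 4242) the resolver lacks."""
    good = ds_digest(257, 3, 8, b"\x01\x02\x03")
    placeholder = "00" * 32
    return f"""<TrustAnchor id="constructed-sample"><Zone>.</Zone>
<KeyDigest id="sample"><KeyTag>2059</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>{good}</Digest></KeyDigest>
<KeyDigest id="placeholder"><KeyTag>4242</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType><Digest>{placeholder}</Digest></KeyDigest>
</TrustAnchor>"""


def main(argv):
    if len(argv) == 3:   # usage: python check_root_ksk.py dig_output.txt root-anchors.xml
        dig_text, anchors_xml = (open(p).read() for p in argv[1:3])
    else:
        dig_text, anchors_xml = SAMPLE_DIG, make_sample_anchors()
    matched, missing, unexpected = check_trust_anchors(dig_text, anchors_xml)
    print("anchors present in RRset:", sorted(matched))
    print("anchors MISSING from RRset:", sorted(missing))
    print("KSKs with no published anchor:", sorted(unexpected))
    return 0 if not missing else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with two file paths (the saved dig output and the downloaded anchors file); with no arguments it runs on the constructed sample and reports tag 2059 as present and placeholder tag 4242 as missing. A non-zero exit means at least one published anchor has no matching KSK in the RRset the resolver returned, which is exactly the state that turns into SERVFAIL once that key starts signing the root zone. The DS digest comparison matters because a key tag alone is a 16-bit checksum, not proof that the key is the one IANA published.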
Sources: Verisign Blog, ICANN KSK Rollover