The Key Signing Key (KSK) is the root of the DNSSEC trust chain. It verifies that DNS responses — the lookups translating website addresses into IP addresses — are legitimate and have not been intercepted or modified in transit. Replacing it is periodic security maintenance, but one that requires coordinated action across the global DNS operator community.
The phased rollover began in 2024 and runs through 2027. During this window both the current and the new KSK remain valid, giving internet service providers, enterprises, and others running validating recursive resolvers time to update their configurations before the new key begins signing the DNS root zone in October and the old key retires in January 2027.
For most organisations the update is transparent. Resolvers running current software with automated trust anchor update mechanisms need no manual intervention. The risk is with older or manually configured systems. Operators running validating recursive resolvers with manually set trust anchors need to verify their configurations before October; unresolved misconfigurations may cause DNS resolution failures after the rollover date.
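A sketch of the check the paragraph above asks of operators with manually set trust anchors, added here as an example and not taken from ICANN or any resolver project. It assumes the anchors are kept as zone-file-style DNSKEY or DS records for the root; the keys and tags below are constructed stand-ins, so take the real old and new key tags from the published root trust anchors.

```python
import base64
import re

# Constructed sample: toy key material, NOT the real root KSKs.
OLD_ONLY = """\
; statically configured root trust anchor (constructed)
. 172800 IN DNSKEY 257 3 8 AQIDBA==   ; stand-in for the current KSK
. 172800 IN DNSKEY 256 3 8 CQoLDA==   ; ZSK, not a trust anchor
"""
BOTH = OLD_ONLY + ". 172800 IN DNSKEY 257 3 8 BQYHCA==   ; stand-in for the new KSK\n"

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

# Root-owner records, with optional TTL and class fields.
RECORD = re.compile(r"^\.\s+(?:\d+\s+)?(?:IN\s+)?(DNSKEY|DS)\s+(.*)$", re.I)

def configured_root_tags(text):
    """Key tags of the root KSKs named in a trust anchor file."""
    tags = set()
    for line in text.splitlines():
        match = RECORD.match(line.split(";", 1)[0].strip())
        if not match:
            continue
        rtype, fields = match.group(1).upper(), match.group(2).split()
        if rtype == "DS":                      # DS carries the tag directly
            tags.add(int(fields[0]))
        elif int(fields[0]) & 0x0001:          # SEP bit set: a KSK
            flags, proto, alg = (int(f) for f in fields[:3])
            tags.add(key_tag(flags, proto, alg, "".join(fields[3:])))
    return tags

def rollover_status(text, old_tag, new_tag):
    """'ready' if the new KSK is trusted, 'at-risk' if only the old one is."""
    tags = configured_root_tags(text)
    if new_tag in tags:
        return "ready"
    return "at-risk" if old_tag in tags else "no-known-anchor"

if __name__ == "__main__":
    for name, cfg in (("old-only", OLD_ONLY), ("both", BOTH)):
        print(name, sorted(configured_root_tags(cfg)), rollover_status(cfg, 2063, 4119))
```

A resolver reported as "at-risk" trusts only the outgoing key and is the case that fails validation once the old key retires.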
Kim Davies, Vice President of IANA Services and President of Public Technical Identifiers at ICANN, said: "The trust anchor rollover is a carefully coordinated process that helps safeguard the integrity of the DNS. While most Internet users will not notice any change, operators of DNS software should confirm that their systems are properly configured to trust the new key ahead of the rollover."
ICANN manages the DNS root zone and coordinates the rollover with partners across the global internet community. Technical resources and operational guidance are available on the ICANN KSK Rollover information page.