DNSSEC Root Zone Key Signing Key (KSK) Rollover

What is it?

The KSK is a public-private key pair that lets the DNSSEC protocol secure your DNS information. The public half of the key is the starting point (the trust anchor) for DNSSEC validation, much as the root servers are the starting point for DNS queries. The private half of the key is used by Verisign to sign the Zone Signing Keys when the root zone is DNSSEC-signed.

What does that mean?

If you’re not using DNSSEC then you don’t have anything to worry about. DNSSEC is an additional security measure that can be taken to secure your DNS information and verify that your domain’s DNS records are actually yours. If you’re not sure whether you’re using DNSSEC, then you likely are not. You could ask whoever is responsible for your DNS to find out for sure.

If you are using DNSSEC then you will need to create a new key pair and retire your current key pair so that DNSSEC keeps functioning. This is done automatically for you if you support RFC 5011 (https://tools.ietf.org/html/rfc5011). Otherwise, you will need to manually update the trust anchor from http://data.iana.org/root-anchors/, and you can find information about testing your configuration at https://www.icann.org/en/system/files/files/ksk-rollover-external-test-plan-22jul16-en.pdf
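The manual path above comes down to one question: does the root DNSKEY your resolver trusts match an entry IANA currently publishes in root-anchors.xml? The script below is an added example (not MxToolbox code and not taken from the page) that answers it offline: it computes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4) of a configured DNSKEY and looks for a matching `<KeyDigest>` entry. The anchors file follows the shape of IANA's root-anchors.xml, but every key, key tag, digest and date in it is a constructed placeholder, not the real root KSK data.

```python
"""Check a resolver's configured root DNSKEY trust anchor against a
root-anchors.xml-style file: compute the key's key tag (RFC 4034 Appendix B)
and its SHA-256 DS digest (RFC 4034 section 5.1.4) and look for a matching
<KeyDigest> entry. All key material, digests and dates below are constructed
for illustration; they are not the real root KSK values."""
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

# Owner name of the root zone in DNS wire format: a single zero-length label.
ROOT_OWNER_WIRE = b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Build DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner_wire, rdata):
    """DS digest type 2: SHA-256 over the owner name (wire format) followed by the RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()


def parse_root_anchors(xml_text):
    """Parse the <KeyDigest> entries of a root-anchors.xml-shaped document."""
    root = ET.fromstring(xml_text)
    anchors = []
    for kd in root.findall("KeyDigest"):
        anchors.append({
            "id": kd.get("id"),
            "valid_from": kd.get("validFrom"),
            "valid_until": kd.get("validUntil"),  # absent (None) while the key is current
            "key_tag": int(kd.findtext("KeyTag")),
            "algorithm": int(kd.findtext("Algorithm")),
            "digest_type": int(kd.findtext("DigestType")),
            "digest": kd.findtext("Digest").strip().upper(),
        })
    return anchors


def check_trust_anchor(flags, protocol, algorithm, public_key_b64, anchors):
    """Return the published anchor entry matching the configured DNSKEY, or None.

    None means the resolver trusts a key that is not published (for example a
    key that has already been retired), the state that breaks validation after
    a KSK rollover."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    tag = key_tag(rdata)
    digest = ds_digest_sha256(ROOT_OWNER_WIRE, rdata)
    for anchor in anchors:
        if (anchor["digest_type"] == 2 and anchor["algorithm"] == algorithm
                and anchor["key_tag"] == tag and anchor["digest"] == digest):
            return anchor
    return None


# Constructed resolver trust anchor: KSK flags 257, protocol 3, algorithm 8 (RSA/SHA-256)
# and a tiny fake "public key" (bytes 01 02 03 04) so the arithmetic is easy to follow.
CONFIGURED_KEY = (257, 3, 8, "AQIDBA==")

# Constructed anchors file in the shape of IANA's root-anchors.xml. The first entry
# stands for a retired key; the second is derived from CONFIGURED_KEY so it matches.
SAMPLE_ROOT_ANCHORS_XML = """<TrustAnchor id="constructed-sample" source="not IANA data">
  <Zone>.</Zone>
  <KeyDigest id="old-ksk" validFrom="2016-01-01T00:00:00+00:00" validUntil="2018-01-01T00:00:00+00:00">
    <KeyTag>11111</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>{old_digest}</Digest>
  </KeyDigest>
  <KeyDigest id="new-ksk" validFrom="2017-06-01T00:00:00+00:00">
    <KeyTag>{new_tag}</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>{new_digest}</Digest>
  </KeyDigest>
</TrustAnchor>
""".format(
    old_digest="00" * 32,
    new_tag=key_tag(dnskey_rdata(*CONFIGURED_KEY)),
    new_digest=ds_digest_sha256(ROOT_OWNER_WIRE, dnskey_rdata(*CONFIGURED_KEY)),
)

SAMPLE_ANCHORS = parse_root_anchors(SAMPLE_ROOT_ANCHORS_XML)

if __name__ == "__main__":
    match = check_trust_anchor(*CONFIGURED_KEY, SAMPLE_ANCHORS)
    if match is None:
        print("configured trust anchor is NOT published: update it before the rollover")
    else:
        print("configured trust anchor matches published entry", match["id"],
              "validUntil=%s" % match["valid_until"])
```

To use it against real data, replace `CONFIGURED_KEY` with the DNSKEY your resolver actually has configured and feed the downloaded root-anchors.xml to `parse_root_anchors`; a match whose `valid_until` is set is a key that is being retired, and no match at all means the anchor must be replaced before validation fails.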

MxToolbox Resources

MxToolbox has all the DNS and DNSSEC tools you need to help you through this transition. We have everything from basic DNS lookups, to DNSKEY, NSEC and IPSECKEY lookups, to comprehensive domain research tools like Investigator. You can even validate your DNS Cert or HTTPS Certificate. All of these tools are easily accessible from our Network Tools page (see image).

Additional Resources: