Upcoming change to an important security configuration parameter related to the root zone

20/09/2017

An upcoming change to an important security configuration parameter related to the root zone, is
scheduled to take place on 11 October 2017.

The root zone is digitally signed using a security protocol called DNS Security Extensions
(DNSSEC), which adds a layer of trust on top of the DNS by providing a way to authenticate DNS
data. DNSSEC enables network operators to protect their users from a form of malicious attack known
as “cache poisoning,” that could redirect their users’ traffic to an incorrect website to, for
example, steal passwords or financial information. DNSSEC deployment is optional and not all
network operators have enabled it, but operators who have deployed it could be affected by the
upcoming change.

The DNS is organized in a hierarchy and ICANN manages changes to the top-most level of the
DNS. ICANN also manages the top-most cryptographic key in the DNSSEC protocol, known as the root
zone key signing key, or KSK. On 11 October 2017, ICANN will change this key, in a process called a
key rollover. This is the first time the key will be changed since DNSSEC was enabled in 2010.

This change must be widely and carefully coordinated with network operators that have enabled
DNSSEC to ensure that the rollover does not interfere with normal operations.

It is important that Internet service providers or network operators that has enabled DNSSEC
validation updates their systems with the new KSK. If an operator fails to update systems with the
new KSK, end users could encounter errors when looking up any domain name and thus, be unable to
access the Internet on 11 October 2017.