WHOIS Mi LACNIC
Su dirección IP es / Your IP address is: 

DNS Root Zone KSK Rollover

In October 2017, ICANN is planning to roll, or change, the "top" pair of cryptographic keys used in the DNSSEC protocol, commonly known as the Root Zone KSK (Key Signing Key). This will be the first time the KSK has been changed since it was initially generated in 2010. It is an important security step, in much the same way that regularly changing passwords is considered good practice by any Internet user.

Changing the key involves generating a new cryptographic key pair and distributing the new public component to all DNSSEC-validating resolvers globally. This will be a significant change as every Internet query using DNSSEC depends on the root zone KSK to validate the destination.

Once the new keys have been generated, network operators performing DNSSEC validation will need to update their systems with the new key so that when a user attempts to visit a website, it can validate it against the new KSK.

Maintaining an up-to-date KSK is essential to ensuring DNSSEC-validating DNS resolvers continue to function following the rollover.

Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.

Who needs to take action?

Network operators using DNSSEC-validating resolvers must update their systems with the new KSK to help ensure trouble-free Internet access for users.

In either case, it is worth checking and testing systems prior to the KSK rollover to confirm what action will be required. ICANN is providing a free testbed for operators to help you determine whether your systems can handle automated updates correctly. LACNIC will be contacting all its Members to advise of the KSK rollover, and provide information and resources to assist Members in taking appropriate action.

For more information:

Top CHK_LACNIC