ICANN Resolutions » KSK Roll Current Status

Important note: The Board Resolutions are as reported in the Board Meeting Transcripts, Minutes & Resolutions portion of ICANN's website. Only the words contained in the Resolutions themselves represent the official acts of the Board. The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor does any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.

KSK Roll Current Status

Resolution of the ICANN Board
Meeting Date: 
周六, 23 九月 2017
Resolution Number: 
Resolution Text: 

Whereas, the Root Zone KSK (Key Signing Key) Operator DPS (DNSSEC Practice Statement) from 2010 contains this statement "Each RZ KSK will be scheduled to be rolled over through a key ceremony as required, or after 5 years of operation."

Whereas, the technical community published in March 2016 a proposed plan to roll the DNS root KSK through a multi-step process that would last over a year.

Whereas, ICANN organization published in July 2016 an operational implementation plan for ICANN to roll the DNS root KSK through a process where each step can be observed by the community to be sure that the process was not creating unexpected problems.

Whereas, ICANN organization published in July 2016 an external test plan to allow DNS resolver operators to test their readiness for the anticipated KSK roll.

Whereas, ICANN organization published in July 2016 a back out plan detailing how major steps in the plan to roll the KSK could be reversed in case significant security, stability, or resiliency issues in the DNS were discovered.

Whereas, ICANN organization published in September 2016 a plan for monitoring the steps in the anticipated KSK roll in order to detect any anomalies that would affect the security, stability, or resiliency of the DNS.

Whereas, for over a year, ICANN organization has been educating the community about the intended plan to roll the DNS root KSK through talks at operators meetings, interviews in the press, and general social media.

Whereas, the CEO has informed the Board that most of the steps of the plan have been acted upon, that contingency plans are in place and that he will move forward so long as there are no significant observed effects on the security, stability, or resiliency of the DNS as a whole.

Resolved (2017.09.23.01-A), the ICANN organization is directed to roll the DNS root KSK as soon as is practical.

Rationale for Resolution: 

Why is the Board addressing this issue now?

The next step in the KSK roll is anticipated to happen on September 19, 2017 when the root zone grows to its largest size due to normal addition of a second ZSK (Zone Signing Key). If there is no problem with the step that adds the ZSK, the next step is anticipated to happen on October 11, 2017, when the root zone will be signed with the new KSK; this is the full KSK roll. Assuming that these steps work well and no back out is required, there are a few more minor clean-up steps planned for future months.

What is the proposal being considered?

To instruct ICANN organization to continue with the plan expressed in "2017 KSK Rollover Operational Implementation Plan" (https://www.icann.org/en/system/files/files/ksk-rollover-operational-imp... [PDF, 741 KB]) and "2017 KSK Rollover Monitoring Plan" (https://www.icann.org/en/system/files/files/ksk-rollover-monitoring-plan... [PDF, 480 KB]), as modified by "2017 KSK Rollover Back Out Plan" (https://www.icann.org/en/system/files/files/ksk-rollover-back-out-plan-2... [PDF, 506 KB]) if needed.

What stakeholders or others were consulted?

Numerous technical stakeholders have been consulted for over a year. There have been detailed presentations at network operators' meetings throughout the world, at technical meetings such as IETF and DNS-OARC, and at ICANN meetings.

The design team for the proposed plan included members of the technical community from around the world, who took detailed review comments during their creation of the plan.

What significant materials did the Board review?

The Board reviewed the documents linked from the page at https://www.icann.org/kskroll. That page has been widely referenced in the presentations mentioned above.

Are there positive or negative community impacts?

The main positive community impact is proof that ICANN can successfully act on our commitments to maintain the security, stability, and resiliency of the DNS root KSK. An additional positive impact is that the technical community has shown a greater interest in the technical implementation details of ICANN's key signing ceremonies. Taking this action is in the public interest as it contributes to the commitment of the ICANN organization to strengthen the security, stability, and resiliency of the DNS.

To date, there have been no significant negative community impacts. During the future steps in the KSK roll, there may possibly be noticeable security, stability, or resiliency issues discovered with the roll process. If those issues are significant enough for ICANN to need to back out of the roll, the act of rolling back could cause different stability issues while lessening the issues from the roll. These are discussed in great detail in "2017 KSK Rollover Back Out Plan" (https://www.icann.org/en/system/files/files/ksk-rollover-back-out-plan-2... [PDF, 506 KB]), which has been widely reviewed in the technical community.

Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?

The next steps in the key roll are already accounted for in the operating plan and budget. It is not anticipated that the roll will cost the community or the public any money.

Are there any security, stability or resiliency issues relating to the DNS?

There are possible security, stability, or resiliency issues with rolling the root KSK if the roll exposes operational issues, but there are also significant security and resiliency issues of not rolling the root KSK. The balance between these two were considered by the technical community during the planning stages of the roll and there was strong consensus that performing the roll was warranted.