My thoughts on Root KSK Rollover

The DNS root zone is the top-level DNS zone in the hierarchical namespace of the Domain Name System (DNS) of the Internet. The KSK is a cryptographic public-private key pair that plays an important role in the Domain Name System Security Extensions (DNSSEC) protocol. The public portion of the key pair serves as the trusted starting point for DNSSEC validation, similar to how the root zone serves as the starting point for DNS resolution. The private portion of the KSK is used during the Root KSK Ceremonies to sign the Zone Signing Keys used by Verisign to DNSSEC-sign the root zone.

As many of you might be aware, I was part of the original Root DNSSEC Design team, which designed and executed the Root DNSSEC project. I carried the Ceremony Administrator role for KSK Ceremony 1, in which the current Root DNSSEC KSK was created. I left ICANN in October 2013, and since then I have been closely observing ICANN Root KSK operations as an external DNS geek.

After reading several tweets and articles regarding feedback from security experts, I wanted to take a moment and share my thoughts with the community. I am not claiming to be an expert on anything, and I truly respect those who voiced their concerns. Having said that, I have gone through every document published regarding the Root KSK rollover. I am truly impressed by the due diligence and transparency the team working on the Root KSK Rollover has shown, and I have the utmost confidence in their excellent work.

Root DNSSEC Ceremony 1 - Mehmet Akcin & Dan Kaminsky

To conclude, I would like to express that I support the decision to follow the current plan and roll the Root KSK on 11 October 2018. I would also like to be the first to congratulate the team involved for their hard work and dedication to keeping the DNS Root Zone secure.

Root KSK Rollover Resources:

