"DNS Root Zone KSK Rollover Planning" by Elise Gerich. A presentation given at the APNIC 40 APOPS 2 session on Tue 8 Sep 2015.

1. Root Zone KSK: After 5 years
Elise Gerich | APNIC 40 | September 2015

2. | 2
 Where are we today
 Roll (change) the Root Key Signing Key (KSK)
 Getting to a plan
Agenda

3. | 3
 Root Zone KSK (Key Signing Key)
 The trust anchor in the DNSSEC hierarchy
 Has been in operation since June 2010
 Root Zone Partners
 ICANN
 Verisign
 USG Dept of Commerce NTIA
 "After 5 years of operation"
 Created Design Team to propose plan for
rollover of root KSK
 Target for delivery of plan in fall of 2015
Where are we today

4. | 4
Design Team Members
 Volunteer Team Members
 Joe Abley
 John Dickinson
 Ondrej Sury
 Yoshiro Yoneya
 Jaap Akkerhuis
 Geoff Huston
 Paul Wouters
 Root Zone Partners

5. | 5
What is …
 KSK
 Key-Signing Key signs DNSKEY RR set
 Root Zone KSK
 Public key in DNS Validator Trust Anchor
sets
 Copied everywhere - "configuration
data"
 Private key used only inside Hardware
Security Module (HSM)
 Impact of root KSK rollover
 Large impact on those validating
 A new root KSK has to be updated
everywhere
 Other KSK rolls inform the parent (or DLV)

6. | 6
Planning Approach
 Current Volunteer Design Team
 Study, discussion through July
 Present draft report for ICANN Public
Comment
 https://www.icann.org/public-comments/root-
ksk-2015-08-06-en
 Present final report ~ one month after Public
Comment Period closes

7. | 7
Feedback Welcome
 Input to the Public Comment
 https://www.icann.org/public-comments/root-
ksk-2015-08-06-en
 Input to Design Team Members
 Input during Q&A after Geoff’s presentation

8. | 8
Thank you!