SAC063 - SSAC Advisory on DNSSEC Key Rollover in the Root Zone

Abstract

There is consensus in the security and domain name system (DNS) communities that the root zone DNS Security Extensions (DNSSEC) system poses unique challenges for standard DNSSEC practices. While there is agreement that an eventual root zone Key-Signing Key (KSK) rollover is inevitable regardless of whether that rollover is caused by a key compromise or other factors, there is no solid consensus in the technical community regarding the frequency of routine, scheduled KSK rollovers. In this Advisory the SSAC addresses the following topics:

  • Terminology and definitions relating to DNSSEC key rollover in the root zone;
  • Key management in the root zone;
  • Motivations for root zone KSK rollover;
  • Risks associated with root zone KSK rollover;
  • Available mechanisms for root zone KSK rollover;
  • DNS response size considerations;
  • Quantifying the risk of failed trust anchor update.