The Only Specialized Global Intellectual Property News Agency
A Member of Talal Abu-Ghazaleh Global

ICANN to Generate New DNS Cryptographic Key at April 2024 Ceremony

29-Feb-2024 | Source : The Internet Corporation for Assigned Names and Numbers (ICANN) | Visits : 547

LOS ANGELES - The Internet Corporation for Assigned Names and Numbers (ICANN) announced plans to generate a new root zone key signing key (KSK) used by the Domain Name System Security Extensions (DNSSEC). DNSSEC ensures that the information received from the DNS about a domain name is authentic. It helps make the Internet safer for its users, a press release stated by ICANN. 

Generating a new KSK restarts the process announced last year, which was suspended after it was identified that a supplier of key equipment used to store the KSK (known as a Hardware Security Module, or HSM) would be exiting the business during the expected lifespan of the new KSK. Throughout last year, through the Internet Assigned Numbers Authority (IANA) functions, several alternate vendors of HSMs were evaluated and a replacement was selected. An analysis of the selection and its impact accompanies this announcement.

Generating the new key is slated for 26 April 2024 as part of the 53rd KSK Ceremony. The key will be replicated to an alternate facility in the third quarter of 2024. IANA anticipates pre-publishing the key in the DNS starting in January 2025. It will be held in standby for about two years prior to being placed into production use in late 2026.

During that time, ICANN will conduct an extensive outreach campaign to enable a seamless transition to the new key for the global Internet community.

The first time a key changed, an event referred to as a rollover, was in 2018. This rollover was considered a success, and followed several years of consultation, design, and testing. The new key generated by the event this April is the first step in the next iteration of that plan.

The security and stability of the DNS requires the capability to change keys. Rollovers of the Root KSK, which is the process of replacing one key with another, help exercise these mechanisms to ensure operational readiness.

The new key will use the same cryptographic algorithm and key size that is used currently. A separate project is underway to design the process for changing the cryptographic algorithm used to sign the root zone. This will inform future changes in this area.


Related Articles