Now that ICANN adapted the Key Signing Keys (KSK) of the DNS root zone successfully on 11 October, we are embarking on the adaptation of the KSK for the .be zone on 15 November.
What is KSK?
The DNSSEC protocol was developed some years ago to prevent DNS traffic from being adapted by outsiders. This protocol works with two keys: the Zone Signing Keys (ZSK) and the Key Signing Keys( KSK). The ZSK is changed every month. The KSK has not been changed for the .be zone since 2013.
Timing
The .be KSK rollover will start on 15 November. On that day, the new KSK will be set in the .be zone alongside the old. The new KSK will thus become visible for the outside world and the waiting period will start so that every resolver will have a chance to include this new KSK in their cache.
On 22 November, we will initiate the rollover in the root zone. The actual rollover will take place when PTI, the organisation that now performs the
IANA
functions, will introduce the change in their infrastructure (the root zone). As such, the delegation will be transposed from the old to the new KSK. On 20 December the old key will be cleared and the KSK rollover will be carried out. Only the new key will be visible from that point on.
Limited impact
It is highly probable no one will notice anything of this operation. There are a number of reasons why this is so. The large Belgian Internet service providers still do not carry out any DNSSEC validation, unlike the 8.8.8.8 of Google resolver, for instance. In addition, unlike the root zone, the aim is not to have the resolvers hard code our KSK as trust anchor. If there are resolvers who have done so nonetheless, we advise them to change it. If they do not adapt their resolver, their users will no longer be able to visit any DNSSEC verified website.
For more information on DNSSEC or the ROOT KSK rollover you can contact our support department by sending an e-mail to support@dnsbelgium.be