What is a KSK Rollover?
The root trust anchor is changing, and validating resolvers need to be ready.
A KSK rollover is the process of replacing the root Key Signing Key, the cryptographic key at the top of the DNSSEC chain of trust, with a new one.
When this happens, the corresponding trust anchor must be updated in validating resolvers and software.
This is a planned and carefully coordinated process. We’ve done this once before, in 2018, but doing it successfully relied on a lot of people monitoring and checking their configurations.
If the root key changes and validating resolvers haven’t been updated with the new trust anchor, DNSSEC-enabled domains will fail to resolve.
Making sure everyone is up to date helps ensure continued, reliable DNS validation.
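An added example (not from the original page or from the organization behind it): a readiness check that reads a resolver's root trust anchors, derives each key's tag as in RFC 4034 Appendix B, and reports whether the incoming KSK is already trusted. The zone-file style anchor format, the function names and the sample records are assumptions; the keys and tags are constructed, not the real root keys.

```python
import base64

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY record, computed as in RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def root_anchor_tags(anchor_text):
    """Key tags of the root trust anchors found in zone-file style text."""
    tags = set()
    for line in anchor_text.splitlines():
        fields = line.split(";", 1)[0].split()    # drop comments
        if not fields or fields[0] != ".":
            continue                              # only root-zone anchors count
        if "DS" in fields:
            rdata = fields[fields.index("DS") + 1:]
            tags.add(int(rdata[0]))               # a DS record carries the tag
        elif "DNSKEY" in fields:
            rdata = fields[fields.index("DNSKEY") + 1:]
            flags, proto, alg = (int(x) for x in rdata[:3])
            if flags & 0x0001:                    # SEP bit set: a KSK, not a ZSK
                key = base64.b64decode("".join(rdata[3:]))
                tags.add(key_tag(flags, proto, alg, key))
    return tags

def rollover_ready(anchor_text, incoming_tag):
    """True if the resolver already trusts the incoming KSK."""
    return incoming_tag in root_anchor_tags(anchor_text)

# Constructed sample anchors (toy key material, not real root keys).
OLD_ONLY = """
; resolver that only knows the outgoing KSK
. 172800 IN DNSKEY 257 3 8 AQID
. 172800 IN DNSKEY 256 3 8 BAUG   ; a ZSK, never a trust anchor
example. IN DS 3598 8 2 00        ; not the root zone
"""
BOTH = OLD_ONLY + ". IN DS 3598 8 2 ABCDEF ; incoming KSK, by digest\n"

if __name__ == "__main__":
    for name, text in (("old only", OLD_ONLY), ("both keys", BOTH)):
        print(name, sorted(root_anchor_tags(text)), rollover_ready(text, 3598))
```

A resolver in the "old only" state validates today and fails once the root zone is signed only with the incoming key.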
