Infoblox’s global team of threat hunters uncovers a DNS operation with the ability to bypass traditional security measures and control the Great Firewall of China. Read about “Muddling Meerkat” and the many other threat actors discovered by Infoblox Threat Intel here.

Trending KB Articles


# 5729 - Steps to update the new Root Zone KSK key to prevent potential DNS resolution issues

In 2016, the Internet Corporation for Assigned Names and Numbers (ICANN) announced a two-year execution plan for rolling over the Root Zone Domain Name System Security Extensions (DNSSEC) KSK key.


According to that plan, on October 11, 2017, a new KSK key (KSK-2017) was added to sign the Root Zone DNSKEY resource record set. 


The Board of Directors for the ICANN has approved the plans for the root KSK rollover on October 11, 2018, at 4 PM UTC which was successfully implemented.


On January 11,2019 the old KSK key (KSK-2010) will be marked as revoked. By marking the old key as revoked, any system that uses RFC 5011 will see that KSK-2010 is no longer valid and will not trust that key in the future. The revocation mark will be visible until 22 March 2019, at which point KSK-2010 will be completely removed from the root zone forever.


Since only the KSK-2017 key is used for signing the root zone's key set starting October 11, 2018, no DNS service impact is expected.


Rolling over the KSK key means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers. This includes: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root's "trust anchor." The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet’s DNS.


Maintaining an up-to-date KSK is essential to ensuring DNSSEC-validating DNS resolvers continue to function following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve DNS queries, which would lead to an outage.


Currently, Infoblox NIOS does not support the “Automated Updates of DNS Security (DNSSEC) Trust Anchors” feature (RFC-5011) which would automatically update the key. Therefore, the new Root Zone KSK key must be added in one of two ways: either manually or through the provided hotfix binary.


Please refer to Infoblox Support KB # 5729 for the steps to update the new Root Zone KSK key to prevent potential DNS resolution issues.

Showing results for 
Search instead for 
Did you mean: