Please read the below message from HKIRC
Subject: ALERT: Urge Action on Root Zone Key Signing Key (KSK) Change (KSK Rollover scheduled on 11 Oct 2018)
– Chinese version follows the English –
We are writing to inform you of the schedule of the root zone key signing key (“KSK”) change to be conducted by The Internet Corporation for Assigned Names and Numbers (“ICANN”) in October 2018. ICANN is an accountable and independent global organization striving to ensure a stable and secure global Internet by managing the highest level of the domain name system (DNS), called the root zone. We would be grateful if you could circulate this email to your members and business partners so that they can inform their DNS administrators and technical teams to take action and upgrade their systems accordingly to ensure smooth Internet access for users.
Back in 2017, ICANN announced the plan to roll, or change, the “top” pair of cryptographic keys used in the Domain Name System Security Extensions (“DNSSEC”) protocol, commonly known as the root zone key signing key (“KSK”). As every Internet query using DNSSEC depends on the root zone KSK for validating the destination, this will be a significant change. Operators of validating resolvers, especially ISPs, shall update their systems with the new key before the rollover takes place. This ensures that when users attempt to visit a website, the resolver will be able to validate queries against the new KSK. ICANN has scheduled the KSK rollover for 11 October 2018.
This is the first time the root zone KSK has been changed since DNSSEC was enabled in 2010. If you have enabled DNSSEC validation, you must update your system with the new KSK to ensure smooth Internet access for users. Please refer to ICANN’s Quick Guide below for an overview and key milestones:
Changing the key involves generating a new cryptographic key pair and distributing the new public component to DNSSEC-validating resolvers. ICANN generated and published the new keys on 11 July 2017. Operators should update at any time prior to the rollover using the new root KSK. However, if you have NOT enabled DNSSEC, your system will not be affected by this rollover.
HKIRC urges all concerned parties to take immediate action to check whether their systems are ready for the new KSK and to install the new KSK accordingly.
ICANN has published several guides addressing KSK rollover. Operators of validating resolvers may find the references below useful:
Checking the Current Trust Anchors in DNS Validating Resolvers
Updating of DNS Validating Resolvers with the Latest Trust Anchor
What To Expect During the Root KSK Rollover
For more details of the Root Zone KSK rollover, please visit https://www.icann.org/kskroll
If you have any questions, please contact us at firstname.lastname@example.org or +852 2319 2303.
Thank you for your attention.
Hong Kong Internet Registration Corporation Limited
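Re: Important Notice: "Root Zone DNSSEC Key Signing Key (KSK) Rollover Scheduled for 11 October 2018"
Hong Kong Internet Registration Corporation Limited (“HKIRC”) would like to inform you that the Internet Corporation for Assigned Names and Numbers (“ICANN”) will conduct the root zone key signing key rollover on 11 October 2018 (
If you have any questions, please contact us by email at email@example.com or by phone at +852 2319 2303.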