The DNSSEC root key is changing to a new key
Issue
ICANN is planning to perform a Root Zone Domain Name System Security Extensions (DNSSEC) KSK rollover as required in the Root Zone KSK Operator DNSSEC Practice Statement
The Key Signing Key(KSK) or DNSSEC root key, is changing to a new key and this key is required to be hard coded in the DNS software supporting DNSSEC. For RHEL customers that means the bind and unbound packages in scenarios where you are providing DNSSEC-validating name resolution services in your environment.
Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root's "trust anchor." The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS.
Maintaining an up-to-date DNSSEC root key is essential to ensuring DNSSEC-validating DNS resolvers continue to function following the rollover. Failure to have the current root zone DNSSEC root key will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.
ICANN has created an informational video on Preparing Your Systems for the Root KSK Rollover
Environment
-
Red Hat Enterprise Linux 7
- bind
- unbound
-
Red Hat Enterprise Linux 6
- bind
- unbound
-
Red Hat Enterprise Linux 5
- bind97
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.