The DNSSEC root key is changing to a new key

Solution In Progress - Updated -


ICANN is planning to perform a Root Zone Domain Name System Security Extensions (DNSSEC) KSK rollover, as required in the Root Zone KSK Operator DNSSEC Practice Statement.

The Key Signing Key (KSK), or DNSSEC root key, is changing to a new key, and this key must be hard coded in DNS software that supports DNSSEC. For RHEL customers, that means the bind and unbound packages, in scenarios where you provide DNSSEC-validating name resolution services in your environment.

Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root's "trust anchor." The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS.

Maintaining an up-to-date DNSSEC root key is essential to ensuring that DNSSEC-validating DNS resolvers continue to function following the rollover. Without the current root zone DNSSEC root key, DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.
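One way to check that a resolver's trust anchor already lists the new key is to compute the key tag of every root DNSKEY in it and look for the expected tag. The sketch below is an added example, not Red Hat's or ICANN's code. It assumes the anchor is available as zone-file style DNSKEY lines, that the expected tag comes from ICANN's published trust anchor, and it uses constructed four-byte placeholder keys rather than real root keys.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF          # fold the carry back in
    return acc & 0xFFFF

def parse_dnskeys(text):
    """Yield (owner, flags, algorithm, tag) for each DNSKEY line in text."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        if len(fields) < i + 5:                  # incomplete record
            continue
        flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        yield fields[0], flags, alg, key_tag(flags, proto, alg, pubkey)

def active_root_ksk_tags(text):
    """Tags of root keys with SEP set (0x0001) and REVOKE clear (0x0080)."""
    return sorted(tag for owner, flags, _, tag in parse_dnskeys(text)
                  if owner == "." and flags & 0x0001 and not flags & 0x0080)

def anchor_ready(text, expected_tag):
    """True if the anchor holds a usable root KSK with the expected tag."""
    return expected_tag in active_root_ksk_tags(text)

# Constructed sample anchor: placeholder keys, NOT real root zone keys.
SAMPLE = """\
; constructed trust anchor for illustration
.  172800  IN  DNSKEY  257 3 8 AQIDBA==   ; stands in for the old KSK
.  172800  IN  DNSKEY  257 3 8 //79/A==   ; stands in for the new KSK
.  172800  IN  DNSKEY  256 3 8 CgsMDQ==   ; a ZSK, ignored by the check
"""

if __name__ == "__main__":
    print("active root KSK tags:", active_root_ksk_tags(SAMPLE))
    print("placeholder new key present:", anchor_ready(SAMPLE, 517))
```

A key carrying the REVOKE flag is excluded because a validator no longer trusts it, so an anchor holding only a revoked copy of the old key is reported as not ready.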

ICANN has created an informational video on Preparing Your Systems for the Root KSK Rollover.


  • Red Hat Enterprise Linux 7
    • bind
    • unbound
  • Red Hat Enterprise Linux 6
    • bind
    • unbound
  • Red Hat Enterprise Linux 5
    • bind97
