SURFnet monitors impact of Root KSK Rollover in Root Canary Project

05 JUL 2017

DNSSEC validates digital signatures in the DNS by using the Root Key Signing Key (Root KSK). During the course of 2017/2018, this key will be upgraded for the first time. SURFnet, together with five other institutions, is monitoring and analysing the impact of this upgrade as part of the Root Canary Project.

Root KSK Rollover

DNS is an essential component of the Internet's infrastructure. It converts readable information (e.g. www.example.com) into information that can be processed by computers (e.g. 93.284.216.34). DNSSEC was developed to improve the security of DNS based on the use of digital signatures. Using a key known as the Root KSK, these signatures can be used to verify the authenticity and integrity of DNS data. This key was introduced in July 2010. During the course of 2017/2018, it will be replaced by a new key during the Root KSK Rollover.

Root Canary Project

The Root Canary Project is a collaboration between SURFnet and the University of Twente, Northeastern University, NLnet Labs, RIPE NCC and ICANN. We are monitoring the impact of the Root KSK Rollover throughout the process, from the introduction of the new key in July 2017 to the removal of the old one in March 2018. We can respond quickly in the event of a problem. It is crucial that any problems during the Root KSK Rollover are identified at an early stage. This is because if something goes wrong on the DNS resolvers (which are dependent on the key to verify signatures), they can be rendered unusable for end users.

We will analyse all the measurements we perform. These results can be used by the entire Internet community for similar projects in the future.

More information