DNSSEC Root Zone Key Signing Key Recommendations published by ICANN
ICANN has published a report with a set of recommendations for changing the DNSSEC root zone Key Signing Key (KSK). As explained by ICANN, the process of changing the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties including Internet service and other DNS resolver operators, DNS resolver software developers, integrators, and distributors. The KSK is used to cryptographically sign the Zone Signing Key, which is used to sign the root zone of the Domain Name System. Obtaining the new key is essential to ensuring DNSSEC-signed domain names continue to validate following the rollover.