
PowerDNS and the ICANN KSK roll

Oct 8, 2018 6:00:00 AM

The root KSK rollover is currently planned for 1600 UTC on the 11th of October 2018 – a few days from now. If you are using PowerDNS Recursor for DNSSEC validation, please keep reading!

During the KSK rollover, the root zone will stop using the old root Key Signing Key, known as KSK-2010 or 19036, and will start using the new Key Signing Key, known as KSK-2017 or 20326. Your Recursor needs to be aware of both keys to make sure validation keeps working after the rollover event.

If you are running Recursor 4.0.5 or up, both keys come preconfigured. If you are running an older 4.0.x version, it is possible your distribution has added the key for you.

In case of any doubt, verify you are ready:

# rec_control --socket-dir=. get-tas
Configured Trust Anchors:
.
19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d

The output should have both the 19036 and 20326 lines. If 20326 is missing, please upgrade your Recursor. If for some reason upgrading is not feasible for you right now, please follow the PowerDNS Recursor instructions that ICANN published. Those instructions involve a restart; if you want to avoid a restart this week, please see Runtime Configuration of Trust Anchors in the PowerDNS documentation.
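As an added readiness check (example code, not part of the original post or the PowerDNS project), the Python script below parses the get-tas output shown above and confirms that both root key tags are present with the expected algorithm and digest, so a hand-edited anchor with a mistyped digest is caught as well; the socket directory in the live call is an assumption.

```python
import subprocess
from typing import Dict, List, Tuple

# Expected root DS records, copied from the get-tas output in the post: keytag -> (algorithm, digest type, digest)
EXPECTED_ROOT_DS = {
    19036: (8, 2, "49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5"),
    20326: (8, 2, "e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d"),
}
# The get-tas output shown in the post, embedded so the check can be exercised offline.
SAMPLE_OK = """Configured Trust Anchors:
.
19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
"""

def parse_get_tas(output: str) -> Dict[str, Dict[int, Tuple[int, int, str]]]:
    """Map zone -> {keytag: (algorithm, digest_type, digest)} from get-tas output."""
    anchors: Dict[str, Dict[int, Tuple[int, int, str]]] = {}
    zone = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Configured Trust Anchors"):
            continue
        fields = line.split()
        if len(fields) == 1 and line.endswith("."):  # zone name line, e.g. "."
            zone = line
            anchors.setdefault(zone, {})
        elif zone is not None and len(fields) == 4:  # DS-style trust anchor line
            tag, algo, dtype, digest = fields
            anchors[zone][int(tag)] = (int(algo), int(dtype), digest.lower())
    return anchors

def root_ksk_problems(output: str) -> List[str]:
    """Return the problems found; an empty list means both root KSKs are configured correctly."""
    root = parse_get_tas(output).get(".", {})
    problems = []
    for tag, expected in EXPECTED_ROOT_DS.items():
        got = root.get(tag)
        if got is None:
            problems.append(f"keytag {tag} missing from root trust anchors")
        elif got != expected:
            problems.append(f"keytag {tag} present but algorithm or digest differs from expected")
    return problems

if __name__ == "__main__":
    # Live check against a running Recursor; the socket directory is an assumption for this example.
    out = subprocess.run(["rec_control", "--socket-dir=.", "get-tas"],
                         capture_output=True, text=True, check=True).stdout
    problems = root_ksk_problems(out)
    print("\n".join(problems) if problems else "both root KSKs configured, ready for the roll")
```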

In case of panic (in the unlikely event ICANN botches the roll, or the roll finds a bug in our software), you can run rec_control add-nta . "DNSSEC on root is broken" (the quoted text is the reason recorded with the Negative Trust Anchor) to disable DNSSEC validation immediately without restarting your daemon.

Should you have any trouble: if you are a supported customer, please reach out through the usual channels. Otherwise, contact us via our community channels.
