1. Root Zone KSK: After 5 years Elise Gerich | APNIC 40 | September 2015

2. | 2  Where are we today  Roll (change) the Root Key Signing Key (KSK)  Getting to a plan Agenda

3. | 3  Root Zone KSK (Key Signing Key)  The trust anchor in the DNSSEC hierarchy  Has been in operation since June 2010  Root Zone Partners  ICANN  Verisign  USG Dept of Commerce NTIA  "After 5 years of operation"  Created Design Team to propose plan for rollover of root KSK  Target for delivery of plan in fall of 2015 Where are we today

4. | 4 Design Team Members  Volunteer Team Members  Joe Abley  John Dickinson  Ondrej Sury  Yoshiro Yoneya  Jaap Akkerhuis  Geoff Huston  Paul Wouters  Root Zone Partners

5. | 5 What is …  KSK  Key-Signing Key signs DNSKEY RR set  Root Zone KSK  Public key in DNS Validator Trust Anchor sets  Copied everywhere - "configuration data"  Private key used only inside Hardware Security Module (HSM)  Impact of root KSK rollover  Large impact on those validating  A new root KSK has to be updated everywhere  Other KSK rolls inform the parent (or DLV)  Mitigated by RFC5011's trust anchor management

6. | 6 Planning Approach  Current Volunteer Design Team  Study, discussion through July  Present draft report for ICANN Public Comment  https://www.icann.org/public-comments/root- ksk-2015-08-06-en  Present final report ~ one month after Public Comment Period closes

7. | 7 Feedback Welcome  Input to the Public Comment  https://www.icann.org/public-comments/root- ksk-2015-08-06-en  Input to Design Team Members  Input during Q&A after Geoff’s presentation

8. | 8 Thank you!