# Heads up, the DNSSEC key (KSK) rollover for the root zone is scheduled to happen on October, 11



## obsigna (Oct 4, 2018)

See: https://www.icann.org/resources/pages/ksk-rollover

This may affect everybody who runs a recursive resolver. In case only the old key (id 19036) is present, DNS requests to the root zone would fail starting on said date. Our resolvers need to know the new key (id 20326) as well.

I cannot tell anything for Bind. For Unbound, we may want to check, that in unbound.conf(5) the setting auto-trust-anchor-file is defined - here it is:

```
...
auto-trust-anchor-file: /var/unbound/root.key
...
```

And in addition, that /var/unbound/root.key really lists both keys as valid, i.e. the new and the old one:

```
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1538658969 ;;Thu Oct  4 10:16:09 2018
;;last_success: 1538658969 ;;Thu Oct  4 10:16:09 2018
;;next_probe_time: 1538698557 ;;Thu Oct  4 21:15:57 2018
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.    172800    IN    DNSKEY    257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1511246394 ;;Tue Nov 21 04:39:54 2017
.    172800    IN    DNSKEY    257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1508640056 ;;Sun Oct 22 00:40:56 2017
```


----------



## ShelLuser (Oct 4, 2018)

This is one of the reasons why I keep DNSSEC disabled on my servers; a small misconfiguration or oversight (such as an expired key) on a remote server can easily disrupt your resolving or render a locally signed domain invalid. In my opinion the possible pro's don't outweigh the con's.


----------

