[DNSSEC-Ops] KSK Rollover

Amreesh Phokeer amreesh at afrinic.net
Thu Sep 20 09:01:56 UTC 2018

Dear Tosin,

Thank you for reaching out.

> On 17 Sep 2018, at 15:03, Tosin Oludare (Coollink) <ooluwatosin at coollink.ng> wrote:
> We are an ISP in Nigeria and a member of AFRINIC. We received an update on the impending rollover to KSK DNSSEC, and we would like to know what we need to do on our DNS servers.
> Our DNS server runs on BIND 9 CentOS and we have public IPs.

You should be concerned only if you are operating a DNSSEC-validating resolver and your clients are using this resolver to do DNS resolution,
i.e. in your BIND configuration:

dnssec-validation auto;

If so, you are probably using managed-keys in BIND. You can do the verification by running rndc managed-keys status; you would see the new key marked as ‘added’ after the July 2017 publication.

After 11 October 2018:
Be on the lookout for DNSSEC validation failures when the key in use changes to the new key.

However, if you are running authoritative services with BIND, or a resolver that is not doing DNSSEC-validation, you should not see an impact.

Hope that helps.
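
The check described in the message above, as an added example that is not part of the original e-mail: a script that reads the text of rndc managed-keys status and reports whether the new root KSK is trusted. The key ids 20326 (KSK-2017) and 19036 (KSK-2010) are the published root key tags rather than values from the message, and the sample output is constructed, with its layout assumed to follow BIND 9.11.

```shell
#!/bin/sh
# Added example: read `rndc managed-keys status` text and report the
# RFC 5011 trust state of the root zone KSKs.

# ksk_state KEYID: status text on stdin; prints trusted, pending or missing.
# "pending" wins if any view still has the key in its hold-down period.
ksk_state() {
    awk -v want="$1" '
        $1 == "name:"  { zone = $2; id = "" }
        $1 == "keyid:" { id = $2 }
        zone != "." || id != want { next }
        $1 == "trusted" && $2 == "since:"   { trusted = 1 }
        $1 == "trust"   && $2 == "pending:" { pending = 1 }
        END { print (pending ? "pending" : (trusted ? "trusted" : "missing")) }
    '
}

# check_rollover: status text on stdin; succeeds only if KSK-2017 is trusted.
check_rollover() {
    status=$(cat)
    new=$(printf '%s\n' "$status" | ksk_state 20326)   # KSK-2017
    old=$(printf '%s\n' "$status" | ksk_state 19036)   # KSK-2010
    echo "KSK-2017 (20326): $new, KSK-2010 (19036): $old"
    [ "$new" = "trusted" ]
}

# Constructed sample (dates invented); layout assumed to follow BIND 9.11.
SAMPLE_STATUS='view: _default
next scheduled event: Thu, 20 Sep 2018 21:14:07 GMT

    name: .
    keyid: 19036
        algorithm: RSASHA256
        flags: SEP
        next refresh: Thu, 20 Sep 2018 21:14:07 GMT
        trusted since: Mon, 02 Jan 2017 08:00:00 GMT
    keyid: 20326
        algorithm: RSASHA256
        flags: SEP
        next refresh: Thu, 20 Sep 2018 21:14:07 GMT
        trusted since: Fri, 11 Aug 2017 08:00:00 GMT'

# On a resolver: rndc managed-keys status | check_rollover
printf '%s\n' "$SAMPLE_STATUS" | check_rollover
```

A result of "pending" or "missing" for 20326 on a validating resolver means the new key is not yet a trust anchor and validation would fail once the root zone is signed with it.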

