The Internet Corporation for Assigned Names and Numbers (ICANN) announced today that it will replace the trust anchor of the Domain Name System (DNS) on October 11, 2026. This change is called a "key rotation" (rollover) and is regarded as an important step to maintain the long-term security, stability and resilience of the DNS.

The official name of the trust anchor is the DNS Security Extensions (DNSSEC) root zone key signing key (KSK). This cryptographic key is at the core of the DNSSEC trust system and is used to verify that DNS responses have not been tampered with during transmission, helping to ensure that Internet users receive authentic and reliable DNS data when accessing websites and online services. This rotation will replace the existing key with a new KSK to continue to maintain strong cryptographic protection for the global DNS.

ICANN manages the DNS root zone through its IANA function and coordinates this trust anchor rotation in partnership with the global Internet community. ICANN stated that it will publish the new KSK well in advance so that operators have enough time to update their systems and check whether their automatic trust anchor update mechanism is functioning properly, thereby minimizing the risk of disruption to network services. Kim Davies, Vice President of IANA Services under ICANN and President of Public Technical Identifiers (PTI), called this trust anchor rotation "a carefully coordinated process that helps safeguard the integrity of the DNS" and reminded DNS software operators to confirm, before the rotation, that their systems are correctly configured to trust the new key. ICANN emphasized that most ordinary Internet users will not experience significant changes in daily use, but it is crucial for operators of DNS resolution software to complete technical preparations in advance.

According to the schedule announced by ICANN, this rotation will be implemented in phases, starting in 2024 and continuing until the end of 2027. During this period, the current and next-generation KSK will remain valid simultaneously, leaving sufficient transition time for recursive resolvers. These recursive resolvers are typically operated by Internet service providers, businesses, and other organizations and are responsible for querying and validating DNS information on behalf of end users. According to the plan, the new KSK will start signing the root zone in October 2026, and the old key will be officially retired in January 2027. ICANN pointed out that this transition design aims to ensure that operators of different sizes and different technical conditions can complete the adaptation within the established window to avoid large-scale resolution failures.

ICANN specifically reminds operators of validating recursive resolvers, especially those still using manually configured trust anchors or running older software versions, to conduct a comprehensive review of their systems as soon as possible to confirm that they are ready for this rotation. ICANN warned that if these systems fail to update their trust anchors in time, DNS resolution failures may occur after the rotation date, leaving users unable to access some websites or online services. To mitigate these risks, operators are advised to test their automatic trust anchor update mechanism or, if necessary, manually import the new KSK to ensure that all critical steps are completed before the new key is enabled.

For more information about this KSK rollover, including operational guidelines and technical resources, ICANN has set up a dedicated page, the "ICANN KSK Rollover Information Page," on its official website to provide detailed instructions and supporting materials to the global DNS operation community. ICANN calls on all types of network infrastructure operators to follow the latest announcements, participate in community collaboration, and work together to complete this critical project, which is regarded as "the next major Internet security update."