Verisign has made available their paper analysing the KSK Root Rollover last year. Titled Roll, Roll, Roll Your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover, it provides an in-depth analysis of events occurring before, during and after the 2018 KSK rollover from multiple perspectives, to include that of root operators, resolver operators and end users.
It was the first-ever rollover of the cryptographic key, which plays a critical role in securing internet traffic worldwide. The ultimate success Verisign note of that endeavour was due in large part to outreach efforts by ICANN and Verisign which, when coupled with the tireless efforts of the global internet measurement community, ensured that this significant event did not disrupt internet name resolution functions for billions of end users.
A post on the Verisign blog notes that within any encryption protocol, it’s important to occasionally update cryptographic keys. In more discrete encryption environments, this process can be relatively simple, but in the case of DNSSEC, the sheer scale of the DNS – as well as the critical global importance of the DNS infrastructure and the tens of millions of globally distributed parties that rely on it – made this key rollover uniquely challenging.
Verisign note that they and others in the DNS community continue to study the successes and unexpected effects of the rollover (some of which were discussed in a blog post published earlier this year), with the goal of applying these insights to future rollovers.
To read the post on the Verisign blog in full, or to download the paper, go to: https://blog.verisign.com/security/recognizing-lessons-learned-from-the-first-dnssec-key-rollover-a-year-later/
ICANN has also published a Review of the 2018 DNSSEC KSK Rollover here [pdf].
The conference presentation, Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover is available to download, abstract and paper, here.