 |
Los AngelesMay 20, 2026 /PRNewswire/ — The Internet Corporation for Assigned Names and Numbers (ICANN) today announced plans to change the trust anchor of the Domain Name System (DNS) on October 11, 2026. This change, known as a “rollover,” is a critical step in maintaining the long-term security, stability, and resilience of the DNS.
The trust anchor is formally called the Domain Name System Security Extensions (DNSSEC) Root Zone Key Signing Key (KSK). The KSK is the core cryptographic key of the DNSSEC trust anchor, used to verify the legitimacy of DNS responses and ensure they have not been tampered with during transmission. DNSSEC helps ensure that internet users receive authentic DNS data when accessing websites and online services. The rollover process will replace the current KSK with a new one to maintain robust cryptographic security protections for the global DNS.
“The trust anchor rollover is a carefully coordinated process that helps safeguard the integrity of the DNS,” said Kim Davies, Vice President of Internet Assigned Numbers Authority (IANA) Services and President of Public Technical Identifiers (PTI). “While most internet users will not notice any changes, DNS software operators should confirm before the rollover that their systems are properly configured to trust the new key.”
ICANN manages the DNS root zone through its IANA function and coordinates the rollover in collaboration with partners in the global internet community. To minimize the risk of service disruption, ICANN is publishing the new KSK in advance, giving affected operators ample time to update their systems and verify that automatic trust anchor update mechanisms are functioning correctly.
The rollover process follows a phased implementation timeline, beginning in 2024 and concluding in 2027. During this period, both the current and new KSKs remain valid, providing time for recursive resolvers—systems operated by internet service providers, enterprises, and other organizations that query and verify DNS information on behalf of users—to adopt the new trust anchor before the new KSK begins signing the root zone in October 2026 and the old key is retired in January 2027.
Operators running validating recursive resolvers, especially those that manually configure trust anchors or use legacy software, are advised to review their systems and confirm readiness for this rollover. Failure to update systems in time may result in DNS resolution failures after the rollover date.
For more information on the KSK rollover, including operational guidance and technical resources, visit ICANN KSK Rollover Information Page.