The key signing key (KSK) rollover for DNS is now complete
After the first KSK rollover in October 2018, ICANN has finished the process and revoked the old 2010 key from the root zone.
The KSK helps protect the domain name system (DNS) and overall Internet security. This change was essential to upgrade the KSK, the top pair of public and private cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol, which secures the Internet’s foundational servers.
Before removing KSK-2010 from the root zone altogether, ICANN will mark that key as revoked for all the resolvers that follow the ‘Automated Updates of DNSSEC Trust Anchors’ standard (RFC 5011). Any system that uses RFC 5011 will not trust that key in the future.
The revocation mark will be visible until 22 March 2019; after this date, KSK-2010 will be completely removed from the root zone.
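The revocation mark that RFC 5011 resolvers act on is the REVOKE bit (0x0080) in the DNSKEY flags field. The sketch below is an added example, not ICANN's or any resolver's code: it parses a DNSKEY RRset and drops any configured trust anchor that the zone now publishes as revoked. The key material is short constructed placeholder data, not the real root keys, and the RRset is assumed to have already passed DNSSEC signature validation (RFC 5011 only honours a revocation that is self-signed by the revoked key).

```python
import base64
from dataclasses import dataclass

REVOKE = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY flags field
SEP = 0x0001     # Secure Entry Point bit (flags 257 = ZONE|SEP, 385 adds REVOKE)

@dataclass(frozen=True)
class DnsKey:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def revoked(self) -> bool:
        return bool(self.flags & REVOKE)

    def key_tag(self) -> int:
        # RFC 4034 Appendix B checksum over the DNSKEY RDATA.
        rdata = (self.flags.to_bytes(2, "big")
                 + bytes([self.protocol, self.algorithm]) + self.public_key)
        acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
        return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_dnskey(line: str) -> DnsKey:
    # Presentation format: <owner> <ttl> IN DNSKEY <flags> <proto> <alg> <base64>
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return DnsKey(flags, proto, alg, base64.b64decode("".join(fields[i + 4:])))

def apply_revocations(anchors, rrset):
    """Split anchors into (kept, dropped) given an already-validated RRset.

    Keys are matched on algorithm and public key, because setting the
    REVOKE bit changes the key tag of the same key.
    """
    revoked = {(k.algorithm, k.public_key) for k in rrset if k.revoked}
    kept = [a for a in anchors if (a.algorithm, a.public_key) not in revoked]
    dropped = [a for a in anchors if (a.algorithm, a.public_key) in revoked]
    return kept, dropped

# Constructed sample data: an "old" key published with flags 385 and a "new" key.
SAMPLE_RRSET = [parse_dnskey(l) for l in (
    ". 172800 IN DNSKEY 385 3 8 AQIDBA==",
    ". 172800 IN DNSKEY 257 3 8 BQYHCA==",
)]
SAMPLE_ANCHORS = [parse_dnskey(". 0 IN DNSKEY 257 3 8 AQIDBA=="),
                  parse_dnskey(". 0 IN DNSKEY 257 3 8 BQYHCA==")]

if __name__ == "__main__":
    kept, dropped = apply_revocations(SAMPLE_ANCHORS, SAMPLE_RRSET)
    print("kept:", [k.key_tag() for k in kept],
          "dropped:", [k.key_tag() for k in dropped])
```

Because the flags are part of the checksummed RDATA, the revoked copy of a key carries a key tag 128 higher than the original, which is why log lines for the same key show two different tags during the revocation window.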