DNSSEC Root KSK Rollover Oct 11

I have seen nothing from Cloudflare about the Oct 11 Rook KSK Rollover. Is there anything that we need to do if we are using DNSSEC on our Cloudflare hosted domains? The only article from Cloudflare I have found related to this is https://blog.Cloudflare.com/its-hard-to-change-the-keys-to-the-internet-and-it-involves-destroying-hsms/ and that is 7 months old.

1 Like

Nope, not at all.

Cloudflare may have their DNSSEC configuration properly set up for the rollover, but let’s say I have a commercial site domain using DNSSEC through Cloudflare and my customer, Bob, tries to visit my site on the 11th after the rollover but the DNS resolver that Bob uses (e.g. from the ISP that serves his home) is not compliant with the new KSK key.

Will Bob’s request to visit my site resolve in this case?

I’m not very familiar with this tech, but would it be possible to test by setting forward the clock?

If a resolver is misconfigured, it will totally stop working (except for queries that set the CD bit to disable DNSSEC validation) a while after the KSK rollover.

It won’t be able to resolve your secure domains.

It won’t be able to resolve your insecure domains.

It won’t be able to resolve anything else.


It seems it’s still on for the 11th at 1600UTC. It’s an interesting process for those that haven’t seen it and hoping there is a live stream again this year.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.