In late April 2025, the 57th DNS root signing ceremony took place at the US East Coast facility. Pia Gruvö, Ondřej Filip, Nomsa Mwayenga, and I attended as Cryptographic Officers.

This occasion was a standard ZSK signing process. The signed ZSK will be published in the third and fourth quarters of this year. We also continued the pre-publication of the new KSK. It’s important to remember that since we are in the middle of the KSK rollover process, we need to be careful to consider various scenarios, including emergency cases like the potential withdrawal of the new KSK. However, everything looks good for now. A study conducted by Duane Wessels of Verisign clearly shows that 90% of resolvers have adopted the new key after the one-month waiting period since it appeared in the root keyset in February 2025.

Graph of the percentage of resolvers seeing each KSK (image taken from the study "The 2024-2026 Root Zone KSK Rollover: Initial Observations and Early Trends")

During ceremony 57, a new version of the operating system and control tools for the HSMs, called coen v2.0.1, was used.

Again, it was an impeccable ceremony. Since I became a CO two years ago, it’s the first ceremony without any exceptions to the script!

In the DNS root keyset, we should have two KSKs (the current 20326 and the new 38696), the ZSK 53148 and its future replacement 46441 which will appear at the end of June; all signed by the current KSK 20326.

I wanted to take the opportunity to tell you that during the last LACNIC43 conference held in Sao Paulo, Brazil, I gave a presentation during the Technical Forum on the KSK key rollover, focused on ISP operators and companies that operate DNS resolvers, so that they are aware of the definitive moment in October 2026, and check their systems to verify that they already have the new KSK (both through automatic rollover via RFC 5011, and through updates to their operating systems or DNS software). I took the opportunity to present a tool (in beta state) that allows checking if your DNS provider is already prepared, using the sentinel technique from RFC 8509, available at https://test.kskroll.vulcano.cl/

You can watch the video of the presentation on the LACNIC channel with simultaneous translation into English, Portuguese or the original in Spanish. The slides are here (PDF 820KB, in Spanish).
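As an added illustration of the RFC 8509 sentinel technique mentioned above (this is not the code of the tool presented at LACNIC43), the sketch below builds the sentinel query names for the new KSK 38696 and classifies a resolver from the response codes it returns. The zone `example.com`, the `bogus` label and the sample response codes are assumptions constructed for the example; a real test needs a signed zone that actually publishes these names.

```python
"""RFC 8509 sentinel classification for the 2024-2026 root KSK rollover."""

NEW_KSK_TAG = 38696          # key tag of the new KSK, as given in the post
TEST_ZONE = "example.com"    # assumption: a signed zone publishing the sentinel names


def sentinel_names(key_tag, zone=TEST_ZONE, bogus_label="bogus"):
    """Build the three query names; RFC 8509 zero-pads the key tag to 5 digits."""
    if not 0 <= key_tag <= 65535:
        raise ValueError("key tag must fit in 16 bits")
    tag = f"{key_tag:05d}"
    return {
        "is_ta": f"root-key-sentinel-is-ta-{tag}.{zone}",
        "not_ta": f"root-key-sentinel-not-ta-{tag}.{zone}",
        "bogus": f"{bogus_label}.{zone}",  # hypothetical name with a broken signature
    }


def classify(rcodes):
    """Map the rcodes seen for the three queries to the RFC 8509 resolver type."""
    seen = tuple(
        "Y" if rcodes[q] == "NOERROR" else "F" if rcodes[q] == "SERVFAIL" else "?"
        for q in ("is_ta", "not_ta", "bogus")
    )
    return {
        ("Y", "F", "F"): "Vnew",  # validates, sentinel-aware, trusts the new KSK
        ("F", "Y", "F"): "Vold",  # validates, sentinel-aware, new KSK not loaded
        ("Y", "Y", "F"): "Vind",  # validates, but does not implement the sentinel
        ("Y", "Y", "Y"): "nonV",  # does not validate at all
    }.get(seen, "other")          # mixed resolvers, timeouts, anything else


VERDICT = {
    "Vnew": "ready for the rollover",
    "Vold": "will fail validation once only the new KSK signs the root keyset",
    "Vind": "validating, trust anchor state cannot be determined",
    "nonV": "not validating, unaffected by the rollover",
    "other": "inconclusive, repeat the test against each resolver separately",
}

# Constructed observations (not real measurements), one per resolver.
SAMPLES = {
    "resolver-a": {"is_ta": "NOERROR", "not_ta": "SERVFAIL", "bogus": "SERVFAIL"},
    "resolver-b": {"is_ta": "SERVFAIL", "not_ta": "NOERROR", "bogus": "SERVFAIL"},
    "resolver-c": {"is_ta": "NOERROR", "not_ta": "NOERROR", "bogus": "NOERROR"},
    "resolver-d": {"is_ta": "SERVFAIL", "not_ta": "SERVFAIL", "bogus": "NOERROR"},
}

if __name__ == "__main__":
    print(sentinel_names(NEW_KSK_TAG))
    for name, rcodes in SAMPLES.items():
        print(f"{name}: {classify(rcodes)} ({VERDICT[classify(rcodes)]})")
```

Operators whose resolver classifies as Vold are the ones who need to act before October 2026; a Vind result means the trust anchors have to be checked directly on the resolver.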

