SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

ICANN sets the October 2026 DNS trust anchor rollover

Fri, 5th Jun 2026

ICANN has announced a change to the Domain Name System trust anchor, with the update scheduled for October 2026.

The change affects the cryptographic key known as the DNS Security Extensions root zone Key Signing Key, or KSK, which sits at the centre of the system used to verify DNS data.

The rollover is part of maintaining the security of the global Domain Name System, the infrastructure that directs internet users to websites and online services. ICANN manages the DNS root zone through its Internet Assigned Numbers Authority functions and is coordinating the update with partners across the internet community.

DNSSEC is designed to help ensure DNS responses are authentic and have not been altered in transit. The trust anchor is the reference point software uses to validate those responses, so replacing the key has operational consequences for providers that run validating DNS systems.

Most internet users are not expected to notice any direct change. The main operational burden falls on operators of validating recursive resolvers, including internet service providers, businesses and other organisations whose systems look up and verify DNS information on behalf of users.

Operators have been given a long preparation window. The phased implementation began in 2024 and will conclude in 2027, with both the current and new KSK remaining valid during the transition. Under that timetable, the new key will begin signing the root zone in October 2026, while the current key is due to be retired in January 2027.

The overlap is intended to reduce the risk of disruption by giving operators time to update systems and check that automatic trust anchor update processes are working correctly. Organisations that rely on manually configured trust anchors or older software should review their setups carefully.

If those systems are not updated in time, DNS resolution failures could follow after the rollover. Affected users may struggle to reach websites or online services because their systems would no longer trust the signatures used to validate DNS data from the root zone.

The move marks another step in a process closely watched by the technical community because the DNS root sits at the top of the internet's naming hierarchy. Changes to the root trust anchor are rare and require planning across software vendors, network operators and infrastructure providers whose systems depend on the integrity of DNSSEC validation.

Kim Davies, Vice President, Internet Assigned Numbers Authority Services and President of Public Technical Identifiers, outlined the purpose of the update and the need for operators to prepare.

"The trust anchor rollover is a carefully coordinated process that helps safeguard the integrity of the DNS," Davies said.

He also stressed the need for system checks before the transition takes effect.

"While most internet users will not notice any change, operators of DNS software should confirm that their systems are properly configured to trust the new key ahead of the rollover," Davies said.

ICANN was formed in 1998 and oversees parts of the internet's system of unique identifiers, including the coordination of domain names and numbering resources. Within that remit, the DNS root zone is one of the most sensitive areas because it underpins the naming system used globally to locate online resources.

The KSK is not a public-facing feature of the internet, but it plays a central role in DNSSEC's chain of trust. By signing the root zone's key material, it allows validating resolvers to confirm that lower-level DNS information can be trusted. Replacing it periodically is part of standard cryptographic hygiene, particularly because long-lived keys can pose greater security risks over time.

For operators, the issue is less about internet governance in theory than the practical need to ensure resolver software recognises the incoming trust anchor. Organisations with older configurations, or those that rely on manual intervention rather than automated updates, face the greatest risk of service issues if they fail to act before the current key is withdrawn.
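A check of the kind described above, as an added example that is not from ICANN or the article: it reads the text of a resolver's trust anchor file, computes each DNSKEY's key tag as defined in RFC 4034 Appendix B, and reports whether a non-revoked KSK with the expected tag is present. The file layout (one DNSKEY record per line in zone-file format), the function names and the sample keys are assumptions constructed for illustration; the expected tag would come from the trust anchor IANA publishes.

```python
import base64

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(text):
    """Return [(flags, algorithm, tag)] for each well-formed DNSKEY line."""
    keys = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop zone-file comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        try:
            flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
            pub = base64.b64decode("".join(fields[i + 4:]), validate=True)
            keys.append((flags, alg, key_tag(flags, proto, alg, pub)))
        except (ValueError, OverflowError):
            continue                             # malformed record: ignore it
    return keys

def trusts_ksk(text, expected_tag):
    """True if a KSK (SEP bit set) with this tag is present and not revoked."""
    SEP, REVOKE = 0x0001, 0x0080
    return any(tag == expected_tag and flags & SEP and not flags & REVOKE
               for flags, _alg, tag in parse_dnskeys(text))

# Constructed sample, NOT real root zone keys.
SAMPLE = """\
; constructed trust anchor file
.  172800  IN  DNSKEY  257 3 8 AQIDBA==   ; active KSK
.  172800  IN  DNSKEY  385 3 8 AQIDBA==   ; same key with REVOKE bit set
.  172800  IN  DNSKEY  256 3 8 AQIDBA==   ; ZSK, not a trust anchor
"""

if __name__ == "__main__":
    for flags, alg, tag in parse_dnskeys(SAMPLE):
        print(f"flags={flags} alg={alg} tag={tag}")
    print("expected KSK trusted:", trusts_ksk(SAMPLE, 2063))
```

During the overlap period a correctly updated resolver would pass this check for both the current and the new KSK tag.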

The timetable also gives software and infrastructure teams time to test for compatibility problems across networks where DNS validation is active. In large organisations, that can involve checks of resolver fleets, internal DNS infrastructure and external-facing services that depend on uninterrupted name resolution.

The new KSK will be published well in advance so affected operators can complete those checks before the rollover takes place. The old key is due to be retired in January 2027.