Important note: The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor do any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.

Implementation of RSSAC 003 Recommendations for the KSK signature validity


Resolution of the ICANN Board
Meeting Date: Thu, 15 Sep 2016
Resolution Number: 2016.09.15.01
Resolution Text:

Whereas, on 16 September 2015, the ICANN Root Server System Advisory Committee (RSSAC) published RSSAC003: Report on Root Zone TTLs.

Whereas, in RSSAC003, the report recommends that the Root Zone Management partners increase the signature validity periods for signatures generated by both the Key Signing Key (KSK) and the Zone Signing Key (ZSK). The report further recommends that the KSK signature validity should be increased to at least 21 days, ZSK signature validity should be increased to at least 13 days, and no further changes to Root Zone TTLs be made at this time.

Whereas, upon receiving RSSAC003, ICANN staff conducted a feasibility and cost analysis of increasing the KSK signature validity, and created a KSK implementation plan for review by the Board.

Whereas, the Board has considered the advice of the RSSAC in RSSAC003, in addition to the feasibility and costs of implementing the advice related to the KSK. The Board understands the Root Zone Maintainer is also considering the recommendations in RSSAC003 related to the ZSK.

Resolved (2016.09.15.01), the Board adopts the RSSAC advice for the KSK signature validity in RSSAC 003, and directs ICANN's President and CEO, or his designee, to proceed with implementing the KSK recommendations in RSSAC 003 in collaboration with the root zone management partners.

Rationale for Resolution: 

On 16 September 2015, the ICANN Root Server System Advisory Committee (RSSAC) published RSSAC003: Report on Root Zone TTLs. In this report, the RSSAC studies the TTLs (DNS "Time-To-Live" values) for the root zone and the extent to which the current root zone TTLs are still appropriate for today's Internet environment.

The report identified two potential problems related to the interaction between the root zone Start of Authority (SOA) Expire value and the root zone's signature validity periods, and recommends that they be addressed by the DNS operations community. In particular, the RSSAC recommends that the Root Zone Management partners increase the signature validity periods for signatures generated by both the Key Signing Key (KSK) and the Zone Signing Key (ZSK). KSK signature validity should be increased to at least 21 days. ZSK signature validity should be increased to at least 13 days.

The conditions under which the signature validity problems occur are very rare, have not occurred to date, and are unlikely to affect end users at this time. Thus, the RSSAC believes this issue is not urgent and should be addressed within a reasonable amount of time following an update of the necessary procedures documents and software testing.

Upon receiving RSSAC003, ICANN staff conducted a feasibility and cost analysis for implementing the KSK recommendation in RSSAC003, and created a KSK implementation plan with timelines and high-level milestones for review by the Board.

The Board has considered the advice of the RSSAC in RSSAC003, in addition to the feasibility and costs of implementing the advice related to the KSK, and adopts the RSSAC advice for the KSK signature validity in RSSAC 003. The Board also directs ICANN to proceed with implementing the KSK recommendations in RSSAC 003 in collaboration with the root zone management partners.

This is an operational issue that does not require public comment. There is no fiscal impact expected. The approval and implementation of the RSSAC recommendation will improve the security, stability, and resiliency of the domain name system.

The Board understands that NTIA has already agreed with Verisign, as the Root Zone Maintainer, that Verisign should change the signature validity period for the ZSK, and that work is scheduled to take place in September 2016.