APNIC measures adoption of KSK-2024 as the DNS root DNSSEC trust anchor ahead of the planned October 2026 KSK rollover from KSK-2017.
Key Takeaways
KSK-2024 was published by IANA in July 2024 and added to the root zone DNSKEY RR in January 2025; the active rollover from KSK-2017 happens October 2026.
By March 2025, ~90% of RFC 8145 reporting resolvers had added KSK-2024 to their trust anchor set, but that count excludes non-reporting resolvers and says nothing about end-user population coverage.
RFC 8509 Key Sentinel queries via APNIC’s ad-based measurement flip the signal toward end users, measuring the share of users behind DNSSEC-validating resolvers that have NOT yet loaded KSK-2024.
~0.5% of resolvers still trusted the revoked KSK-2010 as of March 2025, likely from stale OS software bundles – a concrete warning about TA hygiene at long key lifetimes.
Root KSK lifetimes of ~8 years are long enough to warrant post-quantum planning; most DNSSEC keys rotate in months, but the root KSK has no upper-layer mechanism to force rapid rollover.
