
It’s Hard To Change The Keys To The Internet And It Involves Destroying HSM’s

What's this blog post about?

The Domain Name System (DNS) tree has been using DNSSEC to protect zone content since 2010, publishing cryptographic signatures alongside DNS records so that resolvers can validate them. The root zone is signed with a 2048-bit RSA "Trust Anchor" key, which is currently used to establish the chain of trust in the public DNS. However, rolling the Key Signing Key (KSK) has never been attempted because of its potential impact on the functioning of the internet. A KSK rollover involves generating a new key, updating every part of the DNS infrastructure that needs it, and retiring the old key completely. This is considered a risky operation: if it goes wrong, it could leave the root zone's signatures invalid, meaning validating resolvers would trust none of the root zone's content, effectively knocking DNS offline for a large part of the internet. The KSK rollover has been postponed because some implementations failed to pick up the new Trust Anchor.

Company
Cloudflare

Date published
Feb. 6, 2018

Author(s)
Ólafur Guðmundsson

Word count
2540

Language
English

Hacker News points
None found.


By Matt Makai. 2021-2024.