ICANN’s October 2026 DNS Trust Anchor Rollover: What UK Businesses Need to Know
On 20 May 2026, ICANN announced that the Domain Name System will undergo a major cryptographic update on 11 October 2026. The update, known as the Key Signing Key (KSK) rollover, is one of the most significant maintenance events on the internet’s underlying security infrastructure. Most users will never notice, but some business websites and email systems will simply stop working unless the people running them do a small amount of preparation between now and the autumn. This article explains, in plain English, what the rollover is, who is affected and what you should ask your IT team, hosting provider or WordPress development partner to confirm before the deadline.
What is changing on 11 October 2026
The DNS, or Domain Name System, is what turns a name like prioritypixels.co.uk into a numerical IP address your browser can connect to. DNSSEC is the layer of security that proves the answer your computer received is genuine and has not been tampered with by an attacker on the network.
At the root of the DNSSEC system sits a single cryptographic key, known as the root zone Key Signing Key. This key is the ultimate trust anchor for everything else. Every DNSSEC-validating resolver on the internet has a copy of this key built in, and uses it to verify that every other key on the DNSSEC chain is legitimate. ICANN is replacing this key in October 2026.
The new key has been published since January 2025 and has been visible in the DNS for around eighteen months. October 2026 is when it starts being used to sign the root zone. The old key is then retired in January 2027.
Why most people will not notice
Quoted by Security Brief UK following the announcement, ICANN was clear that most internet users will not notice any direct change. For the vast majority of UK businesses using a modern, well-maintained DNS service, the rollover is invisible. The major public DNS resolvers run by Google, Cloudflare and Quad9, as well as the resolvers used by most UK internet service providers, have automated trust anchor update mechanisms (defined in RFC 5011) that have already picked up the new key and will switch over automatically.
Verisign, one of the organisations that operates the root server infrastructure, has been publishing observations on the rollout. In a blog post on initial observations, Verisign described the staged approach as deliberately conservative, designed so that the wider internet ecosystem has time to adopt the new trust anchor without anyone needing to make a synchronised switch.
Who needs to take action
The risk is not for end users. It is for operators of validating recursive resolvers, which means:
- In-house IT teams running their own DNS infrastructure for internal use
- Hosting providers and ISPs running DNS resolvers for customer traffic
- Software vendors whose products bundle a hardcoded list of DNSSEC trust anchors
- Anyone with an old DNS resolver that has not been updated in several years, particularly anything manually configured with a fixed trust anchor rather than relying on automatic updates
ICANN’s release flags this directly. Operators with manually configured trust anchors or older software are the most exposed. If a resolver does not learn about the new key in time, it will lose the ability to validate DNS responses after the October 2026 cutover, and any DNSSEC-signed domain (which is a large and growing share of the internet) will appear broken from that resolver’s perspective.
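To make "manually configured trust anchor" concrete, here is the exposed setting beside the safe one for two common open-source resolvers, BIND 9 (named.conf) and Unbound (unbound.conf). This is an added illustration, not text from ICANN's announcement or either project's documentation; the key material is a placeholder, and the file paths are typical defaults that vary by distribution.

```conf
## BIND 9 (named.conf) -- EXPOSED: a static anchor pinned to one key.
## static-key is never updated, so the resolver cannot learn the 2026 KSK.
## (On BIND older than 9.16 the equivalent block is called "trusted-keys".)
options {
    dnssec-validation yes;
};
trust-anchors {
    . static-key 257 3 8 "<BASE64-OF-ROOT-KSK-PLACEHOLDER>";
};

## BIND 9 (named.conf) -- SAFE: use the built-in root anchor and let
## RFC 5011 automatic updates track the rollover.
options {
    dnssec-validation auto;
};
## (If you must supply the anchor yourself, "initial-key" instead of
## "static-key" also enables RFC 5011 tracking; it is only a starting point.)

## Unbound (unbound.conf) -- EXPOSED: a read-only anchor file.
server:
    trust-anchor-file: "/etc/unbound/root.key"

## Unbound (unbound.conf) -- SAFE: a managed anchor file that Unbound
## rewrites itself as new keys appear. The file must be writable by the
## unbound user, otherwise the update silently cannot be saved.
server:
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
```

A quick way to tell which situation you are in on BIND is `rndc managed-keys status`, which lists the anchors the resolver is tracking and whether a new key has been accepted; on Unbound, inspect the anchor file named by `auto-trust-anchor-file` and confirm it contains more than one root DNSKEY line. A resolver whose only anchor is the key it shipped with years ago is the case this article is warning about.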
In practice, this means an end user’s web browser or email client will see DNS resolution failures. Websites will appear to be down. Email will bounce. The fault sits with the resolver, not the affected domain.
What can break, in practical terms
Your risk profile depends almost entirely on how much of your DNS stack you have built yourself versus how much you rent. For businesses outsourcing to a major hosting provider or cloud DNS service, the practical risk is essentially zero, because the provider has already done the trust anchor work on your behalf. For businesses running anything in-house, the picture is more nuanced and worth a closer look.
If you run a UK business and your IT setup has not been touched in a while, the failure modes worth considering are:
- Old on-premise DNS servers with hard-coded DNSSEC keys, particularly older Windows Server installations that have not been brought up to current patch levels
- Embedded systems or network appliances with built-in DNS resolution and no automatic trust anchor update
- Custom-built infrastructure where someone, somewhere, deliberately set a static trust anchor and is no longer at the company to remember they did so
- Software products with bundled DNSSEC libraries that have not been updated since before 2024
For the average small or mid-sized UK business using modern cloud-hosted DNS (Cloudflare, AWS Route 53, Google Cloud DNS or similar), there is no realistic risk. For larger organisations with self-hosted or hybrid DNS infrastructure, this is a real audit item for the next four months and one that sits alongside other items on any good technical SEO and infrastructure review. If your WordPress build sits on managed WordPress hosting, your provider is almost certainly already handling this.
What to check before October 2026
A simple checklist for any business reading this and uncertain whether they are exposed:
1. Confirm who manages your DNS. Identify whether responsibility sits with your hosting provider, a managed DNS service or an internal team. If you cannot answer that question quickly, that itself is a signal worth investigating.
2. Identify any in-house DNS resolvers. List every internal resolver, including Active Directory DNS, on-premise BIND servers and network appliances with their own resolution logic. Shadow IT systems that handle their own DNS lookups belong on the same list.
3. Confirm automatic trust anchor updates are enabled. Modern DNS resolver software such as BIND 9.11+, Unbound, Knot Resolver and Microsoft DNS supports RFC 5011 automatic updates. Older or manually configured installations may not.
4. Patch and update. Anything running DNSSEC resolution that has not been touched in two or three years is the most likely failure point and the first place to focus remediation effort. Vendor security advisories from 2024 onwards are the relevant baseline.
5. Test before October. ICANN provides operational guidance and technical resources for verifying readiness ahead of the cutover. Running a verification pass in late summer leaves enough time to fix anything that surfaces.
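The checklist's third and fifth steps amount to one question: does every root Key Signing Key currently published in the DNS appear in your resolver's trust anchor set? The script below is an added example (not ICANN's or any vendor's tooling) that answers it offline. It computes DNSSEC key tags exactly as RFC 4034 Appendix B defines them, picks out the KSKs (flags 257) from a set of root DNSKEY records, and compares their tags against the tags your resolver is configured to trust. The DNSKEY records embedded here are constructed sample data with tiny fake keys, not real root zone keys; in practice you would paste in the output of `dig . DNSKEY` and the tags listed by your resolver's anchor file or `rndc managed-keys status`.

```python
"""Audit a resolver's DNSSEC trust anchors against the root KSKs actually published.

Added example for this article; not ICANN's, ISC's or NLnet Labs' code.
Input is presentation-format DNSKEY text, either the full form
". 172800 IN DNSKEY 257 3 8 <base64>" or the bare "+short" form
"257 3 8 <base64>"; base64 split across whitespace is re-joined.
"""
import base64
import struct

SEP_FLAG = 0x0001  # Secure Entry Point bit: set on KSKs (flags 257), clear on ZSKs (256)


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, for every algorithm except RSA/MD5 (1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        # Even-offset bytes are the high byte of a 16-bit word, odd-offset bytes the low byte.
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Return (flags, protocol, algorithm, key_bytes) for one DNSKEY RR line."""
    fields = line.split()
    if "DNSKEY" in fields:  # strip "owner TTL class DNSKEY" prefix if present
        fields = fields[fields.index("DNSKEY") + 1:]
    flags, protocol, algorithm = (int(x) for x in fields[:3])
    key = base64.b64decode("".join(fields[3:]))
    return flags, protocol, algorithm, key


def published_ksk_tags(dnskey_text: str) -> set:
    """Key tags of every KSK (SEP bit set) in a DNSKEY RRset; ZSKs are ignored."""
    tags = set()
    for raw in dnskey_text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # skip blank lines and dig comments
            continue
        flags, protocol, algorithm, key = parse_dnskey(line)
        if flags & SEP_FLAG:
            tags.add(key_tag(flags, protocol, algorithm, key))
    return tags


def audit_trust_anchors(configured_tags: set, dnskey_text: str) -> dict:
    """Compare configured anchor tags with published root KSK tags.

    'stale'   - anchors the resolver trusts that the root no longer publishes.
    'missing' - root KSKs the resolver does not trust yet; validation breaks
                as soon as one of them starts signing the root zone.
    'ready'   - True only when every published KSK is already trusted.
    """
    published = published_ksk_tags(dnskey_text)
    missing = published - configured_tags
    return {
        "published": published,
        "stale": configured_tags - published,
        "missing": missing,
        "ready": not missing,
    }


# Constructed sample (NOT real root keys): two KSKs and one ZSK, with tiny fake key material.
SAMPLE_ROOT_DNSKEY = """
. 172800 IN DNSKEY 257 3 8 AQIDBA==
. 172800 IN DNSKEY 257 3 8 ECAwQA==
. 172800 IN DNSKEY 256 3 8 qrs=
"""

# Hypothetical resolver that only ever learned the first (older) KSK.
SAMPLE_CONFIGURED_ANCHORS = {2063}


if __name__ == "__main__":
    report = audit_trust_anchors(SAMPLE_CONFIGURED_ANCHORS, SAMPLE_ROOT_DNSKEY)
    for field in ("published", "stale", "missing", "ready"):
        print(f"{field:>9}: {report[field]}")
```

Run against real data, a resolver that is safe for October shows an empty `missing` set: both the current KSK and the new one are present in its anchors. A non-empty `missing` set before the cutover is exactly the case to fix now, whether by enabling RFC 5011 updates or by adding the new key deliberately; a non-empty `stale` set after January 2027 is harmless clutter that can be removed.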
Running through these five items takes a competent IT team a couple of hours and gives you a clear answer about your level of exposure. If you are exposed, the remediation is usually straightforward. The hard part is knowing to look in the first place.
The bigger picture
The KSK rollover is one of those quiet pieces of internet maintenance that most businesses will rightly ignore, because it has been engineered to be ignorable. But for the small share of operators who do need to act, the consequences of not acting are not theoretical. DNS resolution failures take websites and email offline in ways that look indistinguishable from genuine outages, and the people responsible spend hours diagnosing the wrong thing because the root cause is a cryptographic key change they were never told about.
If you run a UK business and you are not sure who owns your DNS infrastructure, or how it would behave through October’s rollover, now is the time to find out. The window between now and the cutover is generous and the work involved is small, but it does not happen on its own. If you would like a hand auditing your own setup, our WordPress support and infrastructure team can walk through it with you.
FAQs
What is the ICANN October 2026 DNS trust anchor rollover?
ICANN is replacing the cryptographic root Key Signing Key (KSK) used by DNSSEC to verify DNS responses. The new key takes over on 11 October 2026 and the old one is retired in January 2027.
Do most UK businesses need to do anything before October 2026?
Most do not. Public DNS resolvers from Google, Cloudflare, Quad9 and major UK internet service providers already have the new key and will switch over automatically. The risk is for organisations running their own DNS resolvers with manually configured trust anchors or outdated software.
What happens if a DNS resolver does not pick up the new trust anchor in time?
It loses the ability to validate DNSSEC-signed domain names after the rollover. End users see DNS resolution failures, websites appear to be down and email bounces, even though the websites themselves are working normally.