This was supposed to have happened a year ago (I think almost to the day?), but was aborted roughly a week before because nobody was confident the system would survive. Apparently it did this time!<p>An unfortunate attribute of DNSSEC: nothing depends on it, to the extent that you could almost certainly post the root private keys on Pastebin and not cause a single mainstream site a problem. At the same time, <i>if you screw the deployment of DNSSEC up</i>, sites vanish off the Internet, like HBO Now did, on Comcast, the week of its debut.<p>Here's a fun exercise. In the thread below, someone brought up <a href="https://dnssec-name-and-shame.com" rel="nofollow">https://dnssec-name-and-shame.com</a> (warning: makes annoying noises). Try to find the largest commercial site on the Internet you can that has adopted DNSSEC. Try, for instance, tech giants, or national banks and financial institutions. (Do you want me to spoil this for you?)<p>Ultimately, this key rollover is sort of interesting in a network nerdery kind of way, but it is of no practical importance to anyone, because, after almost 3 decades of attempts, DNSSEC is over; stick a fork in it.