ICANN, the now internationalized "manager" of the Internet has announced a "security update" and they note:
ICANN is planning to perform a Root Zone Domain Name System Security Extensions (DNSSEC) KSK rollover as required in the Root Zone KSK Operator DNSSEC Practice Statement.
Rolling the KSK means generating a new cryptographic public and
private key pair and distributing the new public component to parties
who operate validating resolvers, including: Internet Service Providers;
enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS
resolver software developers; system integrators; and hardware and
software distributors who install or ship the root's "trust anchor." The
KSK is used to cryptographically sign the Zone Signing Key (ZSK), which
is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS.
Maintaining an up-to-date KSK is essential to ensuring DNSSEC-validating DNS resolvers continue to function following the rollover. Failure to have the current root zone KSK will mean that DNSSEC-validating DNS resolvers will be unable to resolve any DNS queries.
The KSK rollover plans were developed by the Root Zone Management Partners; ICANN in its role as the IANA Functions Operator, Verisign as the Root Zone Maintainer, and the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) as the Root Zone Administrator. The role of NTIA ended on 1 October 2016. The KSK rollover plans were posted in July 2016 and incorporate the community Root Zone KSK Rollover
What this means in simple English is that you better pray your ISP or IT Folks have done what ICANN says and that further ICANN knows what it is doing. Certificate management and DNS updating is NOT TRIVIAL. There will be mistakes. There will be crashes.
And then you can try the US Post Office again. Horrors! Poor Ben Franklin, a good idea but sent to the Government employees, worse, an "international" body.