What a load of cow pats
Having just completed a training course which covered DNSSEC, the Root Key Signing Keys are using algorithm 8, which is RSA/SHA256 and is compatible with Bind 9.10.3, which is available for MintLinux and Ubuntu Mate for Raspberry Pi. The new KSK works just fine. After five years of giving training on DNSSEC, 99% of students who were familiar with DNS had never heard of DNSSEC (despite it being 16 years old).
For those unfamiliar with DNSSEC, at present there is a double Key Rollover: both the KSK and Zone Signing Key (ZSK) are rolling over to a new key.
dig @8.8.8.8 . dnskey +multiline
; <<>> DiG 9.10.6 <<>> @8.8.8.8 . dnskey +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5983
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;. IN DNSKEY
;; ANSWER SECTION:
. 166290 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; KSK; alg = RSASHA256 ; key id = 19036
. 166290 IN DNSKEY 256 3 8 (
AwEAAYvxrQOOujKdZz+37P+oL4l7e35/0diH/mZITGjl
p4f81ZGQK42HNxSfkiSahinPR3t0YQhjC393NX4TorSi
TJy76TBWddNOkC/IaGqcb4erU+nQ75k2Lf0oIpA7qTCk
3UkzYBqhKDHHAr2UditE7uFLDcoX4nBLCoaH5FtfxhUq
yTlRu0RBXAEuKO+rORTFP0XgA5vlzVmXtwCkb9G8GknH
uO1jVAwu3syPRVHErIbaXs1+jahvWWL+Do4wd+lA+TL3
+pUk+zKTD2ncq7ZbJBZddo9T7PZjvntWJUzIHIMWZRFA
jpi+V7pgh0o1KYXZgDUbiA1s9oLAL1KLSdmoIYM=
) ; ZSK; alg = RSASHA256 ; key id = 15768
. 166290 IN DNSKEY 256 3 8 (
AwEAAcRIZfxskdElMKgjwvWQO2bQe7EGAvX6zgIaqmbs
aMqmMrIpd1+bP7nyULLuL8jWnKAqcaVfal2yJD50gg5z
Fl5yW/F9dKNXXEFI7VEcGrPyG6/OrA9RBU8pGWm0qxps
Nm5UIgTU5IX7pb/0rBj67c/R7qln8sjH1ylsr4f1Y3R6
p/druiEalKasEjGKA9L2w9jzUQusWxM7fQx/T8c/3x3b
sjveD1dleQ6MJaCx4bpPXYZpqXmSvGn+T2v5350cBVAF
qVKhGbjxEyXAweem8cTU4L1p+DV7Ua11a1tMf0Tlu8pk
pLwh7NQIggIEhJwEhPeXE3E4C6Q2/PFENcoFERc=
) ; ZSK; alg = RSASHA256 ; key id = 46809
. 166290 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; KSK; alg = RSASHA256 ; key id = 20326
;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 29 19:51:13 BST 2017
;; MSG SIZE rcvd: 1128
DNSSEC is used to digitally sign DNS records by adding an RRSIG record, which is a cryptographically signed hash of a set of records within a Zone. So the NS records inside a Zone would have a single RRSIG to allow authentication and validation of all the NS records, as if you query the NS records all will be returned.
In terms of handling the new KSK, if the DNS Server supports RFC5011 the KSK rollover is handled automatically; BIND has supported this for a couple of years. RFC7344 allows the automatic update of the Child Zone Delegated Signer Record using the CDS Record and CDNSKEY record, both supported in Bind 9.11.
Unfortunately many commercial DNS providers do not support RFC5011, nor do they support RFC7344.
The Root KSK should have been replaced in June 2015 under the contract ICANN operated under; here we are seven years later and it's going to be delayed again.
Personally the root key change should not be delayed... A competent DNS Architect/Administrator should have planned for this two years ago.
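
Added example, not part of the original comment: a Python sketch that parses `dig +multiline` DNSKEY output like the listing above, tells KSK from ZSK by the SEP flag bit, and recomputes each key id with the RFC 4034 Appendix B checksum so it can be compared with the value dig printed. The names key_tag, parse_dnskeys, RECORD and SAMPLE are this example's own; SAMPLE is the KSK 20326 record copied from the comment's output.

```python
import base64
import re

# One DNSKEY record copied from the dig output in the comment above (KSK 20326).
SAMPLE = """\
. 166290 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; KSK; alg = RSASHA256 ; key id = 20326
"""

# flags, protocol, algorithm, base64 key body, and the key id dig reports.
RECORD = re.compile(
    r"DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+\((.*?)\)\s*;.*?key id = (\d+)", re.S)

def key_tag(flags, protocol, algorithm, key):
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_dnskeys(text):
    """Return one dict per DNSKEY record found in `dig +multiline` output."""
    keys = []
    for flags, proto, alg, b64, reported in RECORD.findall(text):
        flags, proto, alg = int(flags), int(proto), int(alg)
        key = base64.b64decode("".join(b64.split()))
        keys.append({
            "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit: 257 vs 256
            "algorithm": alg,
            "tag": key_tag(flags, proto, alg, key),
            "reported": int(reported),  # the "key id" dig printed
        })
    return keys

if __name__ == "__main__":
    for k in parse_dnskeys(SAMPLE):
        status = "ok" if k["tag"] == k["reported"] else "MISMATCH"
        print(k["role"], "alg", k["algorithm"], "tag", k["tag"], status)
```

Fed the full answer section, it returns one entry per key, so a monitoring job can confirm that both KSKs are still being published during the rollover.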