David Goldstein - ICANN Postpones KSK Rollover Due to Fears Tens of Millions Would Lose Internet Access


    The importance of the security of the Domain Name System goes without saying. And recently ICANN was forced to delay what’s referred to as the KSK Rollover in October due to a glitch that could have impacted one-in-four internet users around the globe and seen tens of millions lose internet access. The KSK Rollover involves changing the cryptographic key that helps protect the DNS and keep the internet safe.

    The changing of the key, ICANN explains, “involves generating a new cryptographic key pair and distributing the new public component to the Domain Name System Security Extensions (DNSSEC)-validating resolvers.” From these resolvers, internet users are then directed to their requested website. All this happens quicker than a blink of the eye.

    When the internet was developed, security was not a consideration. But it has become a hugely important issue, and DNSSEC was developed as a security protocol to address critical security shortcomings of the DNS. When a domain name is DNSSEC-enabled, internet users can be sure that they are reaching the legitimate website, and not one set up by criminals.

    The changing or "rolling" of the KSK was originally scheduled to occur on 11 October, but was delayed following research initially by Verisign and later confirmed by ICANN that showed a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators were not yet ready. This new data is available thanks to a very recent DNS protocol feature that adds the ability for a resolver to report back to the root servers which keys it has configured.

    ICANN estimated that 750 million people, or one-in-four internet users, would have been impacted by the KSK Rollover, based on the estimated number of internet users who use DNSSEC-validating resolvers. And of these, around 60 million could have lost internet access had the Rollover gone ahead.

    There may be multiple reasons why operators don’t have the new key installed in their systems: some may not have their resolver software properly configured, and a recently discovered issue in one widely used resolver program appears not to be updating the key automatically as it should, for reasons that are still being explored.
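The rollover mechanics, the resolver key-reporting feature and the automatic key update described above, as an added example that is not from the article: a toy Python model of the root KSK roll with two validating resolvers, one that adopts the new key automatically (in the style of RFC 5011) and one with a static trust anchor that is never updated. It assumes HMAC tags as a stand-in for real public-key signatures, constructed key tags, and a reporting query name in the style of RFC 8145; none of these are the article's values.

```python
import hashlib, hmac

# Added example (not the article's code): a toy model of the root KSK rollover with
# two validating resolvers, one that adopts the new key automatically (RFC 5011
# style) and one with a static, stale trust anchor. STAND-IN: signatures are HMAC
# tags so this runs offline; real DNSSEC uses public-key signatures.

class KSK:
    """A key-signing key; key_tag is a constructed 16-bit identifier."""
    def __init__(self, name):
        self.secret = hashlib.sha256(b"toy-key:" + name).digest()  # STAND-IN private key
        self.key_tag = int.from_bytes(hashlib.sha256(self.secret).digest()[:2], "big")

    def sign(self, msg):
        return (self.key_tag, hmac.new(self.secret, msg, "sha256").digest())

def canonical(keys):
    """Canonical form of the DNSKEY RRset that a signature covers."""
    return b",".join(str(k.key_tag).encode() for k in sorted(keys, key=lambda k: k.key_tag))

class Resolver:
    def __init__(self, anchors, auto_update):
        self.anchors = {k.key_tag: k for k in anchors}  # configured trust anchors
        self.auto_update = auto_update

    def validate(self, rrset):
        """True if the DNSKEY RRset has a valid signature from a trusted key."""
        keys, rrsigs = rrset
        msg = canonical(keys)
        ok = any(tag in self.anchors and
                 hmac.compare_digest(self.anchors[tag].sign(msg)[1], mac)
                 for tag, mac in rrsigs)
        if ok and self.auto_update:  # RFC 5011: adopt new keys seen in a validated RRset
            for k in keys:
                self.anchors.setdefault(k.key_tag, k)
        return ok

    def ta_signal_qname(self):
        """RFC 8145-style query name reporting the resolver's configured key tags."""
        return "_ta-" + "-".join(f"{t:04x}" for t in sorted(self.anchors))

def simulate_rollover():
    old, new = KSK(b"old"), KSK(b"new")
    updating, stale = Resolver([old], True), Resolver([old], False)
    pre_publish = ([old, new], [old.sign(canonical([old, new]))])  # new key published, old signs
    rollover = ([old, new], [new.sign(canonical([old, new]))])     # after the roll: new key signs
    assert all(r.validate(pre_publish) for r in (updating, stale))  # both fine before the roll
    return {"updating": updating.validate(rollover),  # True: the new anchor was learned
            "stale": stale.validate(rollover),        # False: SERVFAIL on every lookup
            "reports": (updating.ta_signal_qname(), stale.ta_signal_qname())}
```

The stale resolver's failure is the "lose internet access" outcome: every signed answer fails validation once the old key stops signing, and the reporting name shows which resolvers still carry only the old tag.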

    Looking ahead, ICANN is hoping to have a new date for the KSK Rollover soon, with the first quarter of 2018 being targeted, but that, ICANN explains, is dependent on more fully understanding the new information and mitigating as many potential failures as possible.