ICANN has announced that the KSK Rollover, originally scheduled for October 2017, is now scheduled for October 2018, after a delay caused by fears that one-in-4 internet users could have lost access to the internet.
In an announcement in early February, the global domain name overseer said a public consultation will now take place, as it believes it has found a solution to the problems that prevented the Rollover occurring in October.
The changing or "rolling" of the KSK was originally delayed because some data obtained just a couple of weeks before the originally scheduled date showed a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators were not yet ready for the Rollover. The new data became available because of a very recent DNS protocol feature that adds the ability for a resolver to report back to the root servers which keys it has configured.
ICANN explained “there may be multiple reasons why operators do not have the new key installed in their systems: some may not have their resolver software properly configured and a recently discovered issue in one widely used resolver program appears to not be automatically updating the key as it should, for reasons that are still being explored.”
ICANN then undertook to reach out to its community, including its Security and Stability Advisory Committee, the Regional Internet Registries, Network Operator Groups and others to help explore and resolve the issues.
Changing the key involves generating a new cryptographic key pair and distributing the new public component to the Domain Name System Security Extensions (DNSSEC)-validating resolvers. Based on the estimated number of Internet users who use DNSSEC-validating resolvers, had the Rollover gone ahead last October, an estimated one-in-4 global internet users would have lost internet access, meaning 750 million people could have been affected.
ICANN has now opened a formal public comment period to receive community input on a draft plan to proceed with the KSK rollover project. This comment period will run until 1 April 2018. The plan calls for rolling the root zone KSK on 11 October 2018 (one year later than originally planned), continuing extensive outreach to notify as many resolver operators as possible, and publishing more observations of the RFC 8145 trust anchor report data. Additional details are contained within the plan.
In addition, there will be a session at ICANN61 in Puerto Rico to further discuss the plan and obtain additional feedback.
The draft plan follows ICANN’s posting in late December, in which ICANN announced next steps in the process to resume the root KSK rollover project. At the time ICANN described its efforts to track down the operators of DNS resolvers that were not ready for the rollover.
Using a protocol described in RFC 8145, these problematic resolvers had reported to the root servers a trust anchor configuration with only the current KSK (known as KSK-2010) and not the newer KSK (known as KSK-2017).
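To make the RFC 8145 report concrete, the following added example (not code from this article or from ICANN) classifies resolvers from the key tag queries they send, which carry names such as _ta-4a5c with the configured key tags in hexadecimal. The log format, sample lines and function names are assumptions constructed for illustration; 19036 and 20326 are the published key tags of KSK-2010 and KSK-2017.

```python
import re

KSK_2010 = 19036  # key tag of the current root KSK (hex 4a5c)
KSK_2017 = 20326  # key tag of the new root KSK (hex 4f66)

# Root-zone key tag query name: "_ta-" plus one or more 4-digit hex tags.
TA_QNAME = re.compile(r"^_ta(?:-[0-9a-f]{4})+\.?$", re.IGNORECASE)

def parse_ta_qname(qname):
    """Return the set of key tags in a key tag query name, or None."""
    if not TA_QNAME.match(qname):
        return None
    return {int(h, 16) for h in qname.rstrip(".").split("-")[1:]}

def classify(log_text):
    """Map each reporting source to its readiness, using its latest report."""
    latest = {}
    for line in log_text.splitlines():
        fields = line.split()
        # Assumed log format: timestamp, source, qname, qtype.
        if len(fields) != 4 or fields[3] != "NULL":
            continue
        tags = parse_ta_qname(fields[2])
        if tags is not None:
            latest[fields[1]] = tags  # lines are chronological: last wins
    status = {}
    for src, tags in latest.items():
        if KSK_2017 in tags:
            status[src] = "ready"
        elif KSK_2010 in tags:
            status[src] = "ksk-2010-only"
        else:
            status[src] = "unknown-anchors"
    return status

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = """\
2018-02-01T00:00:01Z 192.0.2.10 _ta-4a5c. NULL
2018-02-01T00:00:02Z 198.51.100.7 _ta-4a5c-4f66. NULL
2018-02-01T00:00:03Z 2001:db8::53 _TA-4A5C. NULL
2018-02-01T00:00:04Z 203.0.113.9 _ta-zzzz. NULL
2018-02-01T00:00:05Z 203.0.113.9 example.com. A
2018-02-02T00:00:01Z 192.0.2.10 _ta-4a5c-4f66. NULL
"""

if __name__ == "__main__":
    for src, state in sorted(classify(SAMPLE_LOG).items()):
        print(src, state)
```

A source that later reports both tags, like 192.0.2.10 in the sample, moves from the KSK-2010-only group to ready, which is the change operators need to see before the rollover date.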
To read more on the plan and to comment, see the ICANN Public Comment announcement here.