David Goldstein - ICANN Successfully Completes KSK Rollover


    No, it’s not an ICANN picnic or party. It’s an important element in keeping the internet safe. In mid-October ICANN successfully rolled the cryptographic key that helps protect the Domain Name System (DNS), the first time such a procedure had taken place since it was put in use in 2010.

    The roll of the Key Signing Key (KSK) that took place in October has been judged a success by ICANN and by an international collaborative project, including SIDN Labs, that carefully monitored the rollover. They found the most important result was that “the rollover was a success”. They further noted they “did not observe any major deviations during the rollover or in the following 48 hours” and that “other sources also reported no significant issues”.

    “There were far fewer Internet users negatively affected by the change (called a rollover) than anyone expected,” wrote Paul Hoffman, Principal Technologist, Office of the CTO, ICANN on the ICANN blog. “There are a few more things that need to be done for the rollover process to be considered complete, but the main task went off without a hitch.”

    “This successful exercise of the infrastructure necessary to roll the root zone’s key has demonstrated it is possible to update the key globally,” said David Conrad, ICANN’s Chief Technology Officer. “It also provided important insights that will help us with future key rolls.”

    The KSK Rollover was originally scheduled for October 2017 but was postponed just a couple of weeks before the scheduled date; in December it was rescheduled for the first quarter of 2018, and then delayed once more.

    The delays in the Rollover occurred because of fears that as many as one in four internet users could have lost internet access. The changing, or “rolling”, of the KSK was originally delayed because data obtained just a couple of weeks before the originally scheduled date showed that a significant number of resolvers used by Internet Service Providers (ISPs) and network operators were not yet ready for the Key Rollover. That data was available only because of a very recent DNS protocol feature that lets a resolver report back to the root servers which keys it has configured.

    Looking forward, there are still a few steps to undertake. First, ICANN explains, the old key needs to be formally revoked. On 11 January 2019, the old key, which has continued to be published in the root zone, will be changed to indicate it's no longer valid and that resolvers should delete it from their configurations. Soon after that, ICANN will publish an extensive white paper covering the entire rollover process, including lessons learned from the effort. Then, ICANN's many communities will start to discuss what they want to see from future rollovers, including how often they should happen.
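    The revocation step described above is what a validating resolver sees on the wire: the old KSK stays in the root DNSKEY RRset with its REVOKE flag set, and resolvers that recognise the flag drop the anchor. The following is an added example, not code from the article or from ICANN, that parses DNSKEY records, computes their key tags and classifies each key as active KSK, revoked KSK or ZSK; the key material is a constructed dummy value and the `trust_anchor_report` helper is hypothetical.

```python
# Added example (not from the article or ICANN): inspect DNSKEY records the way
# a validating resolver does. RDATA = flags(2) | protocol(1) | algorithm(1) | key.
# RFC 5011 retires a trust anchor by setting the REVOKE flag; because the flags
# are part of the key-tag computation, the revoked key appears under a new tag.
import base64
from dataclasses import dataclass

FLAG_REVOKE = 0x0080  # bit 8: REVOKE (RFC 5011)
FLAG_SEP = 0x0001     # bit 15: Secure Entry Point, marks a KSK


@dataclass
class DNSKey:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def state(self) -> str:
        if not self.flags & FLAG_SEP:
            return "zsk"
        return "revoked-ksk" if self.flags & FLAG_REVOKE else "active-ksk"


def parse_dnskey(text: str) -> DNSKey:
    """Parse presentation form: '<flags> <protocol> <algorithm> <base64 key...>'."""
    flags, proto, alg, *key = text.split()
    return DNSKey(int(flags), int(proto), int(alg), base64.b64decode("".join(key)))


def trust_anchor_report(rrset) -> dict:
    """Map key tag -> state (hypothetical helper); drop every 'revoked-ksk' entry."""
    return {k.key_tag(): k.state() for k in rrset}


# Constructed sample with a 4-byte dummy key, not real root-zone key material.
DUMMY_KEY = base64.b64encode(b"\x01\x02\x03\x04").decode()
ACTIVE_KSK = parse_dnskey(f"257 3 8 {DUMMY_KEY}")                   # ZONE|SEP
REVOKED_KSK = parse_dnskey(f"{257 | FLAG_REVOKE} 3 8 {DUMMY_KEY}")  # flags 385
```

Feeding it the records returned by `dig . DNSKEY` shows which tag a revoked key appears under; for the publicly documented root keys, KSK-2010 (tag 19036) showed as tag 19164 once revoked.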

    On frequency, Geoff Huston in his Potaroo blog writes “there is much to be said for performing this roll annually, if only to promote the use of automated DNS resolver tools that track the KSK state without the need for manual intervention. However, regularly rolling the KSK achieves little in and of itself. We now should look at further measures for the root zone KSK.”