Salvador Knight September 4, 2017

ICANN, the Internet oversight body has postponed their plans to change the cryptographic key which safeguards the global Domain Name System (DNS).It claims that some infrastructure operators just are not ready for the change.

To change the key, it involves generating a new cryptographic key pair as well as distributing the new public component to Domain Name System Security Extensions (DNSSEC) thus validating resolvers.

Newly obtained data, however, shows a significant number of resolvers used by various ISPs (Internet Service Providers) and network operators are definitely not yet ready. Potentially this could affect up to 750 million netizens.

The reasons why resolvers are not yet ready for the key rollover according to ICANN is that there multiple reasons including misconfigured resolver software. Its approach going forward is that it will reach out to its Security and Stability Advisory Committee called the Regional Internet Registries, to Network Operator Groups and all other stakeholders in an effort to try and fix the all the issues.

The president and CEO of ICANN, Göran Marby said, “the security, stability, and resiliency of the domain name system is our core mission. We would rather proceed cautiously and reasonably, than continue with the roll on the announced date of 11 October. “It would be irresponsible to proceed with the roll after we have identified these new issues that could adversely affect its success and could adversely affect the ability of a significant number of end users.”

The “key signing key” (KSK) rollover was tentatively scheduled for October 11. However, it has now been postponed. It is hoped to be rescheduled for the first quarter of 2018 ICANN’s according to ICANN’s Chief Technology Officer. But that all depends on how easily the problem can be fixed.

Until this happens, it is suggested by Marby that network operators use the extra time to get their systems in order. A helpful diagnostic tool they can use is ICANN’s testing platform. This will help to ensure their resolvers are configured properly with the new key.

To make the internet more secure, the KSK rollover is part of a process and this process began back in May of 2016. A long time coming and yet, still not a reality.