Home / News I have a News Tip

ICANN Delays Plans to Change DNS Cryptographic Key, Says Near 750 Million People at Risk if Rushed

The Internet Corporation for Assigned Names and Numbers (ICANN) has postponed plans to change the cryptographic key — a critical step in updating protection measures for the Domain Name System (DNS). In its report issued Thursday evening, ICANN said an "an estimated one-in-four global Internet users, or 750 million people, could be affected by the KSK rollover. ... The changing or 'rolling' of the KSK Key was originally scheduled to occur on 11 October, but it is being delayed because some recently obtained data shows that a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators are not yet ready for the Key Rollover. The availability of this new data is due to a very recent DNS protocol feature that adds the ability for a resolver to report back to the root servers which keys it has configured." A new date for the Key Roll has not yet been determined, but the organization says it is aiming at rescheduling the Key Roll for the first quarter of 2018.

Update Oct 4, 2017: ICANN's VP of Research, Matt Larson, posted a blog today regarding the factors behind the KSK rolloever delay – "The Story Behind ICANN’s Decision to Delay the KSK Rollover": "I would like to provide some additional details about what went into our decision to delay the roll. You might say it's the story behind the story. Historically, there has been no way to determine which trust anchors DNS Security Extensions (DNSSEC) validators have been configured, making it difficult to assess the potential impact of the root KSK rollover. But that recently changed and we received some new data that we simply could not ignore."

Follow CircleID on
Related topics: DNS, DNS Security, ICANN

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Great Andrew Gardner  –  Sep 28, 2017 1:48 PM PST

Mozilla and Google will love this - another reason for them to refuse to bake DANE into their browsers.

Lets not turn this into a mess ! Ken Stubbs  –  Sep 29, 2017 6:50 AM PST

Frankly, this is embarrassing !

Why are we not ready to pull the trigger ?

Is it because we haven't done an effective job of communicating the sense of urgency to the right parties here ?

Is it because the resolvers are ambivalent ?

These are questions that need honest answers REAL SOON !

To post comments, please login or create an account.




Sponsored byWhoisXML API


Sponsored byVerisign

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC


Sponsored byThreat Intelligence Platform

Brand Protection

Sponsored byAppDetex

New TLDs

Sponsored byAfilias