
ICANN to make a critical decision

The procedure for changing the domain name system’s top cryptographic key, which was scheduled for October 11, might get postponed. The root KSK, or Key Signing Key, is the apex of the DNSSEC hierarchy. DNSSEC uses two kinds of cryptographic keys in each zone: the Zone Signing Key (ZSK) and the Key Signing Key. While the root ZSK is updated by ICANN and Verisign on a quarterly basis, the KSK has been in operation at the root since 2010, the year the root zone was first signed.

At first, the so-called KSK rollover was scheduled for October 11, 2017. Then ICANN postponed it for a year, fearing that the rollover would affect millions of users, denying them access to DNSSEC-supporting domain names. Unfortunately, the delay did not make the matter any clearer. Today, there are about 8,000 resolver IP addresses that are likely to stop working properly after the rollover. This number, however, does not say much. Firstly, no one can count the total number of these resolvers’ end users. Secondly, the corporation only counted the resolvers that automatically report their status to the root using a relatively new internet standard. Resolvers that do not report their status are not included, so the actual number is clearly different. Thirdly, ICANN had difficulty contacting every single network operator behind these resolvers, since many of them have changed their contact information, in certain cases many times.

Today, ICANN believes that a total of 0.05% of internet users will have temporary access issues after the KSK rollover. That is about two million people, and the corporation is ready to take that risk. The fact is, the number of devices using DNSSEC is constantly increasing; therefore, further delay will only result in more users who could be affected by the rollover. Several days ago, ICANN’s Chief Technology Officer and Vice President David Conrad stated that the corporation does not see any reason to postpone the rollover once again. However, not everyone agrees with him. The Domain Incite website reported on the meeting of ICANN’s Security and Stability Advisory Committee (SSAC). For what must have been the first time ever, its participants failed to reach a consensus. While 17 members opted for the rollover to be scheduled for October 11, five members opposed this idea and recorded their opinions in the meeting’s minutes. They believe that carrying out the rollover within the previously established time limits would entail greater risks and could cause more damage than postponing it once again. The final decision on this issue is to be made by ICANN’s Board of Directors. It is expected to be made during a meeting in Brussels which will be held on September 14.
