During a meeting held in Brussels, ICANN’s Board of Directors decided to hold the procedure for changing the DNS top cryptographic key on October 11, 2018, as was scheduled. This information was published on ICANN’s official website. The DNSSEC protocol involves using two cryptographic keys, one per zone: the Zone Signing Key (ZSK) and the Key Signing Key. While the root ZSK is updated on a quarterly basis, the KSK has been in operation at the root since 2010, the year it was first signed.
The KSK rollover was first planned for 2017, but ICANN postponed it for a year fearing that wrong DNS resolver configurations would affect millions of users, denying them internet access. Unfortunately, the delay did not make the matter any clearer. As reported earlier, ICANN’s Security and Stability Advisory Committee (SSAC) failed to reach a consensus over the rollover. While 17 members opted for it to be scheduled for October 11, five members insisted on rescheduling it again. As a result, ICANN’s Board of Directors supported the majority decision.
"Research shows that there are many thousands of network operators that have enabled DNSSEC validation, and about a quarter of the internet's users rely on those operators," said David Conrad, ICANN's Chief Technology Officer. "It’s almost certain there will be at least a few operators somewhere in the world who won't be prepared, but even in the worst case, all they have to do to fix the problem is, turn off DNSSEC validation, install the new key, and re-enable DNSSEC and their users will again have full connectivity to the DNS."
Earlier, it was reported that ICANN research showed that the KSK rollover could cause temporary access issues for 0.05 percent of internet users, or about 2 million people.
