ICANN Publishes Comprehensive Guide on What to Expect During the Root KSK Rollover

LOS ANGELES – 22 August 2018 – As the ICANN Organization prepares, for the first time ever, to change the cryptographic keys that help protect the Internet's Domain Name System (DNS), the organization has published a guide to let people know what to expect.

The changing of the keys, known as the "Root Key Signing Key (KSK) Rollover", is currently scheduled for 11 October 2018. The new ICANN guide is intended for those with all levels of technical expertise. It will help everyone prepare for the rollover by detailing what to expect. It is part of the ICANN Organization's ongoing efforts to raise awareness of the rollover and also provides details about the rollover process.

The guide can be accessed here [PDF, 107 KB]. Those who will find the guide most useful are operators of validating resolvers seeking clear direction on what to look for once the rollover occurs; non-technical journalists, bloggers and others who intend to write about the rollover before, during, and after the event will also benefit. Additionally, the document can be of value to researchers who will be monitoring the DNS for indications of resolver failure after the rollover occurs.

While ICANN org expects user impact from the root KSK rollover to be minimal, a small percentage of Internet users are expected to see problems in resolving domain names, which in lay terms means they will have problems reaching their online destination. There are currently a small number of Domain Name System Security Extensions (DNSSEC) validating recursive resolvers that are misconfigured, and some of the users relying upon these resolvers may experience problems. This document describes which users are most likely to see problems and, among those, what types of issues they will face at various times. To summarize:

Those who will not be affected:

  • Users who rely on a resolver that has the new KSK
  • Users who rely on a resolver that does not perform DNSSEC validation

Those who will be affected and how:

  • If all of a user's resolvers do not have the new KSK in their trust anchor configuration, the user will start seeing name resolution failures (typically "server failure" or SERVFAIL errors) at some point within 48 hours of the rollover. NOTE: It is impossible to predict when the operators of affected resolvers will notice that validation is failing for them.

Data analysis suggests that more than 99% of users whose resolvers are validating will be unaffected by the KSK rollover. Users who use at least one resolver that is ready for the rollover will see no change in their use of the DNS or the Internet in general after the rollover. (The same is true for users whose resolvers do not perform DNSSEC validation at all. Current estimates are that about two-thirds of users are behind resolvers that do not yet perform DNSSEC validation.)
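The condition that decides whether a validating resolver is affected is whether the new KSK is present in its trust anchor configuration. As an added illustration (example code written for this page, not part of the ICANN announcement or the guide it describes), the Python below parses a trust-anchor file in the zone-file DNSKEY format that unbound's root.key and similar files use, computes each key's key tag with the RFC 4034 Appendix B algorithm, keeps only keys with the SEP (KSK) flag bit set, and reports whether a required KSK key tag is configured. The DNSKEY records in SAMPLE_TRUST_ANCHORS are constructed with made-up key material, so their tags (2063 and 2318) are sample values and not the real root key tags.

```python
import base64
import struct

# Constructed sample trust-anchor file in zone-file DNSKEY format (the layout
# unbound's root.key and similar anchor files use). The key material is made
# up for this example; it is NOT the real root KSK. The ";;state=..." comment
# mirrors the RFC 5011 bookkeeping unbound appends to its anchor file.
SAMPLE_TRUST_ANCHORS = """\
; constructed example, not real root key data
.\t172800\tIN\tDNSKEY\t257 3 8 AQIDBA== ;;state=2 [  VALID  ]
.\t172800\tIN\tDNSKEY\t256 3 8 BQY=
"""


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        # even-offset bytes are the high octet of a 16-bit word
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_trust_anchors(text: str):
    """Return (owner, flags, protocol, algorithm, key_tag) for each DNSKEY line."""
    anchors = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; and ;; comments
        if not line:
            continue
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        idx = fields.index("DNSKEY")
        owner = fields[0]
        flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
        # the base64 public key may be split across several whitespace-separated chunks
        pubkey = base64.b64decode("".join(fields[idx + 4:]))
        anchors.append((owner, flags, protocol, algorithm,
                        key_tag(flags, protocol, algorithm, pubkey)))
    return anchors


def ksk_tags(text: str, owner: str = ".") -> set:
    """Key tags of configured anchors for `owner` that carry the SEP (KSK) flag bit."""
    return {tag for o, flags, _, _, tag in parse_trust_anchors(text)
            if o == owner and flags & 0x0001}


def rollover_ready(text: str, new_ksk_tag: int) -> bool:
    """True if the new root KSK (identified by its key tag) is a configured trust anchor."""
    return new_ksk_tag in ksk_tags(text)


if __name__ == "__main__":
    for rec in parse_trust_anchors(SAMPLE_TRUST_ANCHORS):
        print(rec)
    print("KSK tags configured:", sorted(ksk_tags(SAMPLE_TRUST_ANCHORS)))
```

To use this against a real resolver, read the resolver's anchor file instead of SAMPLE_TRUST_ANCHORS and pass the key tag of the new root KSK; that tag comes from the published root DNSKEY records, not from this announcement. A resolver whose only SEP-flagged anchor is the old key will pass the parse but fail `rollover_ready`, which is the configuration the announcement says leads to SERVFAIL answers after the rollover.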

Lastly, while the rollover is currently planned to take place on 11 October 2018, this date is pending ratification by the ICANN Board.

To keep informed about KSK Rollover developments go here: https://www.icann.org/resources/pages/ksk-rollover

On social media use: #Keyroll

###

About ICANN

ICANN's mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique, so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.
