ICANN Publishes Comprehensive Guide on What to Expect During the Root KSK Rollover
LOS ANGELES – 22 August 2018 – As the ICANN Organization prepares, for the first time ever, to change the cryptographic keys that help protect the Internet's Domain Name System (DNS), the organization has published a guide to let people know what to expect.
The changing of the keys, known as the "Root Key Signing Key (KSK) Rollover", is currently scheduled for 11 October 2018. The new ICANN guide is intended for those with all levels of technical expertise. It will help everyone prepare for the rollover by detailing what to expect. It is part of the ICANN Organization's ongoing efforts to raise awareness of the rollover and will also afford details about the rollover process.
The guide can be accessed here [PDF, 107 KB]. Those who will find the guide most useful are operators of validating resolvers seeking clear direction on what to look for once the rollover occurs; non-technical journalists, bloggers and others who intend to write about the rollover before, during, and after the event will also benefit. Additionally, the document can be of value researchers who will be monitoring the DNS for indications of resolver failure after the rollover occurs.
While ICANN org expects user impact from the root KSK rollover to be minimal, a small percentage of Internet users are expected to see problems in resolving domain names, which in lay terms means they will have problems reaching their online destination. There are currently a small number of Domain Name System Security Extensions (DNSSEC) validating recursive resolvers that are misconfigured, and some of the users relying upon these resolvers may experience problems. This document describes which users are most likely to see problems, and among those - what types of issues they will face at various times. To summarize:
Those who will not be affected:
- Users who rely on a resolver that has the new KSK
- Users who rely on a resolver that does not perform DNSSEC validation
Those who will be affected and how:
- If all of a users' resolvers do not have the new KSK in their trust anchor configuration, the user will start seeing name resolution failures (typically "server failure" or SERVFAIL errors) at some point within 48 hours of the rollover. NOTE: It is impossible to predict when the operators of affected resolvers will notice that validation is failing for them.
Data analysis suggests that more than 99% of users whose resolvers are validating will be unaffected by the KSK rollover. Users who use at least one resolver that is ready for the rollover will see no change in their use of the DNS or the Internet in general after the rollover. (The same is true for users whose resolvers do not perform DNSSEC validation at all. Current estimates are that about two-thirds of users are behind resolvers that do not yet perform DNSSEC validation.)
Lastly, while the rollover is currently planned to take place on 11 October 2018, this date is pending ratification by the ICANN Board.
To keep informed about KSK Rollover developments go here: https://www.icann.org/resources/pages/ksk-rollover
On social media use: #Keyroll
ICANN's mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique, so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.