
News Release: Board Approval of KSK Roll

LOS ANGELES – 18 September 2018 – The Board of Directors for the Internet Corporation for Assigned Names and Numbers (ICANN) has approved plans for the first-ever changing of the cryptographic key that helps protect the Domain Name System (DNS) - the Internet's address book.

During a 16 September meeting in Belgium, the ICANN Board passed a resolution, directing the organization to proceed with its plans to change or "roll" the key for the DNS root on 11 October 2018. It will mark the first time the key has been changed since it was first put in use in 2010.

"This is an important move and we have an obligation to ensure that it happens in furtherance of ICANN's mission, which is to ensure a secure, stable and resilient DNS," said ICANN Board Chair Cherine Chalaby. "There is no way of completely assuring that every network operator will have their 'resolvers' properly configured, yet if things go as anticipated, we expect the vast majority to have access to the root zone."

Some Internet users might be affected if the network operators or Internet Service Providers (ISPs) have not prepared for the roll. Those operators who have enabled the checking of Domain Name System Security Extensions or DNSSEC information (a set of security protocols used to ensure DNS information isn't accidentally or maliciously corrupted) are those who need to be certain they are ready for the roll.

"Research shows that there are many thousands of network operators that have enabled DNSSEC validation, and about a quarter of the Internet's users rely on those operators," said David Conrad, ICANN's Chief Technology Officer. "It is almost certain there will be at least a few operators somewhere across the globe who won't be prepared, but even in the worst case, all they have to do to fix the problem is turn off DNSSEC validation, install the new key, and reenable DNSSEC, and their users will again have full connectivity to the DNS."

The changing of the DNS root key was originally scheduled to happen a year ago, but plans were put on hold after the ICANN organization found and began analyzing some new, last-minute data. That data dealt with the potential readiness of network operators for the key roll.

An analysis ultimately led the organization to believe it could safely proceed with the changing of the key. As a result, the organization, after consultation with the community, developed a new plan that recommends putting the new key into use exactly one year after originally scheduled. In the intervening time, the organization has continued extensive outreach and investigations on how to best mitigate risks associated with the key change.

The ICANN Board, during its 16 September meeting, passed a resolution (https://www.icann.org/resources/board-material/resolutions-2018-09-16-en) approving the plan, and with that, the ICANN org has set in motion its plans to change the key at 4PM UTC on 11 October 2018.

"This is the first root key change, but it won't be the last," said Matt Larson, Vice President of Research at ICANN and the organization's point person for the key roll. "This is the first time, so naturally we are bending over backwards to make certain that everything goes as smoothly as possible, but as we do more key rollovers in the future, the network operators, ISPs, and others will become more accustomed to the practice."

The primary source for information about the rollover is: http://www.icann.org/kskroll

Subscribe to the rollover discussion mailing list: https://mm.icann.org/listinfo/ksk-rollover

On social media use: #Keyroll

###

Media Contacts

ICANN
Brad White
Director of Communications, North America.
Mobile: +1.301.365.3571
Email: brad.white@icann.org

ICANN
Alexandra Dans
Senior Manager of Communications, Latin America and the Caribbean
Mobile: +598 95 831 442
Email: alexandra.dans@icann.org

About ICANN

ICANN's mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.
