ICANN, the overseer of the Internet’s namespace, announced this week that it was postponing a scheduled change to the cryptographic key that protects the Domain Name System.
ICANN said in a statement that the change was to occur on Oct. 11, but new data indicates that a “significant number” of resolvers used by ISPs and large network operators are not ready. ICANN hopes to reschedule the rollover to the first quarter of next year.
“There may be multiple reasons why operators do not have the new key installed in their systems: some may not have their resolver software properly configured and a recently discovered issue in one widely used resolver program appears to not be automatically updating the key as it should, for reasons that are still being explored,” ICANN said.
The key signing key (KSK) rollover, as it’s known, requires the generation of a new cryptographic key pair and distribution of the public key to DNSSEC resolvers. ICANN said the rollover would affect 750 million people.
“The security, stability and resiliency of the domain name system is our core mission. We would rather proceed cautiously and reasonably, than continue with the roll on the announced date of 11 October,” said ICANN CEO and president Göran Marby. “It would be irresponsible to proceed with the roll after we have identified these new issues that could adversely affect its success and could adversely affect the ability of a significant number of end users.”
ICANN advises network operators and ISPs to ensure their systems are ready for the new rollover data, and to make use of its testing platform to ensure resolvers are properly configured.
In the meantime, ICANN is exploring a resolution to the current issues via its Security and Stability Advisory Committee, the Regional Internet Registries and network operator groups.