ICANN Approves Plans To Change DNS’s Cryptographic Keys For First Time

After two delays, ICANN is now set to change the cryptographic key that helps protect the Domain Name System (DNS), the Internet's address book, on 11 October. During a 16 September meeting in Belgium, the ICANN Board passed a resolution, with a minority dissent, directing the organization to proceed with plans to change or “roll” the key for the DNS root. It will mark the first time the key has been changed since it was first put into use in 2010.

“This is an important move and we have an obligation to ensure that it happens in furtherance of ICANN's mission, which is to ensure a secure, stable and resilient DNS,” said ICANN Board Chair Cherine Chalaby. “There is no way of completely assuring that every network operator will have their 'resolvers' properly configured, yet if things go as anticipated, we expect the vast majority to have access to the root zone.”

The rolling of the key was originally delayed because data obtained in December 2017 showed that a significant number of resolvers used by Internet Service Providers (ISPs) and network operators were not yet ready for the key rollover. This data is available only because of a very recent DNS protocol feature that lets a resolver report back to the root servers which keys it has configured.
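The reporting feature described above is RFC 8145 trust-anchor key-tag signaling, in which a validating resolver queries the root for a name of the form `_ta-<keytag>[-<keytag>...]`; the article does not name the mechanism, so that identification is an assumption. The following is an added example, not ICANN's or any resolver vendor's code: it builds and parses those signal names and grades each source in constructed query-log lines by whether it has the new root KSK; the key tags 19036 (2010 KSK) and 20326 (2017 KSK) come from the published root zone, not from this article.

```python
# Parse and build RFC 8145 trust-anchor signals (the "_ta-<keytag>..." names a
# validating resolver queries at the root) and grade resolvers' roll readiness.
import re

KSK_2010 = 19036   # key tag of the 2010 root KSK (hex 4a5c)
KSK_2017 = 20326   # key tag of the 2017 root KSK (hex 4f66)
# Signal label: "_ta-" followed by one or more 4-hex-digit key tags.
_TA_LABEL = re.compile(r"^_ta(?:-[0-9a-f]{4})+$", re.IGNORECASE)

def build_signal_name(key_tags):
    """Query name a resolver sends for these trust-anchor key tags (sorted, 4 hex digits each)."""
    tags = sorted(set(key_tags))
    if not tags or any(not 0 <= t <= 0xFFFF for t in tags):
        raise ValueError("key tags must be 16-bit integers")
    return "_ta-" + "-".join(f"{t:04x}" for t in tags) + "."

def parse_signal_name(qname):
    """Key tags encoded in a _ta-... name, or None if the name is not a signal."""
    first = qname.rstrip(".").split(".")[0]
    if not _TA_LABEL.match(first):
        return None
    return {int(h, 16) for h in first.split("-")[1:]}

def classify(key_tags):
    """Readiness verdict for a resolver that signalled the given trust anchors."""
    if KSK_2017 in key_tags:
        return "ready"        # new KSK present: validation survives the roll
    if KSK_2010 in key_tags:
        return "not-ready"    # old KSK only: validation fails once the roll happens
    return "unknown-anchor"

def summarize_log(lines):
    """Map each source address in '<src> <qname>' log lines to its readiness."""
    seen = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        tags = parse_signal_name(parts[1])
        if tags is not None:
            seen.setdefault(parts[0], set()).update(tags)
    return {src: classify(tags) for src, tags in seen.items()}

# Constructed sample log lines (source address, queried name); not real telemetry.
SAMPLE_LOG = [
    "192.0.2.10 _ta-4a5c-4f66.",
    "198.51.100.7 _ta-4a5c.",
    "203.0.113.3 www.example.",
    "203.0.113.3 _ta-4f66.",
]
```

A resolver that signals only the 2010 key tag is the case the article's December 2017 data flagged; a resolver that signals nothing at all cannot be graded this way, which is why the signal only gives a lower bound on unreadiness.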

As explained at the time, there may have been multiple reasons why operators did not have the new key installed in their systems: some may not have had their resolver software properly configured, and a recently discovered issue in one widely used resolver program appears to be preventing it from updating the key automatically as it should, for reasons that are still being explored.

During the changing of the key, ICANN advises that some Internet users might be affected if their network operators or ISPs have not prepared for the roll. Operators who have enabled checking of Domain Name System Security Extensions (DNSSEC) information, a set of security protocols used to ensure DNS data is not accidentally or maliciously corrupted, are the ones who need to be certain they are ready for the roll.

“Research shows that there are many thousands of network operators that have enabled DNSSEC validation, and about a quarter of the Internet's users rely on those operators,” said David Conrad, ICANN's Chief Technology Officer. “It is almost certain there will be at least a few operators somewhere across the globe who won't be prepared, but even in the worst case, all they have to do to fix the problem is turn off DNSSEC validation, install the new key, and re-enable DNSSEC, and their users will again have full connectivity to the DNS.”

An analysis ultimately led ICANN to believe it could safely proceed with the changing of the key. As a result, after consultation with the community, ICANN developed a new plan that recommends putting the new key into use exactly one year after originally scheduled. In the intervening time, ICANN has continued extensive outreach and investigations on how to best mitigate risks associated with the key change.