The root zone KSK Rollover was originally scheduled to happen in October 2017 but was delayed just a couple of weeks before the scheduled date. In December it was rescheduled for the first quarter of 2018 and then delayed once more. Now ICANN has announced the KSK Rollover will happen in October 2018.
The delays in the Rollover have occurred because of fears that as many as one in 4 internet users could have lost internet access. The changing or “rolling” of the KSK was originally delayed because some data obtained just a couple of weeks before the originally scheduled date showed that a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators were not yet ready for the Key Rollover. The new data became available thanks to a very recent DNS protocol feature that lets a resolver report back to the root servers which keys it has configured.
ICANN explained “there may be multiple reasons why operators do not have the new key installed in their systems: some may not have their resolver software properly configured and a recently discovered issue in one widely used resolver program appears to not be automatically updating the key as it should, for reasons that are still being explored.”
ICANN then undertook to reach out to its community, including its Security and Stability Advisory Committee, the Regional Internet Registries, Network Operator Groups and others to help explore and resolve the issues.
Changing the key involves generating a new cryptographic key pair and distributing the new public component to the Domain Name System Security Extensions (DNSSEC)-validating resolvers. Based on the estimated number of Internet users who use DNSSEC-validating resolvers, had the Rollover gone ahead last October, the estimated one in 4 global internet users would have meant that 750 million people could have lost internet access as a result of the KSK rollover.
ICANN has now opened a formal public comment period to receive community input on a draft plan to proceed with the KSK rollover project. This comment period will run until 1 April 2018.
The plan calls for rolling the root zone KSK on 11 October 2018 (one year later than originally planned), continuing extensive outreach to notify as many resolver operators as possible, and publishing more observations of the RFC 8145 trust anchor report data. Additional details are contained within the plan.
In addition, there will be a session at ICANN61 in Puerto Rico to further discuss the plan and obtain additional feedback.
The draft plan follows ICANN’s posting in late December, in which ICANN announced next steps in the process to resume the root KSK rollover project. At the time ICANN described their efforts to track down the operators of DNS resolvers that were not ready for the rollover.
Using a protocol described in RFC 8145, these problematic resolvers had reported to the root servers a trust anchor configuration with only the current KSK (known as KSK-2010) and not the newer KSK (known as KSK-2017).
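As an added example (not from the article or from ICANN), the sketch below shows how an operator could classify RFC 8145 signals found in a query log, using the query-name form of the protocol (`_ta-` followed by four-hex-digit key tags, QTYPE NULL). The key tags 19036 (KSK-2010) and 20326 (KSK-2017) are the published root KSK key tags rather than values stated on this page, and the three-field log format and sample lines are constructed for illustration.

```python
import re

# Published root zone KSK key tags (assumption: not stated on the page).
KSK_2010 = 19036  # 0x4a5c
KSK_2017 = 20326  # 0x4f66

# RFC 8145 query-name signal: "_ta-" then 4-hex-digit key tags joined by "-".
# The EDNS option form of RFC 8145 is not covered here.
TA_QNAME = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.?$", re.IGNORECASE)

def parse_key_tags(qname):
    """Return the set of key tags in a _ta- query name, or None if not a signal."""
    match = TA_QNAME.match(qname.strip())
    if match is None:
        return None
    return {int(tag, 16) for tag in match.group(1).split("-")}

def classify(tags):
    """A resolver is ready only if it already trusts KSK-2017."""
    if KSK_2017 in tags:
        return "ready"
    if KSK_2010 in tags:
        return "not-ready"
    return "unknown"

def summarize(log_lines):
    """Map each source address to the status of its most recent signal."""
    status = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue
        src, qname, qtype = fields
        tags = parse_key_tags(qname)
        if qtype != "NULL" or tags is None:
            continue  # ordinary query or malformed signal
        status[src] = classify(tags)
    return status

# Constructed sample log: "<source address> <qname> <qtype>" (hypothetical format).
SAMPLE_LOG = [
    "192.0.2.10 _ta-4a5c NULL",
    "192.0.2.20 _ta-4a5c-4f66. NULL",
    "198.51.100.7 www.example.com. A",
    "192.0.2.10 _ta-4a5c-4f66 NULL",  # same resolver after picking up the new key
    "203.0.113.5 _ta-4a5c NULL",
    "203.0.113.9 _ta-zzzz NULL",      # malformed, ignored
]

if __name__ == "__main__":
    for src, state in sorted(summarize(SAMPLE_LOG).items()):
        print(src, state)
```
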