LOS ANGELES – As the ICANN Organization prepares, for the first time ever, to
change the cryptographic keys that help protect the Internet's Domain Name
System (DNS), the organization has published a guide to let people know what
to expect.

The changing of the keys, known as the "Root Key Signing Key (KSK) Rollover",
is currently scheduled for October 11, 2018. The new ICANN guide is intended
for those with all levels of technical expertise. It will help everyone
prepare for the rollover by detailing what to expect. It is part of the ICANN
Organization's ongoing efforts to raise awareness of the rollover and will
also afford details about the rollover process.

Those who will find the guide most useful are operators of validating
resolvers seeking clear direction on what to look for once the rollover
occurs; non-technical journalists, bloggers and others who intend to write
about the rollover before, during, and after the event will also benefit.
Additionally, the document can be of value to researchers who will be
monitoring the DNS for indications of resolver failure after the rollover
occurs.

While ICANN org expects user impact from the root KSK rollover to be minimal,
a small percentage of Internet users are expected to see problems in resolving
domain names, which in lay terms means they will have problems reaching their
online destination. There are currently a small number of Domain Name System
Security Extensions (DNSSEC) validating recursive resolvers that are
misconfigured, and some of the users relying upon these resolvers may
experience problems. This document describes which users are most likely to
see problems and, among those, what types of issues they will face at various
times. To summarize:

Those who will not be affected:

- Users who rely on a resolver that has the new KSK
- Users who rely on a resolver that does not perform DNSSEC validation

Those who will be affected and how:

- If all of a user's resolvers do not have the new KSK in their trust anchor
  configuration, the user will start seeing name resolution failures
  (typically "server failure" or SERVFAIL errors) at some point within 48
  hours of the rollover. NOTE: It is impossible to predict when the operators
  of affected resolvers will notice that validation is failing for them.

Data analysis suggests that more than 99% of users whose resolvers are
validating will be unaffected by the KSK rollover. Users who use at least one
resolver that is ready for the rollover will see no change in their use of the
DNS or the Internet in general after the rollover. (The same is true for users
whose resolvers do not perform DNSSEC validation at all. Current estimates are
that about two-thirds of users are behind resolvers that do not yet perform
DNSSEC validation.)

Lastly, while the rollover is currently planned to take place on 11 October
2018, this date is pending ratification by the ICANN Board.