The Only Specialized Global Intellectual Property News Agency
A Member of Talal Abu-Ghazaleh Global

ICANN Publishes Comprehensive Guide on What to Expect During the Root KSK Rollover

26-Aug-2018 | Source : ICCAN | Visits : 4794

LOS ANGELES – As the ICANN Organization prepares, for the first time ever, to change the cryptographic keys that help protect the Internet's Domain Name System (DNS), the organization has published a guide to let people know what to expect.

The changing of the keys, known as the "Root Key Signing Key (KSK) Rollover", is currently scheduled for October 11, 2018. The new ICANN guide is intended for those with all levels of technical expertise. It will help everyone prepare for the rollover by detailing what to expect. It is part of the ICANN Organization's ongoing efforts to raise awareness of the rollover and will also afford details about the rollover process.

Those who will find the guide most useful are operators of validating resolvers seeking clear direction on what to look for once the rollover occurs; non-technical journalists, bloggers and others who intend to write about the rollover before, during, and after the event will also benefit. Additionally, the document can be of value researchers who will be monitoring the DNS for indications of resolver failure after the rollover occurs.

While ICANN org expects user impact from the root KSK rollover to be minimal, a small percentage of Internet users are expected to see problems in resolving domain names, which in lay terms means they will have problems reaching their online destination. There are currently a small number of Domain Name System Security Extensions (DNSSEC) validating recursive resolvers that are misconfigured, and some of the users relying upon these resolvers may experience problems. This document describes which users are most likely to see problems, and among those - what types of issues they will face at various times. To summarize:

Those who will not be affected:

Users who rely on a resolver that has the new KSK

Users who rely on a resolver that does not perform DNSSEC validation

Those who will be affected and how:

If all of a users' resolvers do not have the new KSK in their trust anchor configuration, the user will start seeing name resolution failures (typically "server failure" or SERVFAIL errors) at some point within 48 hours of the rollover. NOTE: It is impossible to predict when the operators of affected resolvers will notice that validation is failing for them.

Data analysis suggests that more than 99% of users whose resolvers are validating will be unaffected by the KSK rollover. Users who use at least one resolver that is ready for the rollover will see no change in their use of the DNS or the Internet in general after the rollover. (The same is true for users whose resolvers do not perform DNSSEC validation at all. Current estimates are that about two-thirds of users are behind resolvers that do not yet perform DNSSEC validation.)

Lastly, while the rollover is currently planned to take place on 11 October 2018, this date is pending ratification by the ICANN Board.


Related Articles