ICANN had been intending to rollout a new root zone “key signing key” (KSK) on October 11. This key is used to secure the DNS servers that act as the Internet’s address book, mapping human-friendly domain names to numerical IP addresses of individual servers.
The key forms the basis of a trust chain for the entire Internet, so DNS resolvers – the infrastructure your ISP uses to translate “digitaljournal.com” to “38.117.74.211” – can be confident the server at 38.117.74.211 really is the one behind “digitaljournal.com.”
ICANN’s changing the key to make it longer and more secure. This will ultimately boost the Internet’s global protection and make the domain name system more robust. However, with less than two weeks until the rollout was due, it’s emerged that vast swathes of the Internet aren’t ready for the change.
Because the new key is based on a different standard, older DNS resolvers will need an upgrade to accept it. Aware of this, ICANN has been slowly transitioning to the new key since May 2016. Over half of the affected servers are still reporting they have the old key installed though. This poses a big problem for ICANN, since switching off support for the legacy version would stop customers of the impacted ISPs from using the web.
READ NEXT: ‘Network’ issue causes worldwide airline check-in delays
ICANN has estimated that a quarter of all Internet users could be affected if the key is disabled. This would have an immediate impact on the lives of around 60 million people, making it unthinkable to proceed with the rollout. In a worst case scenario, 750 million web users might be knocked offline.
ICANN’s been forced to drop the plan, saying it would be “irresponsible” to continue. It has “tentatively” rescheduled the change to be complete by March 2018 and will be reaching out to service providers to ensure they’re ready.
“The security, stability and resiliency of the domain name system is our core mission,” said Göran Marby, ICANN CEO. “It would be irresponsible to proceed with the roll[out] after we have identified these new issues that could adversely affect its success and could adversely affect the ability of a significant number of end users.”
The problems experienced while introducing the new key demonstrate how much work is required to complete an Internet-wide security upgrade. Even after a year-long grace period where the old and new keys have coexisted, many providers are still not ready to make the switch. ICANN intends to create a public list of all the DNS resolvers still using the outdated key, encouraging the community to identify their owners and work out a way of updating them.
