
ICANN’s internet DNS security upgrade apparently goes off without a glitch

News Analysis
Oct 12, 2018

DNS Root KSK rollover happened Oct. 11 and will tighten security for the internet’s address book


So far, so good. That’s the report from the Internet Corporation for Assigned Names and Numbers (ICANN) after it carried out, on Oct. 11, the first-ever change of the cryptographic key that helps protect the internet’s address book, the Domain Name System (DNS).

The change is central to ICANN’s project to replace the top pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC), commonly known as the root zone key signing key (KSK). The KSK signs the root zone’s own key set, so it is the trust anchor from which every DNSSEC validation chain descends. This so-called root KSK rollover from the 2010 KSK to the 2017 KSK was originally scheduled a year earlier but was postponed until Oct. 11 of this year because of concerns that it might disrupt internet connectivity for significant numbers of users.

But so far, that hasn’t happened.

ICANN wrote: “The root KSK rollover has occurred: the new root zone signed by new KSK (known as KSK-2017) has been published to the root servers. The root KSK rollover occurred at 1600 UTC [noon EDT] today, 11 October, with the publication of the root zone with serial number 2018101100. Please see the main rollover page for further information on the rollover.”

Later it followed up with, “In the first six hours after the rollover, there were a few reports of problems that were mostly fixed quickly.”

The status of the rollover can be followed on ICANN’s KSK rollover page.

The ICANN Board last month decided to go ahead with the rollover after delaying the procedure for a year. ICANN predicted minimal impact from the rollover but warned a small percentage of internet users could see problems resolving domain names, which means they might have problems reaching their online destinations.

ICANN said that for enterprise users the move should have had little impact: more than 99 percent of users whose resolvers perform DNSSEC validation would be unaffected by the KSK rollover. Resolvers that do not validate at all ignore the root keys entirely and were never at risk. Validating resolvers should already have been updated either to perform automatic trust-anchor rollovers (the “RFC 5011” mechanism) or to carry the new key, KSK-2017, installed manually before the rollover date. The caveat is the one that matters operationally: a validating resolver still configured with only the 2010 key can no longer validate the root zone after Oct. 11, and it will fail every lookup rather than answer insecurely.
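How an RFC 5011-capable resolver picks up KSK-2017 on its own, and why a resolver that missed that process has to be fixed by hand, is easier to see in code. The following is an added example written for this article, not ICANN’s code and not the code of any resolver vendor. It implements a simplified version of the RFC 5011 trust-anchor state machine (add hold-down and revocation) together with the RFC 4034 key-tag computation, and walks through a constructed version of the rollover timeline. The key bytes, dates and the names `Rfc5011Resolver`, `simulate_root_rollover` and `simulate_rogue_key` are all illustrative; RRSIG verification is assumed to have happened elsewhere and is represented only by the list of keys that signed the DNSKEY RRset.

```python
# Simplified RFC 5011 automated trust-anchor tracking, as a validating resolver
# applies it during a root KSK rollover. Added example; not ICANN's or any
# resolver's code. Keys, dates and signatures are constructed for illustration:
# RRSIG verification is assumed to happen elsewhere and is represented by the
# list of DNSKEYs that signed the DNSKEY RRset.
from dataclasses import dataclass
from datetime import datetime, timedelta

SEP = 0x0001            # Secure Entry Point bit: marks a KSK (flags == 257)
REVOKE = 0x0080         # RFC 5011 revocation bit (a revoked KSK has flags == 385)
ADD_HOLD_DOWN = timedelta(days=30)   # RFC 5011 add hold-down time


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B over DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    pubkey: bytes
    alg: int = 8        # RSASHA256, the algorithm of both root KSKs

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([3, self.alg]) + self.pubkey

    def tag(self) -> int:
        return key_tag(self.rdata())


@dataclass
class Anchor:
    key: DNSKEY
    state: str          # "AddPend", "Valid" or "Revoked"
    first_seen: datetime


class Rfc5011Resolver:
    """Tracks trust anchors keyed by public key (a key's tag changes once REVOKE is set)."""

    def __init__(self, initial: DNSKEY, now: datetime):
        self.anchors = {initial.pubkey: Anchor(initial, "Valid", now)}

    def trusted_tags(self) -> set:
        return {a.key.tag() for a in self.anchors.values() if a.state == "Valid"}

    def observe(self, now: datetime, rrset: list, signers: list) -> None:
        """Process one root DNSKEY RRset; `signers` are the keys whose RRSIGs over it verified."""
        valid = {p for p, a in self.anchors.items() if a.state == "Valid"}
        # RFC 5011 section 2.2: the RRset only counts if a currently trusted anchor signed it.
        if not any(s.pubkey in valid for s in signers):
            return
        for key in rrset:
            anchor = self.anchors.get(key.pubkey)
            if key.flags & REVOKE:
                # Revocation is honoured only when the revoked key also signed the RRset.
                if anchor and any(s.pubkey == key.pubkey for s in signers):
                    anchor.state = "Revoked"
            elif not key.flags & SEP:
                continue                      # ZSKs are never trust anchors
            elif anchor is None:
                self.anchors[key.pubkey] = Anchor(key, "AddPend", now)
            elif anchor.state == "AddPend" and now - anchor.first_seen >= ADD_HOLD_DOWN:
                anchor.state = "Valid"        # seen across the hold-down (simplified check)
        # A pending key that drops out of the zone starts over. A Valid anchor is never
        # removed merely because it disappears; only an explicit revocation retires it.
        present = {k.pubkey for k in rrset}
        for p in [p for p, a in self.anchors.items() if a.state == "AddPend" and p not in present]:
            del self.anchors[p]


def simulate_root_rollover():
    """Constructed timeline of the KSK-2010 -> KSK-2017 roll as one resolver sees it."""
    ksk2010 = DNSKEY(257, bytes.fromhex("01020304"))   # constructed bytes, not real key material
    ksk2017 = DNSKEY(257, bytes.fromhex("0a0b0c0d"))
    ksk2010_revoked = DNSKEY(257 | REVOKE, ksk2010.pubkey)
    t = datetime(2017, 7, 11)
    r = Rfc5011Resolver(ksk2010, t)
    timeline = []
    # Pre-publication: the new KSK appears in the RRset, still signed only by the old one.
    r.observe(t, [ksk2010, ksk2017], [ksk2010])
    timeline.append(r.trusted_tags())
    # Hold-down elapsed: the new KSK is promoted to a trust anchor.
    t += timedelta(days=31)
    r.observe(t, [ksk2010, ksk2017], [ksk2010])
    timeline.append(r.trusted_tags())
    # Rollover day: the RRset is now signed by the new KSK; the old one is still published.
    t = datetime(2018, 10, 11)
    r.observe(t, [ksk2010, ksk2017], [ksk2017])
    timeline.append(r.trusted_tags())
    # Revocation: the old KSK reappears with REVOKE set and signs the RRset itself.
    t = datetime(2019, 1, 11)
    r.observe(t, [ksk2010_revoked, ksk2017], [ksk2010_revoked, ksk2017])
    timeline.append(r.trusted_tags())
    return ksk2010.tag(), ksk2017.tag(), timeline


def simulate_rogue_key():
    """A DNSKEY RRset not signed by a current anchor changes nothing, whoever signed it."""
    ksk2010 = DNSKEY(257, bytes.fromhex("01020304"))
    rogue = DNSKEY(257, bytes.fromhex("fffe"))          # attacker-supplied key, self-signed only
    r = Rfc5011Resolver(ksk2010, datetime(2017, 7, 11))
    r.observe(datetime(2017, 7, 12), [rogue], [rogue])
    return r.trusted_tags()


if __name__ == "__main__":
    old, new, steps = simulate_root_rollover()
    print(f"KSK-2010 tag {old}, KSK-2017 tag {new}")
    for trusted in steps:
        print("trusted:", sorted(trusted))
    print("after rogue RRset:", sorted(simulate_rogue_key()))
```

Two properties of the state machine explain the operational guidance above. A new key only becomes an anchor after it has been seen, signed by an existing anchor, for the whole hold-down period, so a resolver that was switched on (or restored from an old image) after the pre-publication window never learns KSK-2017 automatically and must have it installed by hand. And an unsigned or self-signed RRset, as in `simulate_rogue_key`, is simply ignored, which is what keeps an on-path attacker from slipping a key of their own into the trust store during the roll.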

During its meeting, ICANN spelled out the driving forces behind the need for the improved DNS security that the rollover brings. The continued evolution of internet technologies and facilities, the deployment of IoT devices and the increased capacity of networks all over the world, coupled with the lack of sufficient security in those devices and networks, give attackers increasing power to cripple internet infrastructure, ICANN stated.

The KSK rollover involved generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, according to ICANN. Such resolvers run the software that converts human-readable domain names into IP addresses, and a validating resolver additionally checks the DNSSEC signatures on the answers it receives against that public component, the root’s trust anchor.

The parties that need the new public key include internet service providers, enterprise network administrators and other DNS resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root’s “trust anchor,” ICANN said.