ICANN Postpones Major Internet Security Update

Written by

Internet oversight body ICANN has postponed plans to change the cryptographic key that protects the global Domain Name System (DNS), claiming that some infrastructure operators aren’t ready.

Changing the key involves generating a new cryptographic key pair and distributing the new public component to Domain Name System Security Extensions (DNSSEC)-validating resolvers.

However, newly-obtained data appears to show that a 'significant' number of resolvers used by ISPs and network operators aren’t yet ready, potentially affecting as many as 750 million netizens.

ICANN claimed there could be multiple reasons why resolvers aren’t ready for the key rollover, including misconfigured resolver software.

ICANN said it is reaching out to its Security and Stability Advisory Committee, the Regional Internet Registries, Network Operator Groups and other stakeholders to try and fix the issues.

“The security, stability and resiliency of the domain name system is our core mission. We would rather proceed cautiously and reasonably, than continue with the roll on the announced date of 11 October," said ICANN president and CEO, Göran Marby.

"It would be irresponsible to proceed with the roll after we have identified these new issues that could adversely affect its success and could adversely affect the ability of a significant number of end users."

The so-called “key signing key” (KSK) rollover was slated for October 11 but will now be postponed. ICANN's Office of the Chief Technology Officer is hoping to reschedule for the first quarter of 2018, but that will depend on how easy the problem is to fix.

In the meantime, Marby suggested network operators use the extra time to get their systems in order, using ICANN’s testing platform to ensure their resolvers are properly configured with the new key.

The KSK rollover is part of a process to make the internet more secure which began all the way back in May 2016.

What’s hot on Infosecurity Magazine?