The Board of Directors for the Internet Corporation of Assigned Names and Numbers (ICANN) has approved plans for the first-ever changing of the cryptographic key that helps protect the Domain Name System (DNS) – the Internet’s address book.
During a 16 September meeting in Belgium, the ICANN Board passed a resolution, directing the organization to proceed with its plans to change or “roll” the key for the DNS root on 11 October 2018. It will mark the first time the key has been changed since it was first put in use in 2010.
“This is an important move and we have an obligation to ensure that it happens in furtherance of ICANN’s mission, which is to ensure a secure, stable and resilient DNS” said ICANN Board Chair Cherine Chalaby. “There is no way of completely assuring that every network operator will have their ‘resolvers’ properly configured, yet if things go as anticipated, we expect the vast majority to have access to the root zone.”
Some Internet users might be affected if the network operators or Internet Service Providers (ISPs) have not prepared for the roll. Those operators who have enabled the checking of Domain Name System Security Extensions or DNSSEC information (a set of security protocols used to ensure DNS information isn’t accidentally or maliciously corrupted) are those who need to be certain they are ready for the roll.
“Research shows that there are many thousands of network operators that have enabled DNSSEC validation, and about a quarter of the Internet’s users rely on those operators,” said David Conrad, ICANN’s Chief Technology Officer. “It is almost certain there will be at least a few operators somewhere across the globe who won’t be prepared, but even in the worst case, all they have to do to fix the problem is, turn off DNSSEC validation, install the new key, and reenable DNSSEC and their users will again have full connectivity to the DNS.”
The changing of the DNS root key was originally scheduled to happen a year ago, but plans were put on hold after the ICANN organization found and began analyzing some new, last-minute data. That data dealt with the potential readiness of network operators for the key roll.
An analysis ultimately led the organization to believe it could safely proceed with the changing of the key. As a result, the organization, after consultation with the community, developed a new plan that recommends putting the new key into use exactly one year after originally scheduled. In the intervening time, the organization has continued extensive outreach and investigations on how to best mitigate risks associated with the key change.
The ICANN Board, during its 16 September meeting, passed a resolution approving the plan, and with that, the ICANN org has set in motion its plans to change key at 4PM UTC on 11 October 2018.
“This is the first root key change, but it won’t be the last,” said Matt Larson, Vice President of Research at ICANN and the organization’s point person for the key roll. “This is the first time, so naturally we are bending over backwards to make certain that everything goes as smoothly as possible, but as we do more key rollovers in the future, the network operators, ISPs, and others will become more accustomed to the practice.”