ICANN published a detailed guide on what to expect during a KSK update in the root zone.

Original Author: ICANN Office of the CTO
  • Translation

ICANN is preparing for the first-ever change of the cryptographic keys that help protect the Internet's Domain Name System (DNS), and in connection with this it has published a guide describing what to expect during the process.

Link to news text from ICANN.

The key change, a process known as the “key signing key (KSK) rollover,” is scheduled for October 11, 2018.

This new ICANN guide is intended for an audience with any level of technical expertise. The information it provides on what to expect is intended to help everyone prepare for the key update.

The guide is published as part of ICANN's ongoing work to raise awareness of the key rollover. It also provides a detailed description of the entire process.

The full guide is available here.

The guide is most useful for operators of validating resolvers who want clear instructions on what to expect after updating the key, as well as for non-technical journalists, bloggers and others who plan to write about updating the key before, during and after the event itself.

In addition, the document may be useful to researchers who will monitor the DNS for resolver failures after the key rollover procedure is completed.

Although ICANN expects the impact of the root zone KSK change on users to be minimal, a small percentage of Internet users are expected to have difficulty resolving domain names, which, in non-technical terms, means they will have problems reaching their online destination.

Currently, a small number of recursive resolvers that validate Domain Name System Security Extensions (DNSSEC) are misconfigured, and some users may depend on these resolvers.

The document describes which users may experience difficulties and what kinds of difficulties to expect at different stages.


Who will not be affected by the update:

  • Users who depend on a resolver that has the latest KSK
  • Users who depend on a resolver in which DNSSEC validation is not enabled

Who will be affected by the update and how:

If the new KSK is not present in the resolver's trust anchor configuration, then within 48 hours after the key update is completed, users will begin to see name resolution failures (usually in the form of "server failure", or SERVFAIL, errors).

NOTE: It is not possible to predict when operators of resolvers that are affected by the update will notice that they have stopped validating.

The results of the analysis allow us to conclude that over 99% of users whose resolvers perform validation will not be affected by the KSK update.

Users who use at least one resolver that is ready for the update will not notice any change in their use of DNS or the Internet in general after the update. The same is true of users whose resolvers do not perform DNSSEC validation; it is currently estimated that two-thirds of users use resolvers in which DNSSEC validation is not enabled.

And finally, although the key update is now scheduled for October 11, 2018, this date is still subject to ratification by the ICANN Board.

Information about everything related to the key update is available here.
