ICANN Delays Changing Keys Protecting the Domain Name System

Los Angeles, California… The Internet Corporation for Assigned Names and Numbers ("ICANN") today announced that the plan to change the cryptographic key that helps protect the Domain Name System (DNS) is being postponed.

The changing or "rolling" of the key was originally scheduled to occur on 11 October, but it is being delayed because some recently obtained data shows that a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators are not yet ready for the Key Rollover.

There may be multiple reasons why operators do not have the new key installed in their systems: some may not have their resolver software properly configured and a recently discovered issue in one widely used resolver program appears to not be automatically updating the key as it should, for reasons that are still being explored.

"The security, stability and resiliency of the domain name system is our core mission. We would rather proceed cautiously and reasonably, than continue with the roll on the announced date of 11 October," said ICANN CEO Göran Marby. "It would be irresponsible to proceed with the roll after we have identified these new issues that could adversely affect a significant number of end users."

Changing the key involves generating a new cryptographic key pair and distributing the new public component to the Domain Name System Security Extensions (DNSSEC)-validating resolvers. Based on the estimated number of Internet users who use DNSSEC validating resolvers, an estimated one-in-four global Internet users, or 750 million people, could be affected by the KSK rollover.

ICANN is reaching out to its community, Regional Internet Registries, Network Operator Groups and others to help explore and resolve the issues.

A new date for the Key Roll has not yet been determined. ICANN's Office of the Chief Technology Officer says it is tentatively hoping to reschedule the Key Roll for the first quarter of 2018, but it will be dependent on more fully understanding the new information and mitigating as many potential failures as possible. In the meantime, ICANN remains confident in the security of the current cryptographic key and by extension, the security of the DNS.

ICANN will provide additional information as it becomes available and the new Key Roll date will be announced as appropriate.

"It's our hope that network operators will use this additional time period to be certain that their systems are ready for the Key Roll," said Marby. "Our testing platform (http://go.icann.org/KSKtest) will help operators ensure that their resolvers are properly configured with the new key and we will continue our engagement and communications to these operators."

About DNSSEC

To easily identify resources on the Internet, the underlying numerical addresses for these resources are represented by human readable strings. The conversion of these strings to numbers is done by the distributed hierarchical Domain Name System (DNS). Increased sophistication in computing and networking since its design in 1983 have made this "phone book" vulnerable to attacks. In response to these threats, the international standards organization, IETF, developed DNSSEC to cryptographically ensure DNS content cannot be modified from its source without being detected. Once fully deployed, DNSSEC will stop the attacker's ability to redirect users using the DNS.

##

To keep informed about KSK Rollover developments go here: https://www.icann.org/resources/pages/ksk-rollover

On social media use: #Keyroll

# # #

Media Contacts

Brad White
Director of Communications, North America
Washington, D.C.
Tel: +1 202 570 7118
Email: brad.white@icann.org

Alexandra Dans
Senior Manager, Latin America and Caribbean Communications
Montevideo, Uruguay
Tel: +598 95 831 442
Email: alexandra.dans@icann.org

About ICANN

ICANN's mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you have to type an address into your computer - a name or a number. That address has to be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation and a community with participants from all over the world. ICANN and its community help keep the Internet secure, stable and interoperable. It also promotes competition and develops policy for the top-level of the Internet's naming system and facilitates the use of other unique Internet identifiers. For more information please visit: www.icann.org.

 Keyword Research Tool

ICANN CTO Tours Asia To Engage the Technical Community and Regional Stakeholders

SINGAPORE … Internet Corporation for Assigned Names and Numbers (ICANN) Chief Technology Officer (CTO) David Conrad kicks off a four-city Asia tour to engage regional stakeholders and technical community today.

Conrad is visiting China, India, Japan and Singapore over two weeks. He will be meeting regional stakeholders to share information about ICANN's technical role in the domain name ecosystem, and explore potential partnership opportunities in the technical field. He will also visit major technology firms and research institutions to better understand key regional technological developments.

"The mission of my office is to constantly improve knowledge and technical operation of the unique identifiers of the domain name system that ICANN helps to coordinate. This tour is very much in support of that fact-finding and knowledge sharing mission," said David Conrad, ICANN CTO.

"I used to live in Asia and appreciate the creativity and innovation that emerges from this region. I'm hoping to find some 'hidden gems' and opportunities to collaborate in areas such as further improving the security, stability and resiliency of the Internet's global identifier systems," he continued.

During the visit, Conrad will meet with regional ICANN community representatives including government, contracted parties, technical community and academia to discuss topics such as:

  • Domain Name System (DNS) security – the DNS translates names into numbers called Internet Protocol (IP) addresses. ICANN coordinates this addressing system to ensure that all the addresses are unique and we can have one global Internet. DNS security looks at measures to protect the DNS e.g. safeguarding your server.
  • DNS Security Extensions (DNSSEC) – this is a suite of extensions that add security to the DNS protocol by enabling DNS responses to be validated. This technology was developed to protect against vulnerabilities in the DNS that allow an attacker to hijack any step of the DNS lookup process and take over control of a session. Full deployment of DNSSEC will ensure that the end user is connecting to the actual website or service corresponding to a particular domain name.
  • Key Signing Key (KSK) Rollover – ICANN is changing of the "top" pair of cryptographic keys used in DNSSEC protocol to protect the DNS. The KSK rollover will take place on 11 October 2017. All network operators who have enabled DNSSEC validation must update their systems to ensure that services are not interrupted on 11 October.
  • Public Technical Identifiers (PTI) – an affiliate of ICANN, PTI is responsible for the operational aspects of coordinating the Internet's unique identifiers and performs the IANA functions for domain names, number resources and protocol parameters.

"I'm very happy that David is here to engage with the Asia stakeholders. We hope that through this trip, we can increase the region's contribution and participation to ICANN, especially from the technical perspective," said Jia-Rong Low, Vice President and Managing Director, ICANN Asia Pacific.

Office of the CTO (OCTO)

The OCTO supports improving the security, stability and resiliency of the Internet's system of unique identifiers. The team researches issues relating to these identifiers and provides capacity building training for DNS, DNSSEC and Security. OCTO also participates in various international technical and security community groups.

For more information about OCTO, please visit here.
For more information about technology@ICANN, please visit here.
For more information about DNSSEC, please visit here.
For more information about the pending Key Roll, please visit here.
For more information about PTI, please visit here.

###

Media Contacts

Liana Teo
Head of Communications, APAC
Singapore
Tel: +65 9765 5500
Email: liana.teo@icann.org

Fiona Aw
Global Communications Coordinator
Singapore
Tel: +65 9113 6621
Email: fiona.aw@icann.org

About ICANN

ICANN's mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address into your computer or other device – a name or a number. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation and a community with participants from all over the world.

For more information, please visit: www.icann.org