DNSSEC Key Rollover Delayed to Prevent Users Going Offline

The Internet Corporation for Assigned Names and Numbers (ICANN) announced this week that the replacement of the root zone key signing key (KSK) for the Domain Name System Security Extensions (DNSSEC) protocol has been postponed by at least one quarter due to the failure of some network operators to install the new key.

ICANN estimates that roughly 750 million people worldwide are affected by the KSK rollover. The change of the key was initially planned for October 11, but ICANN has recently learned that many network operators and Internet service providers (ISPs) are not prepared, which would lead to tens of millions of users going offline.

Data provided by a recently added DNS protocol feature has allowed ICANN to see how many DNSSEC-validating resolvers have been configured with the new root KSK. The data shows that roughly 6-8% of these systems still use the KSK from 2010, the year when the DNSSEC protocol was introduced.

This means that as many as 60 million users may have been kicked off the Internet had ICANN decided to stick to the original date of October 11.

“Throughout the project we have emphasized that the root KSK is being rolled under normal operational conditions and have proceeded cautiously and without haste,” explained Matt Larson, VP of Research at ICANN’s Office of the CTO. “The decision to postpone was taken in that spirit of caution because there is no operational pressure to proceed given our continued confidence in the security of KSK-2010.”

While some network operators may simply have failed to manually configure the new KSK, ICANN believes other organizations may not even know they are unprepared for the key rollover. These organizations configured their systems to update the key automatically, but the process failed due to software defects, operator errors or some other cause.

A new date has not been set for the key rollover, but ICANN has decided to delay it for at least one quarter.

DNSSEC and the KSK rollover

Since DNS, the system that translates domain names to IP addresses, was not designed with security in mind, the DNSSEC protocol was introduced to prevent users from being directed to malicious websites via DNS spoofing attacks.

DNSSEC aims to achieve this by cryptographically signing DNS information, including the root zone, which is the highest level of the DNS structure. If DNSSEC is used, the root zone vouches for the public key of the .com zone (or other TLD zone), which in turn vouches for all .com domains. Since the root zone is at the top of the DNS hierarchy, there is no higher level to vouch for it so its zone key is configured as a “trust anchor,” a key that is declared trustworthy.

The trust anchor key is called a key signing key (KSK), and all recursive name servers performing DNSSEC validation need to have the root zone’s KSK set as a trust anchor. These name servers are typically operated by Internet service providers (ISPs) and enterprises, and if the KSK is not configured properly, DNS resolution will not work for their users.

Because the key could eventually be compromised, ICANN plans to periodically change, or roll, the KSK. A new KSK was generated in October 2016 and the plan was to have it replace the original key by October 11. According to the initial schedule, the old KSK would have been revoked on January 11, 2018.
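One way a resolver operator could audit a trust-anchor file for the presence of the old and new root KSKs, as an added example that is not ICANN's code or any resolver's own tooling: the key tag computation follows RFC 4034 Appendix B, the sample anchor file and its key material are constructed placeholders, and the tags 19036 (KSK-2010) and 20326 (KSK-2017) are the published values, which the article itself does not state.

```python
import base64
import re
import struct

# Published key tags of the two root KSKs (not stated in the article).
KSK_2010_TAG = 19036
KSK_2017_TAG = 20326

# Constructed sample trust-anchor file in DNSKEY presentation format
# (the layout used by files such as unbound's root.key); keys are NOT real.
SAMPLE_ANCHORS = """\
; constructed sample, key material is a placeholder
.  172800  IN  DNSKEY  257 3 8 AQIDBA==
.  172800  IN  DNSKEY  256 3 8 //8=
"""

DNSKEY_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)"
)


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_anchors(text):
    """Return (owner, flags, key_tag) for each DNSKEY line; ';' comments skipped."""
    found = []
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.split(";", 1)[0].strip())
        if not m:
            continue
        owner, flags, proto, alg, b64 = m.groups()
        tag = key_tag(int(flags), int(proto), int(alg), base64.b64decode(b64))
        found.append((owner, int(flags), tag))
    return found


def rollover_status(anchors):
    """Which root KSKs (SEP bit set in flags, e.g. 257) does the resolver trust?"""
    ksk_tags = {tag for owner, flags, tag in anchors if owner == "." and flags & 1}
    return {
        "has_ksk_2010": KSK_2010_TAG in ksk_tags,
        "has_ksk_2017": KSK_2017_TAG in ksk_tags,
        "ready_for_rollover": KSK_2017_TAG in ksk_tags,
    }


if __name__ == "__main__":
    print(rollover_status(parse_anchors(SAMPLE_ANCHORS)))
```

Run against a real trust-anchor file, a resolver is ready only when `has_ksk_2017` is true; the constructed sample reports neither key present.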

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
