DNSSEC

Inattentive ISPs and technical faults have led the Internet Corporation for Assigned Names and Numbers (ICANN) to delay the KSK Rollover until next year.

KSK stands for the key signing key, a special cryptographic key used by core Internet DNS servers. The KSK is part of the Domain Name System Security Extensions (DNSSEC) protocol, a more secure version of the classic DNS protocol.

DNSSEC, KSK, and the KSK Rollover

The DNSSEC protocol uses cryptographic keys to digitally sign data stored in DNS records as a way to prevent DNS spoofing attacks.

Inside the DNSSEC protocol, the KSK plays the biggest role, as it vouches for the root zone, the highest level of the DNS hierarchy. Domain zones, such as .com, .org, and others, use zone signing keys (ZSKs), while other servers use DNS public keys. All in all, the DNSSEC chain of trust looks like a tree, with the root KSK on top, similar to how certificate stores work on personal computers.

When a client makes a DNS request on a server that supports DNSSEC, it checks the DNS response's validity against an authoritative DNS server. KSK and ZSK keys are used to verify the data's authenticity.

ICANN set up this complex system hoping that one day, DNSSEC will slowly replace the classic DNS protocol, and network-level attackers won't be able to force-feed users false DNS responses and lead users to the wrong servers.

ICANN was planning to replace the seven-year-old KSK key

When it set up DNSSEC, ICANN knew it had to replace the KSK key at regular intervals to prevent any attackers from obtaining a copy of the private key.

ICANN issued the first KSK key back in 2010, and in October 2016 issued the first replacement key.

According to ICANN's original plans, core DNS servers were supposed to run with the old and the new KSK keys side by side, as ISPs migrated to the new KSK in a process called KSK Rollover.

60 million users would have gone offline

According to an announcement published this week, ICANN says that many network operators failed to install the new KSK key on their infrastructure.

ICANN puts this number at between 6% and 8% of all network providers. The organization says that if it had gone forward with the original KSK Rollover plan, over 60 million Internet users would have been unable to make DNS requests on October 11, when ICANN was supposed to remove the old KSK key from the core DNS servers.

For the vast majority of cases, ICANN blames lazy ISPs that failed to update their existing keys.

ICANN also believes that many ISPs may not be aware they had not installed the latest KSK. Some ISPs set up software to automatically pull down and install the new KSK, but in some situations this software apparently had bugs and failed to download and set up the new key.
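To make the KSK/ZSK distinction from the DNSSEC section above concrete, and to show why a resolver that never picked up the new KSK would stop validating once the old one is removed, here is an added worked example in Python. It is not code from the article or from ICANN: it parses DNSKEY records in standard presentation format, computes each key's tag with the RFC 4034 Appendix B algorithm, labels keys as KSK or ZSK from the SEP flag bit, and compares the published KSKs against the key tags a resolver has configured as trust anchors. The DNSKEY records are constructed for the example (tiny made-up public keys, not the real root keys), so the key tags they produce are not the root's tags.

```python
import base64
import re

# Constructed sample root DNSKEY RRset in presentation format (NOT the real root keys).
# Flags 257 = zone key + SEP bit, i.e. a key-signing key (KSK); 256 = zone-signing key (ZSK).
# Two KSKs are published side by side, as during a rollover: an "old" one and a "new" one.
SAMPLE_DNSKEY_RRSET = """\
. 172800 IN DNSKEY 257 3 8 AQIDBA==
. 172800 IN DNSKEY 257 3 8 ECA=
. 172800 IN DNSKEY 256 3 8 qrs=
"""

DNSKEY_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$"
)


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA.

    This is the general algorithm; RFC 4034 defines a different rule for
    algorithm 1 (RSA/MD5), which is obsolete and not handled here.
    """
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_rrset(text):
    """Parse presentation-format DNSKEY lines into dicts with role and key tag."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DNSKEY_RE.match(line)
        if not m:
            raise ValueError(f"not a DNSKEY record: {line}")
        name, flags, proto, alg, b64 = m.groups()
        flags, proto, alg = int(flags), int(proto), int(alg)
        public_key = base64.b64decode(b64)
        keys.append({
            "name": name,
            "flags": flags,
            # Bit 15 of the flags field is the Secure Entry Point (SEP) bit, set on KSKs.
            "role": "KSK" if flags & 1 else "ZSK",
            "algorithm": alg,
            "key_tag": key_tag(flags, proto, alg, public_key),
        })
    return keys


def missing_trust_anchors(keys, configured_tags):
    """Key tags of published KSKs that the resolver has NOT configured as trust anchors."""
    return sorted(
        k["key_tag"] for k in keys
        if k["role"] == "KSK" and k["key_tag"] not in configured_tags
    )


def can_validate(published_ksk_tags, configured_tags):
    """A validating resolver needs at least one published KSK among its trust anchors."""
    return bool(set(published_ksk_tags) & set(configured_tags))


if __name__ == "__main__":
    keys = parse_dnskey_rrset(SAMPLE_DNSKEY_RRSET)
    for k in keys:
        print(f"{k['role']} alg={k['algorithm']} key_tag={k['key_tag']}")

    # A resolver whose trust-anchor store was never updated: it only knows the old KSK.
    old_ksk, new_ksk = [k["key_tag"] for k in keys if k["role"] == "KSK"]
    resolver_anchors = {old_ksk}
    print("KSKs not configured on this resolver:", missing_trust_anchors(keys, resolver_anchors))

    # Rollover phases: both KSKs published (still works), then the old KSK removed (breaks).
    print("validates while both KSKs are published:", can_validate([old_ksk, new_ksk], resolver_anchors))
    print("validates after the old KSK is removed:", can_validate([new_ksk], resolver_anchors))
```

Run against a resolver's actual trust-anchor store, `missing_trust_anchors` is the check an operator would have wanted before the planned October 11 removal: a non-empty result for the new KSK means the resolver would fail exactly as the article describes once the old key is gone. The real root KSK records and their key tags are published by IANA and should be taken from there rather than from the constructed records in this example.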

Because of this, ICANN announced this week it would delay the KSK Rollover final step — of removing and revoking the original KSK key — to the first quarter of 2018. ICANN has not decided yet on a precise date.