Slashdot: ICANN Delays KSK Rollover Because of Lazy ISPs, Technical Faults

ICANN Delays KSK Rollover Because of Lazy ISPs, Technical Faults
Published on October 01, 2017 at 01:32PM
ICANN had planned to change the master key used to sign secure Domain Name System records next week for the first time in history. But now an anonymous reader writes:Inattentive ISPs and technical faults have led the Internet Corporation for Assigned Names and Numbers (ICANN) to delay the KSK Rollover for next year. ICANN was supposed to remove the root encryption KSK key from core DNS servers on October 11 and allow a new one to take effect. The key is used for the DNSSEC protocol. According to ICANN, between 6% to 8% of ISPs did not install the new KSK key to replace the one issued in 2010. The organization says that if it had gone forward with the original KSK Rollover plan, over 60 million Internet users would have been unable to make DNS requests. For the vast majority, ICANN blames lazy ISPs, which failed to update their existing keys. ICANN also believes that many ISPs may not be aware they had not installed the latest KSK. ICANN also distributed software to automatically pull down and install the new KSK. Some ISPs opted to use this software, which apparently had some bugs and failed to download and install the new KSK, in some situations. Because of this, ICANN announced this week it would delay the KSK Rollover final step — of removing and revoking the original KSK key — to the first quarter of 2018. ICANN has not decided yet on a precise date.