The Internet Corporation of Assigned Names and Numbers (ICANN) has published a guide to let people know what to expect when it changes the cryptographic keys that help protect the Internet’s Domain Name System (DNS). The changing of the keys, known as the “Root Key Signing Key (KSK) Rollover” is scheduled for 11th of October 2018. The new ICANN guide is intended for those with all levels of technical expertise and will help everyone prepare for the rollover. This is part of the ICANN’s ongoing efforts to raise awareness of the rollover and will also share more details on the rollover process.
The guide can be accessed on ICANN’s website. While ICANN expects user impact from the root KSK rollover to be minimal, a small percentage of Internet users are expected to see problems in resolving domain names, which in lay terms means they will have problems reaching their online destination. There is currently a small number of Domain Name System Security Extensions (DNSSEC) validating recursive resolvers that are misconfigured and some of the users relying upon these resolvers may experience problems. This document describes which users are most likely to see problems, and among those – what types of issues they will face at various times.
Data analysis suggests that more than 99% of users whose resolvers are validating will be unaffected by the KSK rollover. Users who use at least one resolver that is ready for the rollover will see no change in their use of the DNS or the Internet in general after the rollover. (The same is true for users whose resolvers do not perform DNSSEC validation at all. Current estimates are that about two-thirds of users are behind resolvers that do not yet perform DNSSEC validation.)
Though the rollover is currently planned to take place on the 11th of October 2018, the ICANN Board is yet to ratify this date.