Lack of ISP readiness halts DNS secure key change


No new date for key rollover.

An update to the digital security key for the domain name system (DNS) has been postponed due to a lack of readiness from some network operators.

The Internet Corporation for Assigned Names and Numbers (ICANN) had originally scheduled the key rollover for the top-level DNS on October 11 this year, extensively communicated the change, and provided a testing platform for operators as well.

ICANN said the update was an important step in keeping the global DNS safe and secure, but at the same time warned operators that they had to be ready for the change, or their users would be unable to look up domain names and reach large parts of the internet as a result.

Despite the publicity around the issue, ICANN now says new data shows internet providers and network operators are not yet ready for the change.

Rather than go ahead and risk internet breakage for 750 million people - or a quarter of all internet users - who use DNS security extensions that depend on functioning credentials, ICANN decided to postpone the key rollover.

"We would rather proceed cautiously and reasonably, than continue with the roll on the announced date of 11 October," ICANN chief executive Göran Marby said.

"It would be irresponsible to proceed with the rollover after we have identified these new issues that could adversely affect a significant number of end users."

The issues identified by ICANN include providers not configuring their resolver software properly, and a bug in an unnamed but widely used program that stops it updating the key automatically as expected under RFC 5011.

If the validating resolver in question has an incorrect implementation of RFC 5011, or if its automated trust anchor update protocol is incorrectly configured, then updates during the key rollover might not work properly.

Should that happen, domain name resolution will fail after the key rollover.
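The failure mode described above, as an added example that is not from ICANN or the original article: a simplified Python model of RFC 5011 automated trust anchor updates, in which a resolver starts trusting a new key only after seeing it in a validly signed key set for the 30-day add hold-down. The key labels, day numbers and the `Resolver` and `simulate` names are constructed for illustration, and the model goes slightly beyond the article by also showing a resolver that starts tracking the new key too late.

```python
from dataclasses import dataclass, field

ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 add hold-down time (its TTL term is omitted)

@dataclass
class Resolver:
    """Validating resolver; 'trusted' holds constructed KSK labels."""
    trusted: set
    rfc5011: bool = True  # False models a static anchor that is never updated
    pending: dict = field(default_factory=dict)  # new key -> day first seen

    def observe(self, day, ksk_rrset, signed_by):
        """Process one fetch of the zone's KSK set; return True if it validates."""
        valid = bool(self.trusted & signed_by)
        if not (valid and self.rfc5011):
            return valid  # an unvalidated key set is never used to learn keys
        # A pending key that vanished from the set loses its hold-down progress.
        self.pending = {k: d for k, d in self.pending.items() if k in ksk_rrset}
        for key in ksk_rrset - self.trusted:
            first_seen = self.pending.setdefault(key, day)
            if day - first_seen >= ADD_HOLD_DOWN_DAYS:
                self.trusted.add(key)  # hold-down served: becomes a trust anchor
                del self.pending[key]
        return valid

def simulate(resolver, publish_day, rollover_day, last_day, start_day=0):
    """Return the first day validation fails, or None if it never fails."""
    for day in range(start_day, last_day + 1):
        rrset = {"KSK-old"} | ({"KSK-new"} if day >= publish_day else set())
        signers = {"KSK-new"} if day >= rollover_day else {"KSK-old"}
        if not resolver.observe(day, rrset, signers):
            return day
    return None

if __name__ == "__main__":
    # Constructed timeline: new key published on day 0, rollover on day 90.
    cases = {
        "RFC 5011 working": (Resolver({"KSK-old"}), 0),
        "static trust anchor": (Resolver({"KSK-old"}, rfc5011=False), 0),
        "started 10 days before rollover": (Resolver({"KSK-old"}), 80),
    }
    for name, (resolver, start) in cases.items():
        failed = simulate(resolver, 0, 90, 120, start_day=start)
        print(f"{name}: " + ("keeps resolving" if failed is None
                             else f"validation fails on day {failed}"))
```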

ICANN hopes providers will sort out the issues and hopes to reschedule the key rollover to take place in the first quarter of next year, but the organisation has not set a specific date yet.

The current key for the DNS remains secure and can be used until the new one can be deployed, ICANN said.
