October 1, 2018

ICANN approves change of DNS Cryptographic Key

The move aims to build a secure, resilient and stable DNS (Domain Name System) by ‘rolling’ the key for the first time in 8 years.


Internet authority ICANN have decided to change the cryptographic key that helps protect the DNS (Domain Name System). With this change, ICANN aims to build a secure, resilient and stable DNS for its partners, customers and stakeholders by ‘rolling’ the key for the first time in 8 years.

According to ICANN, the key rollover was originally planned years ago but was delayed because many ISPs and network providers running resolvers were hesitant about the key rollover. However, ICANN say that a new DNS protocol feature allows a resolver to report back to the root servers which keys it has configured, giving service and network providers the confidence to accept the key rollover.
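The article does not name the reporting feature; the example below assumes it is the trust-anchor signalling of RFC 8145, in which a validating resolver sends a query whose name is `_ta-` followed by the hex key tags of the root keys it trusts. This is added illustration, not ICANN's code: it parses such query names from constructed log lines and flags resolvers that still signal only the old key (key tags 19036 for KSK-2010 and 20326 for KSK-2017 are public facts; the log format and client addresses are constructed).

```python
import re

# Key tags of the two root KSKs involved in the rollover (public facts).
KSK_2010 = 19036  # hex 4a5c
KSK_2017 = 20326  # hex 4f66

# RFC 8145 section 5.2 QNAME form: "_ta-" plus one or more 4-hex-digit key tags,
# e.g. "_ta-4a5c-4f66." for a resolver trusting both keys.
TA_QNAME = re.compile(r"^_ta((?:-[0-9a-f]{4})+)\.?$", re.IGNORECASE)


def parse_ta_qname(qname):
    """Return the key tags encoded in a _ta- QNAME, or None if it is not one."""
    m = TA_QNAME.match(qname.strip())
    if not m:
        return None
    return [int(tag, 16) for tag in m.group(1).split("-")[1:]]


def classify(tags):
    """Readiness of a resolver given the trust anchors it signalled."""
    if KSK_2017 in tags:
        return "ready"          # new key configured (old one may also be present)
    if KSK_2010 in tags:
        return "old-key-only"   # will fail validation once the root signs with KSK-2017
    return "unknown"


def audit_log(lines):
    """Map each client address to its readiness from 'client qname' log lines.

    Only _ta- queries are considered; ordinary queries are ignored. The latest
    signal from a client wins, since operators may update between queries.
    """
    report = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        client, qname = parts
        tags = parse_ta_qname(qname)
        if tags is not None:
            report[client] = classify(tags)
    return report


# Constructed sample log (client address, query name) for demonstration only.
SAMPLE_LOG = [
    "192.0.2.10 _ta-4a5c.",            # still trusts only KSK-2010
    "192.0.2.11 _ta-4a5c-4f66.",       # trusts both keys
    "192.0.2.12 www.example.com.",     # ordinary query, ignored
    "203.0.113.5 _TA-4F66.",           # new key only, mixed case
]

if __name__ == "__main__":
    for client, status in sorted(audit_log(SAMPLE_LOG).items()):
        print(f"{client:14} {status}")
```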

ICANN say that the latest research data showed a willingness among service providers to change the DNS cryptographic key. At a board meeting in Belgium on Sept. 16th, ICANN say, the board accepted the key rollover decision with a majority voting for the change.

Chairman of the ICANN Board, Cherine Chalaby, commented:

This is an important move and we have an obligation to ensure that it happens in furtherance of ICANN’s mission, which is to ensure a secure, stable and resilient DNS.

There is no way of completely assuring that every network operator will have their ‘resolvers’ properly configured, yet if things go as anticipated, we expect the vast majority to have access to the root zone.

ICANN acknowledges that some internet users might be affected if their network operators or Internet Service Providers (ISPs) have not prepared for the roll.

Explaining this, David Conrad, ICANN’s Chief Technology Officer, commented:

It is almost certain there will be at least a few operators somewhere across the globe who won’t be prepared, but even in the worst case, all they have to do to fix the problem is turn off DNSSEC validation, install the new key, and re-enable DNSSEC, and their users will again have full connectivity to the DNS.

Industry experts expect this major shift by ICANN to affect most enterprises and internet users, just as its WHOIS changes did shortly before the GDPR deadline.