Current magazine

ICANN to change keys, urgent updates required


UPDATE (28/9/2017): ICANN has postponed the key roll date as it found a significant number of resolvers used by ISPs and network operators are not ready for the move. Operators may not have installed the new key in their systems because their resolver software may not be properly configured or a recently discovered issue in a widely used resolver program appears to not be automatically updating the key as it should.

“The security, stability and resiliency of the domain name system (DNS) is our core mission. We would rather proceed cautiously and reasonably than continue with the roll on 11 October,” said Göran Marby, CEO, ICANN.

Changing the key involves generating a new cryptographic key pair and distributing the new public component to the DNS security extensions-validating resolvers. An estimated one-in-four global Internet users or 750 million people could be affected by the rollover. A new date for the key roll has not yet been determined but is expected to be in 1Q18. 


The Internet Corporation for Assigned Names and Numbers (ICANN) will change the cryptographic keys that help secure the Internet’s Domain Name System (DNS). Internet Service Providers (ISPs) and network operators around the world must update their keys accordingly.

“Failure to do so can result in their users being unable to look up domain names or reach any site on the Internet,” said David Conrad, chief technology officer, ICANN. “Network operators should ensure they have up-to-date software, have enabled DNSSEC, and verified that their systems can update their keys automatically, or they have processes in place to manually update to the new key by 1600 UTC on 11 October 2017.”

The “rolling” of the key is an important step to keep the global DNS safe and secure. It is done to ensure that important security infrastructure can support changing passwords if the need ever arises.

ICANN has been working with technical partners such as the Regional Internet Registries, Network Operations Groups, and domain name registries and registrars, as well as others in the Internet ecosystem such as the Internet Society and trade associations, to ensure anyone who may be impacted by the key roll is aware of the impending change.

ICANN also sent correspondence to over 170 government officials including regulators and participants in ICANN’s government advisory committee, asking them to make certain the network operators in their respective countries are aware and ready for the key change.

“We’ve launched a testing platform so network operators can make certain they are ready for the key roll well before 11 October,” Conrad said.

For more information, visit


About Author

Leave A Reply