A multi-year effort to update the internet’s overall security has been put on hold just days before it was due to be introduced, over fears that as many as 60 million people could be forced offline.
DNS overseer ICANN announced on Thursday it had postponed the rollout of a new root zone “key signing key” (KSK) used to secure the internet’s foundational servers after it received fresh information that indicated its deployment would be more problematic than expected.
The KSK acts as an anchor for the global internet: it builds a chain of trust from the root zone down through the whole domain name system so that DNS resolvers – software that turns addresses like theregister.com into network addresses like 18.104.22.168 – can verify they’re getting valid results to their queries.
Internet engineers knew that introducing a longer and hence more secure public-private key pair would cause some old and poorly configured systems to throw out errors, and so have embarked on a slow rollout that started back in May 2016.
In recent weeks, ICANN representatives have been attending conferences to warn ISPs and other internet infrastructure companies about the change and set up an online test for people to check if their systems will work. The change was due to take place on October 11, and just last week ICANN was confident that any problems would be minimal.
However, analysis of data provided by dot-com operator Verisign, via DNS protocol RFC 8145, and then confirmed by ICANN revealed a roadblock on the information superhighway.
Source: The Register
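Under RFC 8145, mentioned above, a validating resolver signals which trust-anchor key tags it holds by querying names of the form `_ta-<hex key tags>`. The following is an added example, not part of the original article and not ICANN or Verisign tooling, showing how an operator could find resolvers in a query log that have not picked up a new key. The log layout, addresses and key tags (0x1111 for the old key, 0x2222 for the new one) are constructed placeholders.

```python
import re

# RFC 8145 key tag query for the root zone: "_ta-" followed by one or more
# 4-hex-digit key tags joined by "-". Only root-zone signals are handled here.
TA_LABEL = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.?$", re.IGNORECASE)


def parse_key_tags(qname):
    """Return the set of key tags signalled in qname, or None if not a signal."""
    m = TA_LABEL.match(qname.strip())
    if not m:
        return None
    return {int(h, 16) for h in m.group(1).split("-")}


def resolvers_missing_tag(log_lines, new_tag):
    """Return resolvers whose most recent signal does not include new_tag.

    Each line is assumed to be "<timestamp> <source> <qname>" in time order
    (a hypothetical layout chosen for this example).
    """
    latest = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        _timestamp, source, qname = parts
        tags = parse_key_tags(qname)
        if tags is not None:
            latest[source] = tags  # a later signal replaces an earlier one
    return sorted(src for src, tags in latest.items() if new_tag not in tags)


# Constructed sample log: documentation addresses, placeholder key tags.
SAMPLE_LOG = [
    "2017-09-01T00:00:00Z 192.0.2.10 _ta-1111.",
    "2017-09-01T00:00:05Z 192.0.2.20 _ta-1111-2222.",
    "2017-09-01T00:01:00Z 192.0.2.30 _ta-1111.",
    "2017-09-02T00:00:00Z 192.0.2.30 _ta-1111-2222.",
    "2017-09-02T00:00:09Z 192.0.2.40 www.example.com.",
]

if __name__ == "__main__":
    # Resolvers still trusting only the old key would fail validation
    # once the root zone is signed with the new one.
    for source in resolvers_missing_tag(SAMPLE_LOG, 0x2222):
        print("old key only:", source)
```

Resolvers that never send a signal do not appear in the result at all, so an empty list does not by itself mean every resolver has the new key.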