The Domain Name System Security Extensions (DNSSEC) protocol was supposed to be made more secure by implementing a special cryptographic key known as KSK (Key Signing Key) into the core Internet DNS servers. The Internet Corporation for Assigned Names and Numbers (ICANN), however, is reporting that many internet service providers haven’t put the necessary things in place, and are having technical faults, which is preventing this move.
Within the DNSSEC protocol, the KSK is designed to play a major role, vouching for the root zone, which is the ‘highest’ area of DNS (.com, .org, etc). If a client makes a DNS request on a server that is set up to use DNSSEC, it will then check the DNS response for validity by comparing it to other authoritative servers. KSK and ZSK keys are what is used to verify the authenticity of the data.
The hope was that DNSSEC would eventually replace DNS so that bad actors on the net wouldn’t be able to force users false DNS responses, which would route their traffic to the wrong servers where it could be infected or otherwise manipulated.
According to ICANN, if they pushed forward with their desired changes, it would cause 60 million users to go offline, which is obviously unacceptable. They will continue to push ISPs to update their systems, and are hoping to be able to move forward with this added security by the first quarter of 2018. Until then, marketers and all internet users are less safe than they otherwise could be.
