ICANN had scheduled its first-ever DNSSEC zone signing key (ZSK) change for 11 October, but that event has been postponed.
The original ZSK was generated in 2010, but that 1024-bit key is now the weak link in the signing chain. The top-level key signing key (KSK) is already 2048-bit, and the ZSK is being brought up to the same standard.
The longer key increases the size of responses from domain name servers, so careful testing was required to make sure DNS software could cope. DNS is central to the operation of the Internet, as it is the component that links human-readable domains such as itwire.com to the IP address of the relevant server.
The issues identified include one widely used resolver that is not accepting automatic key updates, as well as improperly configured software.
"The security, stability and resiliency of the domain name system is our core mission. We would rather proceed cautiously and reasonably, than continue with the roll on the announced date of 11 October," said ICANN chief executive Göran Marby.
"It would be irresponsible to proceed with the roll after we have identified these new issues that could adversely affect a significant number of end users."
ICANN believes that number could be as high as 750 million, a quarter of the Internet community. Not all users are affected, because not all DNS servers use DNSSEC.
The key roll has been tentatively rescheduled for 1Q18, but the new date will be announced "as appropriate".
Marby added: "It's our hope that network operators will use this additional time period to be certain that their systems are ready for the key roll."