The Internet Corporation for Assigned Names and Numbers (ICANN) is finally performing a root zone DNSSEC KSK rollover to strengthen the security of the Domain Name System (DNS).
DNSSEC (Domain Name System Security Extensions) is a set of security protocols used to ensure DNS information isn’t accidentally or maliciously corrupted. It protects against cyberattacks by proving the authenticity and integrity of a response from the nameserver.
The DNSSEC KSK rollover means that a new cryptographic public and private key pair will be generated for the DNS root, and its public component will be distributed to the intended parties. These parties include internet service providers, enterprise network administrators, DNS resolver operators, DNS resolver software developers, etc.
“This is an important move and we have an obligation to ensure that it happens in furtherance of ICANN’s mission, which is to ensure a secure, stable and resilient DNS,” said ICANN Board Chair Cherine Chalaby.
“There is no way of completely assuring that every network operator will have their ‘resolvers’ properly configured, yet if things go as anticipated, we expect the vast majority to have access to the root zone.”
The cryptographic key for the DNS root is being changed for the first time since it was put into use in 2010.
ICANN had scheduled the DNS root key change for around a year ago but postponed it to analyze new last-minute data. The company said that the new data dealt with the potential readiness of network operators for the change of the DNS root's cryptographic key.
“Research shows that there are many thousands of network operators that have enabled DNSSEC validation, and about a quarter of the Internet’s users rely on those operators,” said David Conrad, ICANN’s Chief Technology Officer.
“It is almost certain there will be at least a few operators somewhere across the globe who won’t be prepared, but even in the worst case, all they have to do to fix the problem is, turn off DNSSEC validation, install the new key, and reenable DNSSEC and their users will again have full connectivity to the DNS.”
The company said that this is the first root key change, but it won’t be the last. ICANN will make sure that the changes are adopted smoothly, as many network operators and ISPs aren’t familiar with the practice.
The DNS root key will be changed at 4PM UTC on 11th October 2018. A small number of ISPs and network operators are currently misconfigured. Hence, ICANN expects that a very small proportion of users who rely on misconfigured DNSSEC resolvers might face issues in resolving domain names.