Securing the Internet’s address book
Following the DNS KSK (key signing key) rollover on October 11, 2018, just a week ago, the Internet Corporation for Assigned Names and Numbers (ICANN) is pleased to report that the event happened without a glitch.
With practically the whole Internet depending on a glitch-free rollover, it is only fair to delve a little further into what the exercise actually involved.
In a nutshell, it means that ICANN is tightening the security of the Internet’s address book: the top pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol was upgraded. This is the first time this has ever been done, and ICANN was kind enough to publish a guide about what to expect: a small percentage of Internet users are expected to face problems resolving domain names, or in other words, getting to their online destinations.
Enterprise IT News speaks to Infoblox’s Chief DNS Architect, Cricket Liu, about their view of the whole exercise.
EITN: How often does ICANN maintain the DNS?
Cricket: Well, ICANN is responsible for DNS’s root zone, which is the container, if you will, that contains delegation to top-level domains such as .com, .net, .my, and .sg. The root zone doesn’t change that often: usually, it changes because delegation to a top-level domain changes or a top-level domain is added or deleted. In this recent case, however, one of the root zone’s public keys changed.
EITN: What does Infoblox observe, when this happens?
Cricket: In the case of changes to delegation, generally nothing. But in the case of this key rollover, we’re prepared to guide our customers through making any changes necessary to their DNS servers’ configurations.
EITN: Are there any special things to note, i.e. any particular countries or users that are impacted more than others?
Cricket: No. These changes affect the entire Internet.
EITN: What exactly does it take to change cryptographic keys of the DNS?
Cricket: ICANN generated a new public key for the root zone over a year ago and published it alongside the old one. What’s notable is that on 11th October, ICANN removed the old public key. Prior to that date, DNS servers whose configurations hadn’t been updated with the new key would continue to work, but as of 11th October, 2018, those DNS servers would no longer work.
The required change is very simple: A DNS administrator just needs to update a snippet of configuration in his DNS server’s configuration file, or even just update to a newer version of his DNS server software.
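The "snippet of configuration" Cricket refers to is the root trust anchor in the resolver's configuration (in BIND, a `trust-anchors` or older `managed-keys` block holding a DNSKEY in `initial-key` form). The script below is an added example, not part of this article and not Infoblox or ICANN tooling: it parses such a block, computes each key's key tag with the RFC 4034 Appendix B algorithm, and reports whether the resolver trusts the current root KSK or only a retired one. The configuration text and the public keys in it are constructed placeholders chosen so the tags can be checked by hand, not real root key material; for the real root zone, the KSK introduced in the 2017 rollover carries key tag 20326 and the retired 2010 key carried 19036, and resolvers that used RFC 5011 managed keys picked up the new anchor automatically.

```python
import base64
import re
import struct

# Constructed BIND-style trust-anchors block. The base64 blobs are invented
# four-byte placeholders, NOT the real root KSK, so key tags are small.
SAMPLE_NAMED_CONF = """
trust-anchors {
    # hypothetical retired root anchor
    . initial-key 257 3 8 "AQIDBA==";
    # hypothetical replacement anchor published alongside the old one
    . initial-key 257 3 8 "BQYHCA==";
};
"""

# Matches `<zone> initial-key|static-key <flags> <proto> <alg> "<base64>";`
# The quoted key may span several lines, as it usually does in real configs.
ANCHOR_RE = re.compile(
    r'^\s*(?P<zone>\S+)\s+(?P<kind>initial-key|static-key)\s+'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+"(?P<key>[^"]*)"\s*;',
    re.MULTILINE,
)


def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.

    Sums the RDATA as big-endian 16-bit words, folds in the carry and keeps
    the low 16 bits. (Algorithm 1, RSA/MD5, used a different rule; it is
    obsolete and not handled here.)
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_trust_anchors(conf_text):
    """Return a list of {zone, flags, algorithm, tag} for each DNSKEY anchor."""
    anchors = []
    for m in ANCHOR_RE.finditer(conf_text):
        pubkey = base64.b64decode("".join(m.group("key").split()))
        flags, proto, alg = (int(m.group(g)) for g in ("flags", "proto", "alg"))
        anchors.append({
            "zone": m.group("zone"),
            "flags": flags,
            "algorithm": alg,
            "tag": dnskey_key_tag(flags, proto, alg, pubkey),
        })
    return anchors


def classify_root_anchor(conf_text, current_tag, retired_tags=frozenset()):
    """Classify the resolver's root (".") trust anchor configuration.

    'current'  - the current root KSK is trusted (old keys may remain)
    'stale'    - only retired keys are trusted; validation will fail
    'missing'  - no root anchor configured at all
    'unknown'  - a root anchor is present but matches neither list
    """
    tags = {a["tag"] for a in parse_trust_anchors(conf_text) if a["zone"] == "."}
    if not tags:
        return "missing"
    if current_tag in tags:
        return "current"
    if tags & set(retired_tags):
        return "stale"
    return "unknown"


if __name__ == "__main__":
    # Hypothetical tags for the constructed keys; substitute the real root
    # key tags (current 20326, retired 19036) when checking a live config.
    CURRENT_TAG, RETIRED_TAGS = 4119, {2063}
    for a in parse_trust_anchors(SAMPLE_NAMED_CONF):
        print(f"zone={a['zone']} flags={a['flags']} alg={a['algorithm']} tag={a['tag']}")
    print("status:", classify_root_anchor(SAMPLE_NAMED_CONF, CURRENT_TAG, RETIRED_TAGS))
```

The key tag is only a 16-bit checksum, so a match tells you the configured anchor is the expected key, not that the key is authentic; the anchor itself should come from ICANN's published root trust anchor file and be checked against its signature before it goes into a resolver's configuration.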
More information can be found here: https://www.icann.org/resources/pages/ksk-rollover/#overview