David Goldstein - ICANN To Change Root Zone Key In Major Security Update


    On 11 October, for the first time, ICANN will change the cryptographic key that secures the top of the internet's Domain Name System (DNS): the root zone Key Signing Key (KSK). The change is an important step in keeping the internet safe and secure, and it will be the first time the root KSK key pair has been changed since it was generated in 2010.

    “It is critical that Internet Service Providers and network operators around the world make certain they are ready for this change, as failure to do so can result in their users being unable to look up domain names and thus be unable to reach any site on the Internet,” said David Conrad, ICANN's Chief Technology Officer. “Network operators should ensure they have up-to-date software, have enabled DNSSEC, and verified that their systems can update their keys automatically or they have processes in place to manually update to the new key by 16:00 UTC on 11 October 2017.”

    The multi-step KSK rollover process involves generating a new cryptographic key pair and then distributing the new public key. Internet service providers, enterprise network operators and anyone else performing DNSSEC validation must ensure their systems are updated with the public part of the new KSK in order to ensure trouble-free internet access for their users. The KSK signs the root zone's key set and is the trust anchor from which all DNSSEC validation descends: a validating resolver uses it to confirm that the DNS data it receives was published by the zone's operator and has not been altered, which is what protects users from domain name hijacking. As the phrase implies, domain name hijacking is taking control of a domain name, often by those with malicious intent who may be seeking illicit financial gain. For example, a user trying to reach their bank may instead be redirected to a look-alike site that steals their login details and passwords.

    The change has come about following recommendations from the ICANN community, which recommended that the cryptographic keys used to sign the root zone be changed periodically, to help maintain the integrity of the infrastructure that depends on those keys and to ensure that security best practices are followed. Developers of software supporting DNSSEC validation should ensure their product supports RFC 5011 (automated updates of DNSSEC trust anchors). If it does, and the resolver is running and validating while the new key is published alongside the old one, the KSK will be picked up automatically at the appropriate time. For software that does not conform to RFC 5011, or for software which is not configured to use it (for example, a resolver that reads a static trust anchor file at startup), the trust anchor must be updated manually with the new key before the old one is retired.
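    As an added illustration, not part of ICANN's announcement or of any resolver's own code, the following Python models the RFC 5011 trust-anchor logic that the two paragraphs above rely on: a new KSK seen in a root DNSKEY set signed by a trusted key enters a 30-day add hold-down before it becomes a trust anchor, and the old key is dropped 30 days after it is published with the REVOKE bit and signs the set with itself. The key tags 1001 and 2002, the day-numbered timeline and the signature sets are all constructed for the example; no real root key material is used. The second scenario shows the failure mode the article warns about: a resolver that was not validating during the hold-down window never gets a Valid anchor for the new key and is left unable to validate anything.

```python
"""RFC 5011 trust-anchor state machine, run over constructed root DNSKEY RRsets.
Key tags and timelines are hypothetical; this is an illustration, not resolver code."""
from dataclasses import dataclass
from enum import Enum

# DNSKEY flag bits (RFC 4034 and RFC 5011). A KSK normally carries 257 = ZONE|SEP;
# a revoked KSK carries 385 = ZONE|REVOKE|SEP.
ZONE_KEY = 0x0100
REVOKE = 0x0080
SEP = 0x0001
ADD_HOLD_DOWN_DAYS = 30     # RFC 5011 section 2.4.1 minimum
REMOVE_HOLD_DOWN_DAYS = 30  # RFC 5011 section 2.4.2 minimum


class State(Enum):
    ADDPEND = "AddPend"   # seen, waiting out the add hold-down
    VALID = "Valid"       # usable trust anchor
    MISSING = "Missing"   # Valid key temporarily absent from the RRset
    REVOKED = "Revoked"   # REVOKE bit seen, waiting out the remove hold-down


@dataclass
class Anchor:
    state: State
    since: int  # day on which the key entered its current state


@dataclass
class Observation:
    day: int
    keys: dict       # key tag -> DNSKEY flags present in the root DNSKEY RRset
    signed_by: set   # key tags whose RRSIG over that RRset verified


class TrustAnchorStore:
    def __init__(self, configured_tags):
        # Keys shipped in the configured trust anchor file start out Valid.
        self.anchors = {t: Anchor(State.VALID, 0) for t in configured_tags}

    def states(self):
        return {t: a.state.value for t, a in self.anchors.items()}

    def observe(self, obs):
        day = obs.day
        trusted_signers = {t for t in obs.signed_by if t in self.anchors
                           and self.anchors[t].state in (State.VALID, State.MISSING)}
        if not trusted_signers:
            # Not signed by any current trust anchor: nothing can be learned safely.
            return self.states()
        # 1. Revocation: a known key carrying REVOKE that signs the RRset itself.
        for tag, flags in obs.keys.items():
            if flags & REVOKE and tag in obs.signed_by and tag in self.anchors:
                if self.anchors[tag].state != State.REVOKED:
                    self.anchors[tag] = Anchor(State.REVOKED, day)
        # 2. New or returning SEP keys.
        for tag, flags in obs.keys.items():
            if flags & REVOKE or not (flags & SEP) or not (flags & ZONE_KEY):
                continue
            a = self.anchors.get(tag)
            if a is None:
                self.anchors[tag] = Anchor(State.ADDPEND, day)
            elif a.state == State.ADDPEND and day - a.since >= ADD_HOLD_DOWN_DAYS:
                self.anchors[tag] = Anchor(State.VALID, day)
            elif a.state == State.MISSING:
                self.anchors[tag] = Anchor(State.VALID, day)
        # 3. Keys absent from this RRset: a pending key restarts, a Valid key goes Missing.
        for tag in list(self.anchors):
            a = self.anchors[tag]
            if tag in obs.keys:
                continue
            if a.state == State.ADDPEND:
                del self.anchors[tag]
            elif a.state == State.VALID:
                self.anchors[tag] = Anchor(State.MISSING, day)
        # 4. Revoked keys are forgotten once the remove hold-down has elapsed.
        for tag in list(self.anchors):
            a = self.anchors[tag]
            if a.state == State.REVOKED and day - a.since >= REMOVE_HOLD_DOWN_DAYS:
                del self.anchors[tag]
        return self.states()


def active_refresh_seconds(orig_ttl, sig_inception, sig_expiration):
    """RFC 5011 section 2.3: MAX(1 hour, MIN(OrigTTL/2, RRSIG validity/2))."""
    return max(3600, min(orig_ttl // 2, (sig_expiration - sig_inception) // 2))


def simulate_rollover():
    """A resolver that validates throughout: old KSK 1001 is replaced by new KSK 2002."""
    store = TrustAnchorStore([1001])
    timeline = [
        Observation(0, {1001: 257}, {1001}),                      # steady state
        Observation(1, {1001: 257, 2002: 257}, {1001}),           # new KSK published
        Observation(15, {1001: 257, 2002: 257}, {1001}),          # inside the hold-down
        Observation(31, {1001: 257, 2002: 257}, {1001}),          # hold-down elapsed
        Observation(60, {1001: 257, 2002: 257}, {2002}),          # new KSK now signs
        Observation(90, {1001: 385, 2002: 257}, {1001, 2002}),    # old KSK revoked
        Observation(121, {2002: 257}, {2002}),                    # old KSK gone
    ]
    return [store.observe(o) for o in timeline]


def simulate_late_resolver():
    """A resolver switched on only at revocation time never completes the hold-down."""
    store = TrustAnchorStore([1001])
    store.observe(Observation(90, {1001: 385, 2002: 257}, {1001, 2002}))
    return store.observe(Observation(121, {2002: 257}, {2002}))


if __name__ == "__main__":
    for day_states in simulate_rollover():
        print(day_states)
    print("late resolver:", simulate_late_resolver())
```

    The late-resolver case is why the hold-down matters operationally: RFC 5011 can only add the new key while a currently trusted key still signs the root DNSKEY set, so a resolver (or an appliance image built from an old trust anchor file) that only starts validating after the old KSK is revoked has to be given the new key by hand.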

    For anyone who needs more information on the KSK rollover, ICANN has published resources with updates.