CIO

ICANN sets plan to reinforce Internet DNS security

The Internet Corporation for Assigned Names and Numbers will soon implement DNS Root KSK rollover to bolster Internet’s address book

In a few months, the Internet will be a more secure place.

That’s because the Internet Corporation for Assigned Names and Numbers (ICANN) has voted to go ahead with the first-ever changing of the cryptographic key that helps protect the Internet’s address book – the Domain Name System (DNS).

The ICANN Board at its meeting in Belgium this week, decided to proceed with its plans to change or "roll" the key for the DNS root on October 11, 2018. It will mark the first time the key has been changed since it was first put in place in 2010.

During its meeting ICANN spelled out the driving forces behind the rollover and the wider push for improved DNS security. For example, the continued evolution of Internet technologies and facilities, the deployment of IoT devices and the increased capacity of networks all over the world, coupled with the unfortunate lack of sufficient security in those devices and networks, give attackers increasing power to cripple Internet infrastructure, ICANN stated.

“Specifically, the growth in attack capacity risks outstripping the ability of the root server operator community to expand defensive capacity. While it remains necessary to continue to expand defensive capacity in the near-term, the long-term outlook for the traditional approach appears bleak,” ICANN stated.

The KSK rollover means generating a new cryptographic public and private key pair and distributing the new public component, the root zone's DNSSEC trust anchor, to parties who operate validating resolvers, according to ICANN. Such resolvers run software that converts domain names like networkworld.com into IP addresses.

Those parties include: Internet Service Providers; enterprise network administrators and other DNS resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root's "trust anchor," ICANN states.

ICANN noted that because DNSSEC validation is not yet widely deployed, responses from the Root Server System remain at risk from integrity attacks.

Similarly, because DNS messages are sent unencrypted, the users of the Root Server System (i.e., resolvers) are subject to confidentiality attacks. While these attacks are not new, the ever-increasing reliance on DNS, and hence on the Root Server System, suggests a new strategy is needed to reduce their effect, ICANN stated.

ICANN says it expects minimal user impact from the rollover but a small percentage of Internet users could see problems in resolving domain names, which means they will have problems reaching their online destination.

For enterprise users the move should have little impact. ICANN says that more than 99% of users whose resolvers are validating will be unaffected by the KSK rollover. Enterprises should by now have either updated their resolver software to perform automatic trust-anchor rollovers (RFC 5011) or manually installed the new key.

"There is no way of completely assuring that every network operator will have their 'resolvers' properly configured, yet if things go as anticipated, we expect the vast majority to have access to the root zone," ICANN Board Chair Cherine Chalaby said in a statement.

Research shows that there are many thousands of network operators that have enabled DNSSEC validation, and about a quarter of the Internet's users rely on those operators, said David Conrad, ICANN's Chief Technology Officer. "It is almost certain there will be at least a few operators somewhere across the globe who won't be prepared, but even in the worst case, all they have to do to fix the problem is, turn off DNSSEC validation, install the new key, and re-enable DNSSEC and their users will again have full connectivity to the DNS."
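To make concrete both the automatic RFC 5011 rollover that prepared resolvers rely on and the manual "install the new key" fix Conrad describes for unprepared ones, here is an added example (not ICANN's code, nor any real resolver's implementation) of the simplified RFC 5011 trust-anchor state machine a validating resolver runs against successive fetches of the root DNSKEY RRset. The key tags 19036 (KSK-2010) and 20326 (KSK-2017) are the real root key tags, not taken from the article; the day-by-day fetch timeline, the `Observation` record and the `TrustAnchorStore` class are constructed for illustration and go beyond the article by also covering revocation of the old key.

```python
"""RFC 5011 trust-anchor state machine, simplified.  Added example, not
ICANN's or any resolver's code.  Key tags 19036 (KSK-2010) and 20326
(KSK-2017) are the real root key tags; the DNSKEY fetch timeline is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

ADD_HOLD_DOWN_DAYS = 30     # RFC 5011 add hold-down time
REMOVE_HOLD_DOWN_DAYS = 30  # RFC 5011 remove hold-down time
REVOKE_FLAG = 0x0080        # RFC 5011 DNSKEY flags bit 8: key is revoked
KSK_FLAGS = 0x0101          # ZONE + SEP, as on the root KSKs
START, ADDPEND, VALID, MISSING, REVOKED, REMOVED = (
    "Start", "AddPend", "Valid", "Missing", "Revoked", "Removed")


@dataclass
class KeyState:
    state: str = START
    first_seen: Optional[int] = None  # day the key entered AddPend
    sightings: int = 0                # fetches carrying it while in AddPend
    revoked_on: Optional[int] = None


@dataclass
class Observation:
    day: int
    keys: Dict[int, int]          # key tag -> DNSKEY flags in the fetched RRset
    signed_by: FrozenSet[int]     # key tags whose RRSIG over the RRset verified


class TrustAnchorStore:
    # Keys are tracked by their original tag for brevity; a real resolver
    # matches on key material, since setting REVOKE changes the tag.
    def __init__(self, initial_tags):
        self.keys = {t: KeyState(state=VALID) for t in initial_tags}

    def trusted(self):
        return {t for t, k in self.keys.items() if k.state in (VALID, MISSING)}

    def install_anchor(self, tag):
        """Manual fix: operator installs the new key out of band."""
        self.keys[tag] = KeyState(state=VALID)

    def observe(self, obs):
        """Apply one DNSKEY fetch; False means no current anchor signed it,
        so the resolver cannot validate the set and ignores it."""
        if not (self.trusted() & obs.signed_by):
            return False
        for tag, flags in obs.keys.items():
            ks = self.keys.setdefault(tag, KeyState())
            if flags & REVOKE_FLAG:
                # A revocation only counts when the revoked key self-signs the set.
                if ks.state in (VALID, MISSING) and tag in obs.signed_by:
                    ks.state, ks.revoked_on = REVOKED, obs.day
                elif ks.state == ADDPEND:
                    ks.state = START      # revoked before it was ever trusted
            elif ks.state == START:
                ks.state, ks.first_seen, ks.sightings = ADDPEND, obs.day, 1
            elif ks.state == ADDPEND:
                ks.sightings += 1         # accept after hold-down and >= 2 sightings
                if obs.day - ks.first_seen >= ADD_HOLD_DOWN_DAYS and ks.sightings >= 2:
                    ks.state = VALID
            elif ks.state == MISSING:
                ks.state = VALID
            # VALID stays VALID; REVOKED/REMOVED keys are never trusted again.
        for tag, ks in self.keys.items():
            if tag in obs.keys:
                continue
            if ks.state == ADDPEND:
                ks.state = START          # vanished before becoming trusted
            elif ks.state == VALID:
                ks.state = MISSING
            elif ks.state == REVOKED and obs.day - ks.revoked_on >= REMOVE_HOLD_DOWN_DAYS:
                ks.state = REMOVED
        return True


def rollover_timeline():
    """An up-to-date resolver following the roll automatically; returns
    (day, KSK-2010 state, KSK-2017 state) after each constructed fetch."""
    both = {19036: KSK_FLAGS, 20326: KSK_FLAGS}
    store = TrustAnchorStore({19036})
    fetches = [
        Observation(0, both, frozenset({19036})),    # new KSK pre-published
        Observation(15, both, frozenset({19036})),
        Observation(30, both, frozenset({19036})),   # hold-down elapsed
        Observation(45, both, frozenset({20326})),   # the roll: new KSK now signs
        Observation(60, {19036: KSK_FLAGS | REVOKE_FLAG, 20326: KSK_FLAGS},
                    frozenset({19036, 20326})),      # old KSK revoked
        Observation(95, {20326: KSK_FLAGS}, frozenset({20326})),
    ]
    trace = []
    for obs in fetches:
        store.observe(obs)
        trace.append((obs.day, store.keys[19036].state, store.keys[20326].state))
    return trace


def stale_resolver():
    """A resolver that missed the hold-down: it cannot validate the post-roll
    RRset until the operator installs the new key by hand."""
    store = TrustAnchorStore({19036})
    after_roll = Observation(45, {19036: KSK_FLAGS, 20326: KSK_FLAGS}, frozenset({20326}))
    before_fix = store.observe(after_roll)
    store.install_anchor(20326)
    after_fix = store.observe(after_roll)
    return before_fix, after_fix
```

`rollover_timeline()` shows why the new key had to be published long before the roll: KSK-2017 sits in AddPend until the 30-day hold-down has elapsed across at least two fetches, and only then becomes a trust anchor, so a resolver that was switched off or not querying during that window never promotes it. `stale_resolver()` reproduces the failure mode Conrad describes: once the root DNSKEY RRset is signed only by KSK-2017, a resolver trusting only KSK-2010 rejects it (`observe` returns False, which in a real resolver surfaces as validation failures for every name), and the recovery is exactly the out-of-band `install_anchor(20326)` step before validation is turned back on.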

The rollover from the 2010 KSK to the 2017 KSK was originally scheduled for October 11, 2017, but was delayed until Oct. 11 of this year because of concerns about potential Internet connectivity disruption.

But ICANN said that, after consultation with the community, it developed a new plan that puts the new key into use exactly one year after originally scheduled. The organisation has continued outreach and investigation into how best to mitigate the risks associated with the key change.

"This is the first root key change, but it won't be the last," said Matt Larson, Vice President of Research at ICANN and the organisation's point person for the key roll. "This is the first time, so naturally we are bending over backwards to make certain that everything goes as smoothly as possible, but as we do more key rollovers in the future, the network operators, ISPs, and others will become more accustomed to the practice."