ICANN Delays Changing Keys Protecting the Domain Name System
New data sparked decision to postpone since existing DNS key remains secure
Singapore
The Internet Corporation for Assigned Names
and Numbers (“ICANN”) today announced that the plan to change the cryptographic key that
helps protect the Domain Name System (DNS) is being postponed.
The changing or “rolling” of the key was originally scheduled to occur on 11 October, but it is being delayed because recently obtained data show that a significant number of resolvers used by Internet Service Providers (ISPs) and network operators are not yet ready for the key rollover.
There may be multiple reasons why operators do not have the new key installed in their systems: some may not have their resolver software properly configured, and a recently discovered issue in one widely used resolver program appears to prevent it from automatically updating the key as it should (the automated trust anchor update defined in RFC 5011), for reasons that are still being explored.
“The security, stability and resiliency of the domain name
system is our core mission. We would rather proceed cautiously and reasonably,
than continue with the roll on the announced date of 11 October,” said ICANN CEO Göran Marby.
“It would be irresponsible to proceed with the roll after we have identified
these new issues that could adversely affect a significant number of end
users.”
Changing the key involves generating a new cryptographic key pair and distributing the new public component to Domain Name System Security Extensions (DNSSEC)-validating resolvers, which must hold it as a trust anchor before the old root zone Key Signing Key (KSK) stops being used. Based on the estimated number of Internet users who rely on DNSSEC-validating resolvers, an estimated one in four global Internet users, or 750 million people, could be affected by the KSK rollover.
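The check an operator would want to run before the roll is whether their validating resolver actually trusts the new KSK. The following Python script is an added example; it is not part of ICANN's announcement or of any ICANN tool. It reads DNSKEY records in presentation format (the form printed by `dig . DNSKEY +noall +answer` and stored in Unbound's root.key trust-anchor file; BIND's `trust-anchors` statement uses a different syntax and is not parsed here), computes each key's RFC 4034 key tag, and reports whether the KSK-2017 tag 20326 is among the key-signing keys. The sample records are constructed toy keys, and the key whose tag comes out as 20326 was engineered to do so; it is not the real KSK-2017 public key.

```python
"""Check which root KSKs a DNSSEC-validating resolver trusts.

Reads DNSKEY records in presentation format, computes each key's RFC 4034
key tag, and reports whether the KSK-2017 tag (20326) is among the
key-signing keys. All sample records in this file are CONSTRUCTED toy keys,
not real root zone keys.
"""
import base64
import struct

KSK_2017_TAG = 20326          # key tag of the real root KSK-2017
KSK_FLAGS = 257               # ZONE (256) | SEP (1): a key-signing key
ZSK_FLAGS = 256               # ZONE only: a zone-signing key


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    if algorithm == 1:
        # RSA/MD5 used a different (now obsolete) key tag rule; refuse it.
        raise ValueError("algorithm 1 (RSA/MD5) key tags are not supported")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8   # odd octets low byte, even high
    ac += (ac >> 16) & 0xFFFF                  # fold the carry back in
    return ac & 0xFFFF


def parse_dnskey_lines(text: str) -> list:
    """Parse DNSKEY presentation-format lines; skip comments and other RR types."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()    # strip ';' comments (Unbound adds them)
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))   # base64 may be split
        records.append({
            "owner": fields[0],
            "flags": flags,
            "protocol": protocol,
            "algorithm": algorithm,
            "tag": key_tag(flags, protocol, algorithm, pubkey),
        })
    return records


def ksk_tags(records: list) -> list:
    """Sorted key tags of the key-signing keys (flags == 257) in the set."""
    return sorted(r["tag"] for r in records if r["flags"] == KSK_FLAGS)


def has_trust_anchor(text: str, expected_tag: int = KSK_2017_TAG) -> bool:
    """True if a KSK with the expected tag is present in the DNSKEY text."""
    return expected_tag in ksk_tags(parse_dnskey_lines(text))


# Constructed sample: a resolver still holding only an old toy KSK plus a ZSK.
ANCHORS_OLD_ONLY = """\
. 172800 IN DNSKEY 257 3 8 AAE= ; constructed toy KSK, tag 1034
. 172800 IN DNSKEY 256 3 8 AQAB ; constructed toy ZSK, tag 1544
"""

# Constructed sample: the same set after the new KSK was added. The public-key
# bytes (0x4B 0x5D) were chosen so the tag comes out as 20326; this is NOT the
# real KSK-2017 public key, only a stand-in that exercises the matching path.
ANCHORS_WITH_NEW = ANCHORS_OLD_ONLY + \
    ". 172800 IN DNSKEY 257 3 8 S10= ; constructed, tag engineered to 20326\n"


if __name__ == "__main__":
    import sys
    # Usage: python3 check_ksk.py [/path/to/root.key]
    # Without a path, the constructed sample set is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ANCHORS_WITH_NEW
    tags = ksk_tags(parse_dnskey_lines(text))
    print("KSK tags present:", tags)
    print("KSK-2017 (tag 20326) trusted:", KSK_2017_TAG in tags)
```

Run it against the resolver's own trust-anchor file rather than against `dig . DNSKEY` output alone: the root zone publishing the new key says nothing about whether a given resolver has accepted it, which is exactly the gap the postponement is about.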
ICANN is reaching out to its community, Regional Internet
Registries, Network Operator Groups and others to help explore and resolve the
issues.
A new date for the Key Roll has not yet been determined. ICANN’s
Office of the Chief Technology Officer says it is tentatively hoping to
reschedule the Key Roll for the first quarter of 2018, but it will be dependent
on more fully understanding the new information and mitigating as many
potential failures as possible. In the meantime, ICANN remains confident in the
security of the current cryptographic key and by extension, the security of the
DNS.
ICANN will provide additional information as it becomes
available and the new Key Roll date will be announced as appropriate.
“It’s our hope that network operators will use this additional
time period to be certain that their systems are ready for the Key Roll,” said
Marby. “Our testing platform (http://go.icann.org/KSKtest) will help operators
ensure that their resolvers are properly configured with the new key and we
will continue our engagement and communications to these operators.”
About DNSSEC
To easily identify resources on the Internet, the underlying numerical addresses for these resources are represented by human-readable strings. The conversion of these strings to numbers is done by the distributed, hierarchical Domain Name System (DNS). Increased sophistication in computing and networking since its design in 1983 has made this “phone book” vulnerable to attacks. In response to these threats, the Internet Engineering Task Force (IETF), the international standards organization for Internet protocols, developed DNSSEC to cryptographically ensure that DNS content cannot be modified between its source and the resolver without being detected. Once fully deployed, DNSSEC will prevent attackers from redirecting users by forging or altering DNS responses.