ICANN sets plan to reinforce internet DNS security


In a few months, the internet will be a more secure place. 

That’s because the Internet Corporation for Assigned Names and Numbers (ICANN) has voted to go ahead with the first-ever changing of the cryptographic key that helps protect the internet’s address book – the Domain Name System (DNS). 

The ICANN Board, at its meeting in Belgium this week, decided to proceed with its plans to change or “roll” the key for the DNS root on Oct. 11, 2018. It will mark the first time the key has been changed since it was first put in place in 2010.

During its meeting, ICANN spelled out the driving forces behind the need for the improved DNS security that the rollover will bring. For example, with the continued evolution of Internet technologies and facilities, the deployment of IoT devices and the increased capacity of networks all over the world, coupled with the unfortunate lack of sufficient security in those devices and networks, attackers have increasing power to cripple Internet infrastructure, ICANN stated.

“Specifically, the growth in attack capacity risks outstripping the ability of the root server operator community to expand defensive capacity. While it remains necessary to continue to expand defensive capacity in the near-term, the long-term outlook for the traditional approach appears bleak,” ICANN stated. 

The KSK rollover means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, according to ICANN. Such resolvers run software that converts typical addresses like networkworld.com into IP network addresses. 

Those parties include internet service providers, enterprise network administrators and other DNS resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root’s “trust anchor,” ICANN said.

ICANN noted that due to the lack of significant deployment of Domain Name System Security Extensions (DNSSEC) validation, responses from the Root Server System remain at risk from integrity attacks.

Similarly, as a result of DNS messages assumed to be sent unencrypted, the users of the Root Server System (i.e., resolvers) are subject to confidentiality attacks. While these attacks are not necessarily new, the ever-increasing reliance on DNS and hence, the Root Server System, suggests a new strategy is needed to reduce the effect of these attacks, ICANN stated.

ICANN said it expects minimal user impact from the rollover but a small percentage of internet users could see problems in resolving domain names, which means they will have problems reaching their online destination.

For enterprise users, the move should have little impact. First of all, ICANN said more than 99% of users whose resolvers are validating will be unaffected by the KSK rollover. Enterprises should have already updated their software to do automatic key rollovers (“RFC 5011” rollovers) or manually installed the new key by now.  
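A resolver is ready for the roll only if the new KSK is already in its trust-anchor set. The following added example (not from ICANN or the original article) computes DNSKEY key tags per RFC 4034 Appendix B and classifies a trust-anchor file; the sample keys, their tags and the `rollover_status` helper are constructed for illustration, so substitute the key tags ICANN publishes for the root KSKs.

```python
import base64

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA wire format."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte  # even offsets are high bytes
    acc += (acc >> 16) & 0xFFFF                     # fold the carry back in
    return acc & 0xFFFF

def parse_anchors(text: str) -> dict:
    """Map key tag -> flags for each DNSKEY line in presentation format."""
    anchors = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # strip trailing comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        if len(fields) < i + 5:
            continue                                # malformed line, skip it
        flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        anchors[key_tag(flags, proto, alg, pubkey)] = flags
    return anchors

def rollover_status(text: str, old_tag: int, new_tag: int) -> str:
    """Classify a trust-anchor set ahead of a KSK roll (hypothetical helper)."""
    # Only keys with the SEP bit set (flags 257) act as key-signing keys.
    ksks = {tag for tag, flags in parse_anchors(text).items() if flags & 0x0001}
    if new_tag in ksks:
        return "ready"          # validation keeps working after the roll
    if old_tag in ksks:
        return "old-key-only"   # validation fails once the old key is retired
    return "no-root-ksk"        # no usable trust anchor configured

# Constructed sample anchors: tiny fake keys, NOT the real root KSKs.
OLD_ONLY = ". 172800 IN DNSKEY 257 3 8 AQIDBA== ; constructed old KSK\n"
BOTH = OLD_ONLY + ". 172800 IN DNSKEY 257 3 8 BQYHCA== ; constructed new KSK\n"
OLD_TAG, NEW_TAG = 2063, 4119   # key tags of the two constructed keys

if __name__ == "__main__":
    for name, anchors in (("old only", OLD_ONLY), ("both keys", BOTH)):
        print(name, "->", rollover_status(anchors, OLD_TAG, NEW_TAG))
```

A resolver that reports `old-key-only` is the case the article describes: it either has not completed an RFC 5011 automatic update or needs the new key installed manually.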

“There is no way of completely assuring that every network operator will have their ‘resolvers’ properly configured, yet if things go as anticipated, we expect the vast majority to have access to the root zone,” ICANN Board Chair Cherine Chalaby said in a statement. 

Research shows that there are many thousands of network operators that have enabled DNSSEC validation, and about a quarter of the internet’s users rely on those operators, said David Conrad, ICANN’s chief technology officer.

“It is almost certain there will be at least a few operators somewhere across the globe who won’t be prepared, but even in the worst case, all they have to do to fix the problem is turn off DNSSEC validation, install the new key, and reenable DNSSEC, and their users will again have full connectivity to the DNS,” he said.

The Root KSK Rollover from the 2010 KSK to the 2017 KSK version was supposed to take place almost a year ago but was delayed until Oct. 11 of this year because of potential Internet connectivity disruption concerns.

But ICANN said that after consulting with the community, they developed a new plan that recommends putting the new key into use exactly one year after originally scheduled. The organization has continued outreach and investigations on how to best mitigate risks associated with the key change.

“This is the first root key change, but it won’t be the last,” said Matt Larson, vice president of research at ICANN and the organization’s point person for the key roll. “This is the first time, so naturally we are bending over backwards to make certain that everything goes as smoothly as possible, but as we do more key rollovers in the future, the network operators, ISPs, and others will become more accustomed to the practice.”
