Ready or not, the upgrade to an important internet security operation may soon be launched. Then again, it might not.
The Internet Corporation for Assigned Names and Numbers (ICANN) will meet the week of Sept. 17 and will likely decide whether or not to give the go ahead on its multi-year project to upgrade the top pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol — commonly known as the root zone key signing key (KSK) — which secures the Internet’s foundational servers.
Changing these keys and making them stronger is an essential security step, in much the same way that regularly changing passwords is considered a practical habit by any Internet user, ICANN says. The update will help prevent certain nefarious activities such as attackers taking control of a session and directing users to a site that for example might steal their personal information.
This Root KSK rollover from the 2010 KSK to the 2017 KSK was supposed to take place almost a year ago but was delayed until Oct. 11 of this year because of concerns it might disrupt internet connectivity to significant numbers of web users.
The KSK rollover means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, according to ICANN. Such resolvers run software that converts website names like networkworld.com into numerical IP addresses.
Internet Service Providers provide this service as do enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root’s “trust anchor,” ICANN states.
ICANN says it expects minimal user impact from the root KSK rollover, but a small percentage of Internet users could face problems resolving domain names into IP addresses — which means problems reaching their online destinations.
The issue isn’t widespread, but is still a concern. “There are currently a small number of Domain Name System Security Extensions (DNSSEC) validating recursive resolvers that are misconfigured, and some of the users relying upon these resolvers may experience problems,” ICANN wrote in a recent release. Recursive resolvers receive DNS resolution requests and find the DNS server that can fulfill them.
Verisign recently wrote that earlier this year it began contacting operators of recursive servers when they reported only the old trust anchor. However, in many cases, a responsible party could not be identified, due in large part to dynamic addressing of ISP subscribers. Also, late last year, ICANN began receiving trust anchor signaling data from more root server operators, as well as from more recursive name servers as they updated to software versions that provide these signals. As of now, percentages are relatively stable at roughly 7 percent of reporters still signaling the 2010 trust anchor, Verisign wrote.
So, what should enterprises and others expect from the rollover, should it occur? First of all, ICANN says users who rely on a resolver that has the new KSK and users who rely on a resolver that does not perform DNSSEC validation won’t see any impact. Data analysis suggests that more than 99 percent of users whose resolvers are validating will be unaffected by the KSK rollover, ICANN says.
As for enterprises, they should have already updated their software to do automatic key rollovers (sometimes called “RFC 5011” rollovers) or manually installed the new key by now. If they haven’t turned on automatic updates, they must do so before Sept. 10, or the update mechanism won’t have kicked in correctly in time for the rollover, Pau
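Why the deadline sits about a month before the rollover comes down to the RFC 5011 add hold-down: a resolver must see a new KSK in a validly signed root DNSKEY RRset continuously for 30 days before it will trust it. The simulation below is an added example written for this article, not ICANN's, Verisign's or any resolver's code; it assumes daily polling, a rollover moment of 16:00 UTC on Oct. 11, and the publicly known key tags of the two root KSKs (19036 and 20326), and it models only the add-key path of RFC 5011 without signature checks.

```python
import datetime as dt

# Well-known key tags of the two root KSKs (taken from IANA's published trust
# anchor data, not from the article); any integer ids would do for the simulation.
KSK_2010, KSK_2017 = 19036, 20326
ADD_HOLD_DOWN = dt.timedelta(days=30)          # RFC 5011, section 2.4.1
START, ADDPEND, VALID = "Start", "AddPend", "Valid"


class TrustAnchorStore:
    """Simplified RFC 5011 tracker covering only the add-key path.

    Keys are identified by key tag. The caller is assumed to pass only SEP keys
    from a root DNSKEY RRset whose RRSIG already verified against a trusted key,
    so no signature checking happens here (an assumption of this example)."""

    def __init__(self, initial_tags):
        self.state = {tag: VALID for tag in initial_tags}   # configured anchors
        self.first_seen = {}

    def observe(self, now, sep_key_tags):
        """Process one validated poll of the root DNSKEY RRset at time `now`."""
        for tag in sep_key_tags:
            st = self.state.get(tag, START)
            if st == START:                       # new key: start the hold-down
                self.state[tag], self.first_seen[tag] = ADDPEND, now
            elif st == ADDPEND and now - self.first_seen[tag] >= ADD_HOLD_DOWN:
                self.state[tag] = VALID           # seen throughout the hold-down
        # A pending key that drops out before the hold-down expires returns to Start.
        for tag in [t for t, s in self.state.items() if s == ADDPEND and t not in sep_key_tags]:
            del self.state[tag], self.first_seen[tag]

    def trusted(self):
        return {t for t, s in self.state.items() if s == VALID}


def can_validate_after_rollover(first_poll_iso, rollover_iso="2018-10-11T16:00",
                                old_tag=KSK_2010, new_tag=KSK_2017):
    """Simulate a resolver configured with only the old KSK that starts polling
    once a day (assumed) at `first_poll_iso`, while both KSKs are published.
    Returns True if the new KSK is trusted by the rollover moment (assumed 16:00 UTC)."""
    store = TrustAnchorStore({old_tag})
    now, rollover = (dt.datetime.fromisoformat(s) for s in (first_poll_iso, rollover_iso))
    while now <= rollover:
        store.observe(now, {old_tag, new_tag})
        now += dt.timedelta(days=1)
    return new_tag in store.trusted()
```

A resolver that first sees the 2017 KSK on Sept. 10 completes the hold-down in time; one that starts polling on Sept. 20 or later is still in AddPend when the root zone switches signing keys and cannot validate.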