A New Security Key for the Internet
31/10/2018
For the first time in history, the root zone key is being rolled over, a global challenge considering the size of the network. The DNS root KSK rollover process began on 11 October 2018, when the new Domain Name System Security Extensions (DNSSEC) key was first used.
The process is expected to be completed in March 2019, when the previous key will be deleted from the ICANN key management facilities. By then, every Internet operator should have replaced the old key with the new one.
Currently, 750 million people are using DNSSEC-validating resolvers which could be affected by the key rollover. If those systems are not updated with the new key, end users will not be able to access the Internet.
Carlos Martínez, LACNIC CTO and one of the representatives of the numbers community who participated in the process for the generation of the new root zone KSK, told us that this change will take place in what remains of 2018 and early 2019, with the process being scheduled so as to avoid any impact to Internet operators.
What is the Internet root zone and why is it important?
Think of the DNS root zone as a file that contains information about where top-level domain (TLD) servers can be found. TLDs are top-level domain names, such as “.com”, “.net”, “.org”, “.uy”, “.ar” and others used for the rest of the countries.
The root zone is particularly important for the proper functioning of the Internet, as we rely on it to find the names of the websites we wish to access, such as “www.lacnic.net” or “www.riu.edu.ar.” The root zone tells us how to find “.net” or “.ar” in each case.
Why was the DNSSEC protocol created and what is it used for?
DNSSEC is a set of Domain Name System (DNS) extensions that allow us to protect the content of the DNS zones (“domains”) and keep them from being maliciously altered. This is achieved by introducing digital signatures and cryptographic keys in the domains themselves.
When accessing a website, a user can verify that the name (“www.lacnic.net”) has been properly signed.
We can think of this as a complement to the padlock icon displayed by browsers, one specifically applied to name resolution.
What are the cryptographic keys used in the DNSSEC protocol?
A key, or more precisely a “pair of keys,” is a pair of one public and one private number which, in the case of DNSSEC, through the use of encryption algorithms, allows the generation of digital signatures that can be verified by other users.
Cryptographic keys are very long numbers (hundreds of digits) which, through cryptographic algorithms, allow generating digital signatures that can be used to verify the integrity of a domain name.
Why are these cryptographic keys important?
Because they allow verifying the integrity of the information provided by the DNS. Indeed, the longer the key (the more digits it has) the more secure it is.
Keys allow verifying signatures and therefore knowing whether a name has been maliciously altered.
How do these keys affect Internet end users?
End users have no direct contact with these keys. These keys, however, are used by the DNS servers that offer services to end users.
Known as recursive servers, these servers validate digital signatures and, if they find that a name has been altered (if the signature is incorrect), notify the end user that there is a problem with the name’s resolution. This helps users avoid websites that have been tampered with.
Why is the root zone signature important?
The root zone signature is special because of its critical importance in Internet name resolution. If there were to be a problem with this signature, Internet services might be widely affected.
This is why the root zone is signed following a series of very clearly defined procedures, in a highly controlled environment, and witnessed by community representatives.
Who holds this file or root zone keys?
The IANA, or what is now known as the PTI, controls the edition of the root zone file.
However, the authority to introduce changes to this file is governed by a more complex process which, for example, distinguishes country code TLDs (.uy, .ar, etc.) from generic TLDs (.com, .black, .info, .net).
Is this the first time these keys will be changed?
Yes. This will be the first time the Root Zone Key Signing Key (KSK) is changed since it was initially generated in 2010.
Who manages the keys?
The keys are stored in special physical devices known as hardware security modules (HSMs), which are kept under custody at two secure locations. ICANN manages these locations, known as key management facilities (KMFs), as well as the corresponding equipment.
Are these keys vulnerable?
The keys themselves are simply numbers. They are only valuable because they are kept secret. This is why the keys never leave their HSMs and the HSMs generate the signatures directly, without ever revealing the private key itself.
In other words, no one has even seen the private key. It is there, yet we never see it.
How are the keys changed and who decides to change them?
The decision to change the keys is based on industry best practices, which recommend periodic key rollovers.
The decision on when to perform these rollovers depends on multiple factors. In this particular case, the decision to roll over the root zone keys was made in 2015. However, given the complexity and potential for negative impacts, a series of preliminary studies were conducted to make sure that these effects would be kept to a minimum.
What does the process involve?
The process began by generating and publishing the new key. We are now entering a period of verification and communication to the public.
Who needs to take action at this stage?
Every organization using DNSSEC-validating resolvers, particularly those performing DNSSEC validation (and, if they aren’t, they should be!), must keep up with the changes as they occur.
If they are using recent versions of DNS software, no action will probably be required. If they are using older versions of the software, some devices may require manual intervention.
Is there any chance that problems will occur during the rollover?
There is always the chance that something might go wrong, as there is no such thing as 100% perfection. Some organizations will likely have to correct certain situations, but we trust that the process will move forward without major issues.
What are the milestones in this KSK rollover?
The milestones are included in the timeline published by the IANA/PTI. They can be found here.
Click here to watch the presentation by Hugo Salgado and Mauricio Vergara on this topic at LACNIC 30 LACNOG
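One way an operator could check which root KSKs a validating resolver's trust-anchor file holds, as an added example that is not part of the original interview: it computes DNSKEY key tags per RFC 4034 Appendix B and reports the rollover state. The keys are constructed sample data (not the real root keys), the one-record-per-line file layout is an assumption, and the function names are hypothetical.

```python
import base64
import struct

SEP, REVOKE = 0x0001, 0x0080  # DNSKEY flag bits (RFC 4034, RFC 5011)

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def trusted_ksk_tags(anchor_text):
    """Key tags of usable KSKs; assumes one DNSKEY record per line."""
    tags = set()
    for line in anchor_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop ';' comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        key = base64.b64decode("".join(fields[i + 4:]))
        # Only key-signing keys (SEP bit) that are not revoked count as anchors.
        if flags & SEP and not flags & REVOKE:
            tags.add(key_tag(flags, proto, alg, key))
    return tags

def rollover_state(anchor_text, old_tag, new_tag):
    """Classify an anchor file relative to the old and new KSK tags."""
    tags = trusted_ksk_tags(anchor_text)
    if new_tag in tags:
        return "both" if old_tag in tags else "new-only"
    return "old-only" if old_tag in tags else "no-anchor"

def sample_rr(flags, fill):
    """Constructed record: 32 identical bytes stand in for a public key."""
    b64 = base64.b64encode(bytes([fill]) * 32).decode()
    return f". 172800 IN DNSKEY {flags} 3 8 {b64}"

# Constructed anchor files: an old KSK plus a ZSK, then the same with a new KSK.
OLD_ONLY = "; constructed anchors\n" + sample_rr(257, 1) + "\n" + sample_rr(256, 3)
MID_ROLL = OLD_ONLY + "\n" + sample_rr(257, 2)
OLD_TAG = key_tag(257, 3, 8, b"\x01" * 32)
NEW_TAG = key_tag(257, 3, 8, b"\x02" * 32)

if __name__ == "__main__":
    for name, text in (("old-only file", OLD_ONLY), ("mid-rollover file", MID_ROLL)):
        print(name, "->", rollover_state(text, OLD_TAG, NEW_TAG))
```

A resolver whose file reports "old-only" is the case that needs manual intervention before the old key is retired.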
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.