A new security key for the Internet
31/07/2017
For the first time in history, the root zone key is being rolled over, a global challenge considering of the size of the network. This process kicked off on July 11, when the new Domain Name System Security Extensions (DNSSEC) key generated in October last year was published and will take a year to complete.
The rollover process is expected to be completed in August 2018, when ICANN will remove the previous key from the equipment it uses to manage keys in its facilities. By then, every Internet operator should have replaced their old password with the new one.
Currently, 750 million people are using DNSSEC validation resolvers which could be affected by the key rollover. If those systems are not updated with the new key, end users will not be able to access the Internet.
Carlos Martínez, LACNIC CTO and one of the persons responsible for generating the new global root zone key on behalf of the community, told us that this change will take place in 2017 and that it will be scheduled to avoid any impact for Internet operators.
What is the Internet root zone and why is it important?
Think of the DNS root zone as a file that contains information about where top-level domain (TLD) servers can be found. TLDs are top-level domain names, such as “com”, “net”, “org”, “uy”, “ar” and those for the rest of the countries.
The root zone is particularly important for the proper functioning of the Internet, as we rely on it to find the names of the websites we wish to access, such as “www.lacnic.net” or “www.riu.edu.ar.” The root zone tells us how to find “net” or “ar” in each case.
Why was the DNSSEC protocol created and what is it used for?
DNSSEC is a set of Domain Name System (DNS) extensions that allow us to protect the contents of the DNS zones (“domains“) and keep them from being maliciously altered. This is achieved by introducing digital signatures and cryptographic keys in the domains themselves.
When accessing a website, a user can verify that the name (“www.lacnic.net“) has been properly signed. We can think of it as a complement to the padlock icon displayed by browsers, but specifically applied to name resolution.
What are the cryptographic keys used in the DNSSEC protocol?
A key – more precisely a “pair of keys” – is a pair of one public and one private number which, in the case of DNSSEC, through the use of encryption algorithms, allows the generation of digital signatures that can be verified by other users.
Cryptographic keys are very long numbers (hundreds of digits) which, through mathematical operations defined in cryptographic algorithms, allow generating digital signatures that can be used to verify the integrity of a domain name.
Why are these cryptographic keys important?
Because they allow verifying the integrity of the information provided by the DNS. What is more, the longer the key (the more digits it has) the more secure it is.
Keys allow verifying the signatures and thus knowing whether a name has been maliciously altered or not.
How do these keys affect Internet end users?
End users have no direct contact with these keys, but they are used by the DNS servers that offer services to end users.
Known as recursive servers, these servers validate digital signatures and, if they find that a name has been altered (if the signature is incorrect), notify the end user that there is a problem with the name’s resolution. This helps users avoid websites that have been tampered with.
What is the “root zone signature“ like?
The root zone’s signature is a special case because of its critical importance in Internet name resolution. If there were to be a problem with this signature, Internet services might be widely affected.
This is why the root zone is signed following a series of very clearly defined procedures, in a highly controlled environment, and witnessed by community representatives.
Who holds this file or root zone keys?
The IANA – or what we now know as the PTI – controls the edition of the root zone file.
However, the authority to introduce changes to this file is governed by a more complex process which, for example, distinguishes country code TLDs (.uy,.ar, etc.) from generic TLDs (.com, .black, .info, .net).
Is this the first time these keys will be changed?
Yes. This will be the first time the Root Zone Key Signing Key (KSK) has been changed since it was initially generated in 2010
Who manages the keys?
The keys are stored in physical devices called hardware security modules (HSMs), which in turn are kept at two secure locations. ICANN manages these locations, known as key management facilities (KMFs).
Are these keys vulnerable?
The keys themselves are simply numbers. They are only valuable because they are kept secret. This is why keys never leave their HSMs and the HSMs generate the signatures directly, without ever revealing the private key itself.
In other words, no one has even seen the private key. It is there, yet we never see it.
How are the keys changed and who decides to change them?
The decision to change the keys is based on industry best practices, which recommend periodic key “rollovers.”
The decision on when to perform these rollovers depends on multiple factors. In this specific case, the need to rollover the root zone keys was made in 2015. However, given the complexity and potential for a negative impact, a series of preliminary studies were conducted to make sure that these effects would be kept to a minimum.
What can you tell us about the process that has already been initiated?
The process began by generating and publishing the new key. We are now entering a period of verification and communication to the public.
Who needs to take action at this stage?
Every organization using DNSSEC-validating resolvers, particularly those performing DNSSEC validation (and, if they aren’t, they should be!) must keep up with the changes as they occur.
If they are using recent versions of DNS software, no action will probably be required. If they are using older versions of the software, some devices may require manual intervention.
Is there any chance that problems will occur during the rollover process?
There is always the possibility that a problem might occur. Nothing is 100% perfect. Some organizations will likely have to correct certain situations, but we trust that the process will be carried forward without major issues.
What are the important dates in this KSK rollover?
The important dates are those published by the IANA/PTI:
http://www.lacnic.net/en/web/lacnic/key-signing-key
Watch the video: