The October deadline for changing the root zone key signing key (KSK) for the Domain Name System Security Extensions (DNSSec) is fast approaching. Enterprises that operate their own recursive name servers and use DNSSec validation to protect their domains must make sure systems have been updated with the new signing keys or risk having users unable to access portions of the Internet.
The Internet Corporation for Assigned Names and Numbers (ICANN) will start using the new root zone key signing key generated late last year to sign domains starting Oct. 11. Internet service providers (ISP), enterprise network operators, hardware manufacturers, and application developers performing DNSSEC validation need to update their systems with the public part of the key pair by the deadline. If the systems aren’t updated with the new public key, when the old key is finally revoked in 2018, DNSSEC validations will fail and cause DNS to break.
“Those who suffer will be those whose recursive name server operators performing DNSSec validation but which have not correctly received, stored, and configured the new key during its pre-publication period,” said internet security pioneer Paul Vixie, currently the CEO and founder of Farsight Security.
DNSSEC’s ultimate root key
The Domain Name System (DNS) acts as the internet’s phone book, translating IP addresses to easy-to-remember domain names. However, the distributed nature of DNS makes the system vulnerable to hijacking as users get diverted to fraudulent sites through DNS cache poisoning or DNS spoofing. The DNSSEC protocol, introduced in 2010, thwarts hijacking by using cryptographic key pairs to verify and authenticate the results of a DNS lookup. If the DNS response has been tampered with, the keys don’t match and the browser returns an error instead of sending users to the incorrect destination.
DNSSEC works as a hierarchy with different bodies responsible for each layer and signing the key of the entities in the layer below. The key signing key is a cryptographic public-private key pair, and the root zone KSK secures the topmost layer of the hierarchy, the starting point for DNSSEC validation.
There is nothing wrong with the key—it hasn’t been stolen or tampered with—but it is good security practice to periodically rotate the signing key so that even if it falls into the wrong hands, everyone is already using the newer, stronger key. There is no reason to wait for something bad to happen—for the key to be cracked, for example—before updating to a newer, stronger, key.
“Updating the DNSSEC KSK is a crucial security step, similar to updating a PKI Root Certificate,” the United States Computer Emergency Response Team (US-CERT) wrote in a recent advisory. “Maintaining an up-to-date Root KSK as a trust anchor is essential to ensuring DNSSEC-validating DNS resolvers continue to function after the rollover.”
Sign up for Computerworld eNewsletters.