The Internet Corporation for Assigned Names and Numbers (ICANN) announced this week that the replacement of the root zone key signing key (KSK) for the Domain Name System Security Extensions (DNSSEC) protocol has been postponed by at least one quarter due to the failure of some network operators to install the new key.
ICANN estimates that roughly 750 million people worldwide are affected by the KSK rollover. The change of the key was initially planned for October 11, but ICANN has recently learned that many network operators and Internet service providers (ISPs) are not prepared, which would lead to tens of millions of users going offline.
Data provided by a recently added DNS protocol feature has allowed ICANN to see how many DNSSEC-validating resolvers have been configured with the new root KSK. The data shows that roughly 6-8% of these systems still use the KSK from 2010, the year when the DNSSEC protocol was introduced.
This means that as many as 60 million users may have been kicked off the Internet had ICANN decided to stick to the original date of October 11.
“Throughout the project we have emphasized that the root KSK is being rolled under normal operational conditions and have proceeded cautiously and without haste,” explained Matt Larson, VP of Research at ICANN’s Office of the CTO. “The decision to postpone was taken in that spirit of caution because there is no operational pressure to proceed given our continued confidence in the security of KSK-2010.”
While some network operators may need to manually configure the new KSK and they have failed to do so, ICANN believes some organizations may not know they are unprepared for the key rollover. These organizations configured their systems to automatically update the key, but the process failed due to software defects, operator errors or some other cause.
A new date has not been set for the key rollover, but ICANN has decided to delay it for at least one quarter.
DNSSEC and the KSK rollover
Since DNS, the system that translates domain names to IP addresses, was not designed with security in mind, the DNSSEC protocol was introduced to prevent users from being directed to malicious websites via DNS spoofing attacks.
DNSSEC aims to achieve this by cryptographically signing DNS information, including the root zone, which is the highest level of the DNS structure. If DNSSEC is used, the root zone vouches for the public key of the .com zone (or other TLD zone), which in turn vouches for all .com domains. Since the root zone is at the top of the DNS hierarchy, there is no higher level to vouch for it so its zone key is configured as a “trust anchor,” a key that is declared trustworthy.
The trust anchor key is called a key signing key (KSK), and all recursive name servers performing DNSSEC validation need to have the root zone’s KSK set as a trust anchor. These name server are typically operated by Internet service providers (ISPs) and enterprises, and if the KSK is not configured properly, DNS resolution will not work for their users.
Since it could get compromised, ICANN plans to periodically change, or roll, the KSK. A new KSK was generated in October 2016 and the plan was to have it replace the original key by October 11. According to the initial schedule, the old KSK would have been revoked on January 11, 2018.