Organizations Reminded of DNSSEC Key Signing Key Rollover

Organizations are being reminded that the Internet Corporation for Assigned Names and Numbers (ICANN) will soon change the root zone key signing key for the Domain Name System Security Extensions (DNSSEC) protocol. Failure to take action could result in users being unable to access the Internet.
DNS, the system that translates domain names to IP addresses, was not designed with security in mind. In an effort to prevent users from being directed to malicious websites via DNS spoofing attacks, the DNSSEC protocol was introduced in 2010.

DNSSEC aims to prevent attacks by cryptographically signing DNS information, including the root zone, which is the highest level of the DNS structure. If DNSSEC is used, the root zone vouches for the public key of the .com zone (or other TLD zone), which in turn vouches for all .com domains. Since the root zone is at the top of the DNS hierarchy, there is no higher level to vouch for it, so its zone key is configured as a so-called “trust anchor,” a key that is declared trustworthy.

The trust anchor key is called a key signing key (KSK), and all recursive name servers performing DNSSEC validation need to have the root zone’s KSK set as a trust anchor. These name servers are typically operated by Internet service providers (ISPs) and enterprises, and if the KSK is not configured properly, DNS resolution will no longer work for their users.

Since keeping a cryptographic key in use for a long period of time is considered bad security practice, because the risk of compromise grows the longer the key is exposed, ICANN plans to periodically change, or “roll,” the KSK.

A new KSK was generated in October 2016 and it will be used to sign the root zone key set starting October 11, 2017. By this date, all DNSSEC-validating resolvers need to be configured with the new root KSK.

On January 11, 2018, the old KSK will be revoked and March 22, 2018 is the last day on which the old KSK will appear in the root zone. In August 2018, the old key will be deleted from equipment in ICANN’s two key management facilities.

ICANN estimates that roughly 750 million people worldwide use DNSSEC validation and are affected by the KSK rollover so it’s important that stakeholders take action to prevent service disruptions.

In the case of software that supports automated updates of DNSSEC trust anchors, the root zone KSK will be updated automatically at the appropriate time and no action needs to be taken. However, in the case of software that does not support automated updates, DNSSEC trust anchors need to be manually updated. The developers of BIND, the most widely deployed DNS software, have provided instructions for users.
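The following is an added illustration, not code from the article, BIND or ICANN, of why a resolver's configured trust anchors decide whether the root key set still validates across the October 11 switch. It computes DNSKEY key tags per RFC 4034 Appendix B over constructed stand-in keys (the real root KSKs are far longer RSA keys) and models only the trust-anchor match, not the actual RRSIG signature verification.

```python
import struct
from dataclasses import dataclass

SEP_FLAG = 0x0001  # DNSKEY flags bit 15: set on a KSK (257), clear on a ZSK (256)


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


@dataclass(frozen=True)
class DNSKey:
    flags: int
    algorithm: int
    pubkey: bytes  # constructed test bytes, not real key material

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, 3, self.algorithm) + self.pubkey

    def tag(self) -> int:
        return key_tag(self.rdata())


# Constructed stand-ins for the root keys (assumed values, not the real KSK-2010/KSK-2017).
OLD_KSK = DNSKey(257, 8, b"\x01\x02\x03\x04")
NEW_KSK = DNSKey(257, 8, b"\xaa\xbb\xcc\xdd")
ZSK = DNSKey(256, 8, b"\x10\x20")


def keyset_validates(trust_anchors, dnskey_rrset, signer_tags) -> bool:
    """A validator accepts the root DNSKEY RRset only if a signature over it was made
    by a KSK that is both present in the RRset and matches a configured trust anchor."""
    by_tag = {k.tag(): k for k in dnskey_rrset}
    for tag in signer_tags:
        signer = by_tag.get(tag)
        if signer is not None and signer.flags & SEP_FLAG and signer in trust_anchors:
            return True
    return False


def rollover_outcomes(trust_anchors) -> dict:
    """Before the switch the old KSK signs the root key set; from October 11 the new KSK does.
    Both KSKs (and the ZSK) sit in the RRset throughout; only the signing key decides."""
    rrset = {OLD_KSK, NEW_KSK, ZSK}
    return {
        "before": keyset_validates(trust_anchors, rrset, [OLD_KSK.tag()]),
        "after": keyset_validates(trust_anchors, rrset, [NEW_KSK.tag()]),
    }
```

A resolver anchored only on the old KSK validates today and fails the day the new key starts signing, which is the outage the article warns about; holding both anchors works across the switch.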

Organizations not using DNSSEC are not impacted, but use of the protocol is recommended for security reasons.

US-CERT has reminded organizations about the October 11 root zone KSK change and advised them to update their key before this date, particularly federal agencies, which, unlike private sector companies, are required to use DNSSEC.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.