The Internet Corporation for Assigned Names and Numbers will this week do some important housecleaning from its successful, first-ever cryptographic key change performed last October.
In October ICANN rolled out a new, more secure root zone Key Signing Key -2017 (KSK-2017) but the process wasn’t complete as the old key, KSK-2010 remained in the zone. On January 10 ICANN will revoke the old key and remove it from the root zone. The KSK helps protect the internet’s address book – the Domain Name System (DNS) and overall Internet security.
“The ICANN organization does not expect problems with the revocation,” wrote Paul Hoffman, Principal Technologist with ICANN in a blog about the revocation activity.
"However, this is the first time a KSK in the Domain Name System (DNS) root has been revoked, so the ICANN org and the DNS technical community will be watching carefully for at least 48 hours after the publication of the revoked KSK-2010.”
Hoffman wrote: “Before we remove KSK-2010 from the zone altogether, we want to mark that key as revoked for all the resolvers that follow the ‘Automated Updates of DNSSEC Trust Anchors’ standard (RFC 5011). By marking the old key as revoked, any system that uses RFC 5011 will see that KSK-2010 is no longer valid and will not trust that key in the future. The revocation mark will be visible until 22 March 2019, at which point KSK-2010 will be completely removed from the root zone forever.”
ICANN encourages vendors to no longer ship KSK-2010 in their products. Similarly, anyone who is maintaining their list of DNS root trust anchors by hand should remove KSK-2010 from their configurations, Hoffman wrote.
The change is central to ICANN’s project to upgrade the top pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol — also known as the root zone Key Signing Key or just KSK — which secures the internet's foundational servers.
ICANN in the past has noted that due to the lack of significant deployment of Domain Name System Security Extensions (DNSSEC validation), responses from the Root Server System remain at risk from integrity attacks.
Similarly, as a result of DNS messages assumed to be sent unencrypted, the users of the Root Server System are subject to confidentiality attacks. While these attacks are not necessarily new, the ever-increasing reliance on DNS and hence, the Root Server System, suggests a new strategy is needed to reduce the effect of these attacks, ICANN stated.
Last October’s KSK rollover, which went off smoothly, involved generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, according to ICANN. Such resolvers run software that converts typical addresses like networkworld.com into IP network addresses.
Resolvers include internet service providers, enterprise network administrators and other DNS resolver operators, DNS resolver software developers, system integrators, and hardware and software distributors who install or ship the root's "trust anchor," ICANN said.
ICANN said it will report any significant issues with this week’s changes here.
Thanks to Michael Cooney (see source)