In a very short time, the internet will become a much more secure place.
That’s because the Board of Directors for the Internet Corporation of Assigned Names and Numbers (ICANN) has approved plans for the first-ever changing of the cryptographic key that helps protect the Domain Name System (DNS) – also known as the internet’s address book.
During a meeting in Belgium on September 16, the ICANN board passed a resolution, directing the organization to proceed with its plans to change — or “roll” — the key for the DNS root on October 11 of this year. It will mark the first time the key has been changed since it was first put into use in 2010.
“This is an important move and we have an obligation to ensure that it happens in furtherance of ICANN’s mission, which is to ensure a secure, stable and resilient DNS,” says ICANN Board Chair, Cherine Chalaby.
“There is no way of completely assuring that every network operator will have their ‘resolvers’ properly configured, yet if things go as anticipated, we expect the vast majority to have access to the root zone,” Chalaby went on to say.
ICANN notes that some Internet users might be affected if the network operators or Internet Service Providers (ISPs) have not prepared for the roll. Those operators who have enabled the checking of Domain Name System Security Extensions or DNSSEC information (a set of security protocols used to ensure DNS information isn’t accidentally or maliciously corrupted) are those who need to be certain they are ready for the roll.
“Research shows that there are many thousands of network operators that have enabled DNSSEC validation, and about a quarter of the internet’s users rely on those operators,” says David Conrad, ICANN’s Chief Technology Officer.
“It is almost certain there will be at least a few operators somewhere across the globe who won’t be prepared. But even in the worst case, all they have to do to fix the problem is turn off DNSSEC validation, install the new key, re-enable DNSSEC, and their users will again have full connectivity to the DNS.”
The changing of the DNS root key was originally scheduled to happen a year ago, but plans were put on hold after ICANN found and began analyzing some new, last-minute data. That data dealt with the potential readiness of network operators for the key roll.
Ultimately, an analysis led the organization to believe it could safely proceed with the changing of the key. As a result, the organization (after consultation with the community) developed a new plan that recommends putting the new key into use exactly one year after originally scheduled.
In the intervening time, the organization has continued extensive outreach and investigations on how to best mitigate risks associated with the key change.
“This is the first root key change, but it won’t be the last,” says Matt Larson, Vice President of Research at ICANN and the organization’s point person for the key roll.
“This is the first time, so naturally we are bending over backwards to make certain that everything goes as smoothly as possible. But as we do more key rollovers in the future, the network operators, ISPs, and others will become more accustomed to the practice.”
