Rotating cryptographic keys is a security best practice, so it's good news that ICANN has begun the process to change the root key pair underpinning the security of the DNS. While the chances of a misstep are small, the fact remains that changing the root key pair has never been done before. A mistake can potentially -- temporarily -- break the Internet.
No pressure, ICANN.
As the phone book of the Internet, DNS translates easy-to-remember domain names into IP addresses so that users don't have to remember strings of numbers in order to access web applications and services. However, attackers can hijack legitimate DNS requests to divert users to fraudulent sites through DNS cache poisoning or DNS spoofing.
DNSSEC addresses the problem by using cryptographic key pairs to authenticate the results of a DNS lookup and so defeat these man-in-the-middle attacks. If the DNS response has been tampered with and the signature does not validate against the keys, the browser returns an error instead of directing the user to the incorrect destination.
"ICANN is planning to roll, or change, the 'top' pair of cryptographic keys used in the DNSSEC protocol, commonly known as the Root Zone KSK. This will be the first time the KSK has been changed since it was initially generated in 2010," ICANN said earlier this year.
DNSSEC currently relies on the original 1,024-bit RSA key generated in 2010 for its root zone key. Six years is a long time to keep using the same signing key, regardless of how carefully it has been stored and protected. The landscape has also changed in the years since: 1,024-bit RSA keys are no longer considered secure enough for the modern web. With increased computing power, the chances of someone cracking a 1,024-bit key increase. It's about time the root zone key signing key got updated to the stronger 2,048-bit key.
"If a key is old, it can be cracked. You don't want to wait for that to happen before resetting the key," says internet security pioneer Paul Vixie, currently the CEO and founder of Farsight Security. The rollover is "good cryptographic hygiene," he says.
Changing the signing key doesn't mean there has been a compromise. It's a proactive measure to ensure that if the keys ever fall into the wrong hands, the system remains secure because everyone has already moved to a newer, stronger key.
"We are exercising the software in a way that's never been done before," Vixie says, noting that it's better to perform the rollover when there isn't a crisis than to rush one after a compromise, when the security of the entire DNS is at stake.
Top to bottom
DNSSEC works as a hierarchy, with different bodies responsible for each layer and signing the key of the entities in the layer below. Individual domain owners get their keys signed by the operator of the top-level domain. For example, owners with .com domains obtain the public key from VeriSign, which administers the .com top-level domain. Every hierarchy has a topmost layer, and for DNS that's the DNS root zone, so someone has to manage the ultimate key. The Root Zone Key Signing Key is managed by ICANN in conjunction with 12 other partners.
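To make the chain of trust concrete, here is an added example (not from the article, ICANN or any resolver's code) that models the hierarchy with the DS and key-tag arithmetic from RFC 4034. The public key bytes, zone names and the `after_rollover` helper are constructed for illustration; only the hashing and key-tag steps are the real protocol, and signature checking is left out.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    name: str           # owner name: "." for the root, "com." for the TLD
    public_key: bytes   # public key field of the DNSKEY RDATA (constructed samples below)
    flags: int = 257    # ZONE + SEP bits: marks a key-signing key
    algorithm: int = 8  # RSA/SHA-256

    def rdata(self) -> bytes:
        # flags (2 bytes) | protocol (always 3) | algorithm | public key
        return self.flags.to_bytes(2, "big") + bytes([3, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag: a 16-bit locator, not a security property."""
        ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(self.rdata()))
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(key: DNSKEY) -> tuple:
    """DS record a parent publishes for a child's KSK: SHA-256 (digest type 2)
    over owner name || DNSKEY RDATA, per RFC 4034 section 5.1.4."""
    digest = hashlib.sha256(wire_name(key.name) + key.rdata()).hexdigest()
    return (key.key_tag(), key.algorithm, 2, digest)

def validate_chain(trust_anchor: tuple, ksks: list, published_ds: dict):
    """Walk from the root down: the root KSK must match the validator's trust anchor,
    every other KSK must match its parent's DS. Returns the first failing zone or None."""
    for i, ksk in enumerate(ksks):
        expected = trust_anchor if i == 0 else published_ds.get(ksk.name)
        if make_ds(ksk) != expected:
            return ksk.name
    return None

# Constructed sample keys: current root KSK, its replacement, and the .com / example.com KSKs.
KSK_OLD = DNSKEY(".", b"root-ksk-2010-sample")
KSK_NEW = DNSKEY(".", b"root-ksk-new-sample")
COM_KSK = DNSKEY("com.", b"com-ksk-sample")
EXAMPLE_KSK = DNSKEY("example.com.", b"example-ksk-sample")
PUBLISHED_DS = {"com.": make_ds(COM_KSK), "example.com.": make_ds(EXAMPLE_KSK)}

def after_rollover(validator_anchor: tuple, root_ksk: DNSKEY):
    """None if the chain validates; "." if a stale anchor breaks every lookup below the root."""
    return validate_chain(validator_anchor, [root_ksk, COM_KSK, EXAMPLE_KSK], PUBLISHED_DS)
```

Calling `after_rollover(make_ds(KSK_OLD), KSK_NEW)` returns `"."`: a validator still configured with the 2010 anchor rejects the whole tree, which is the outage the article warns about, while `after_rollover(make_ds(KSK_NEW), KSK_NEW)` returns `None`.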