Ultimately, this rollover is a very sensitive process because the key signing key is the master key.
"DNSSec works by forming a chain of trust between the root (i.e., the aforementioned trust anchor) and a leaf node. If every node between the root and the leaf is properly signed, the leaf data is validated. However, as is generally the case with digital (and even physical) security, the chain is only as strong as its weakest link," VeriSign said in a recent blog post outlining its plans to update its zone signing keys.
ICANN and volunteers from the global technical community have spent the last five years developing a multistep plan for the rollover. The first step, scheduled for this month, is to generate the new key signing key, then to distribute it so that ISPs, enterprise network operators, hardware manufacturers, and others performing DNSSec validation can update their systems with the public part of the key pair. The key pair will be generated in a hypersecure key management facility in the United States, and ICANN will securely store the private half of the key.
The public half of the key pair will be widely distributed to all the servers and devices relying on DNSSec. The new key signing key will be available on the Internet Assigned Numbers Authority website in February 2017, and it will appear in the DNS for the first time on July 11, 2017. If the systems aren't updated with the new public key, DNS will eventually break, and users will be unable to access portions of the internet. To make sure the operators have ample time to update their systems, the new keys won't be used to sign domains until October 2017.
DNSSec will support both the old key signing key and the newly generated one until January 2018, when the old one is scheduled to be revoked. The secure destruction of the old key is set for March 2018.
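The timeline above can be followed as a small simulation. The following Python is an added example, not code from the article or from ICANN or VeriSign: it models the root DNSKEY RRset at each step of the rollover (new key published, new key signing, old key revoked) and runs two resolvers through it, one that learns the new key automatically and one on unmaintained hardware that only holds the old trust anchor. Key tags such as KSK-old and KSK-new are hypothetical, and the "signatures" are SHA-256 digests standing in for real RRSIG verification, so the code shows the chain-of-trust logic and the failure mode, not DNSSEC cryptography.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Hypothetical key tags standing in for the old and new root key signing keys.
OLD_KSK = "KSK-old"
NEW_KSK = "KSK-new"


def toy_sign(signer: str, data: str) -> str:
    """Stand-in for an RRSIG: a digest bound to the signing key's tag.

    This is not public-key cryptography; it only lets the simulation record
    which key covered which DNSKEY RRset and detect an altered RRset.
    """
    return hashlib.sha256(f"{signer}|{data}".encode()).hexdigest()


@dataclass(frozen=True)
class RootZone:
    phase: str                # label for the rollover step being simulated
    dnskeys: FrozenSet[str]   # key tags published in the root DNSKEY RRset
    signer: str               # key signing key whose RRSIG covers that RRset
    rrsig: str                # the (toy) signature as published

    def rrset(self) -> str:
        return ",".join(sorted(self.dnskeys))


def publish(phase: str, keys: Iterable[str], signer: str) -> RootZone:
    """Signer's side: publish the DNSKEY RRset for a phase, signed by `signer`."""
    keyset = frozenset(keys)
    return RootZone(phase, keyset, signer, toy_sign(signer, ",".join(sorted(keyset))))


# The rollover steps as the article describes them (dates are the article's).
ROLLOVER: List[RootZone] = [
    publish("before Jul 2017: only the old KSK", {OLD_KSK}, OLD_KSK),
    publish("Jul 2017: new KSK appears in DNS", {OLD_KSK, NEW_KSK}, OLD_KSK),
    publish("Oct 2017: new KSK starts signing", {OLD_KSK, NEW_KSK}, NEW_KSK),
    publish("Jan 2018: old KSK revoked", {NEW_KSK}, NEW_KSK),
]

# Constructed tamper case: an RRset altered in transit still carries the old RRSIG.
TAMPERED = RootZone("DNSKEY RRset altered in transit",
                    frozenset({OLD_KSK, "KSK-injected"}), OLD_KSK, ROLLOVER[0].rrsig)


class Resolver:
    """A validating resolver holding the public half of one or more KSKs."""

    def __init__(self, anchors: Iterable[str], auto_update: bool) -> None:
        self.anchors = set(anchors)       # configured trust anchors
        self.auto_update = auto_update    # learns new keys (RFC 5011 style, simplified)

    def validate(self, zone: RootZone) -> str:
        # Top of the chain of trust: the RRSIG over the root DNSKEY RRset must
        # be made by a key the resolver already trusts, that key must be in
        # the RRset, and the signature must match the RRset as received.
        ok = (zone.signer in self.anchors
              and zone.signer in zone.dnskeys
              and zone.rrsig == toy_sign(zone.signer, zone.rrset()))
        if ok and self.auto_update:
            # A key introduced under a trusted signature becomes trusted too
            # (real resolvers wait out a hold-down timer before accepting it).
            self.anchors |= zone.dnskeys
        return "secure" if ok else "bogus"


def run_rollover(resolver: Resolver) -> List[Tuple[str, str]]:
    """Walk one resolver through every phase and record its verdicts."""
    return [(zone.phase, resolver.validate(zone)) for zone in ROLLOVER]


def needs_manual_update(anchors: Iterable[str]) -> bool:
    """Operator check: is the new KSK still missing from a device's anchor set?"""
    return NEW_KSK not in set(anchors)


if __name__ == "__main__":
    for name, resolver in [("maintained", Resolver({OLD_KSK}, auto_update=True)),
                           ("unmaintained", Resolver({OLD_KSK}, auto_update=False))]:
        for phase, verdict in run_rollover(resolver):
            print(f"{name:12} {phase:40} {verdict}")
    print("tampered RRset:", Resolver({OLD_KSK}, False).validate(TAMPERED))
```

The resolver that only trusts the old key validates fine while the old key is still signing, then returns "bogus" from the October 2017 step onward, which is the breakage the article warns about; the auto-updating resolver picks up the new key in July 2017 while it is still introduced under the old key's signature, and the tampered RRset is rejected by both. `needs_manual_update` is the kind of inventory check an operator would run against each device's configured anchors before the October date.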
"Having both keys together lets ICANN work out any issues," Vixie says, noting that he doesn't expect there to be any problems. "The teams involved have thought carefully about this."
Spread the word
The hardest part of the rollover is getting the word out to the developers, administrators, and operators involved with DNSSec to be prepared to handle the update manually. Most of the organizations have been monitoring the upcoming change, and most systems are configured to obtain the new key once it's available. However, there is always the risk of older hardware that's not being actively maintained and won't receive the new public key on time, which can impact users relying on that equipment.