June 5, 2018

New DNSSEC key: is the world ready?

ENOG 15 on the timeline for launching the KSK 2017 key.

The second day of the ENOG 15 conference brought many interesting talks on the latest developments in internet technology, upcoming security protocols, new ways to tighten internet security, and much else.

The IT community also wanted to know when the DNSSEC key in the root zone will be changed, a question that is still open. Edward Lewis (ICANN) analyzed the reasons in his talk "Current state of the root zone DNSSEC key roll." The new key, KSK-2017, was supposed to replace KSK-2010 last year, but the rollover did not happen: it turned out that switching to the new key and retiring KSK-2010 could leave a quarter of all users worldwide, about 750 million people, unable to resolve domain names or use email.

According to the ICANN site, there are several reasons why operators have not yet deployed the new key. Some resolvers are misconfigured; in addition, another problem was discovered recently: a popular resolver program did not pick up the new key automatically as it was expected to.

Edward Lewis described a study whose results gave an entirely different picture from the one ICANN had hoped to see. Today ICANN is concentrating on helping operators configure their resolvers for the new key and test them on the ICANN testing platform. "Is the world ready for the new DNSSEC key?" Edward Lewis asked rhetorically, adding that the old KSK-2010 key will eventually be removed regardless.

At a recent meeting, ICANN's technical director and MSK-IX management discussed the need to replace the KSK used by DNSSEC. A year ago MSK-IX published recommendations for DNS resolver operators on updating the root-zone KSK trust anchor, and enabled on its own resolvers all the parameters needed for automatic KSK rotation in the root zone: the new KSK will be added to the trust anchor list of the MSK-IX resolvers according to the RFC 5011 rules. The upgrade is needed so that the DNSSEC extensions, which protect DNS data from tampering, continue to work normally.
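The readiness question in the talk comes down to one thing an operator can check locally: does the resolver's root trust anchor list contain KSK-2017 (key tag 20326), or only KSK-2010 (key tag 19036)? The script below is an added example, not code from MSK-IX, ICANN or any resolver project. It assumes the operator has dumped the resolver's configured root trust anchors as DS and/or DNSKEY records in presentation format (the shape BIND's managed-keys and Unbound's auto-trust-anchor-file produce), computes RFC 4034 key tags for DNSKEY entries, honours the RFC 5011 REVOKE flag, and reports which root KSKs are trusted. The two DS records are the ones ICANN publishes for the real root KSKs; the DNSKEY key material in the sample configuration is constructed and is not a real key.

```python
"""Check whether a resolver's root trust anchors include KSK-2017.

Added example (not MSK-IX, ICANN or resolver-project code). Key tags 19036
(KSK-2010) and 20326 (KSK-2017) are the real root KSK tags and the DS lines
in ROOT_DS_ANCHORS are the ones ICANN publishes; the DNSKEY public key in
SAMPLE_OLD_ONLY is constructed and not a real key.
"""
import base64
import hashlib
import struct

KSK_2010 = 19036
KSK_2017 = 20326
REVOKE_BIT = 0x0080  # RFC 5011 REVOKE flag in the DNSKEY flags field

# Published DS records for the two root KSKs (ICANN root-anchors).
ROOT_DS_ANCHORS = [
    ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
    ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
]

# Constructed trust anchor dump of a resolver that never learned KSK-2017:
# a single DNSKEY whose public key bytes are 03 01 00 01 AB CD EF 12 (fake).
SAMPLE_OLD_ONLY = [
    "; constructed sample, not a real resolver dump",
    ". 86400 IN DNSKEY 257 3 8 AwEAAavN7xI= ;{id = 41451 (ksk)}",
]


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner_wire: bytes, rdata: bytes) -> str:
    """SHA-256 DS digest (digest type 2) over owner name + DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()


def parse_anchor(line: str) -> dict:
    """Parse one root DS or DNSKEY presentation-format line into a record."""
    fields = line.split(";")[0].split()  # drop trailing ';...' comments
    if "DS" in fields:
        i = fields.index("DS")
        tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
        return {"type": "DS", "tag": tag, "alg": alg, "digest_type": dtype,
                "revoked": False, "digest": "".join(fields[i + 4:]).upper()}
    if "DNSKEY" in fields:
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        rdata = dnskey_rdata(flags, proto, alg, pubkey)
        # The root owner name "." is a single zero byte in wire form.
        return {"type": "DNSKEY", "tag": key_tag(rdata), "alg": alg,
                "digest_type": 2, "revoked": bool(flags & REVOKE_BIT),
                "digest": ds_digest(b"\x00", rdata)}
    raise ValueError("not a DS or DNSKEY record: " + line)


def assess_readiness(lines) -> dict:
    """Report which root KSKs the resolver trusts and whether it is ready."""
    records = [parse_anchor(ln) for ln in lines
               if ln.strip() and not ln.lstrip().startswith(";")]
    active = {r["tag"] for r in records if not r["revoked"]}
    revoked = sorted(r["tag"] for r in records if r["revoked"])
    return {
        "trusts_ksk_2017": KSK_2017 in active,
        "trusts_ksk_2010": KSK_2010 in active,
        "revoked": revoked,
        # Surviving the roll requires trusting the new key; trusting only
        # KSK-2010 is exactly the failure mode described above.
        "ready": KSK_2017 in active,
    }


if __name__ == "__main__":
    print("published anchors:", assess_readiness(ROOT_DS_ANCHORS))
    print("old-key-only resolver:", assess_readiness(SAMPLE_OLD_ONLY))
```

Run it against the real anchor dump of each resolver rather than the constructed sample; a result with `trusts_ksk_2010` true and `ready` false is the configuration the talk warned about, and the fix is to add the 20326 anchor (or let RFC 5011 automatic updates do so) before KSK-2010 is removed.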