
ICANN about to change Internet's master key

By Admire Moyo, ITWeb's news editor.
Johannesburg, 31 Aug 2017
ICANN CEO Göran Marby.

For the first time, the Internet Corporation for Assigned Names and Numbers (ICANN) is about to change the cryptographic keys that help secure the Internet's Domain Name System (DNS).

ICANN is a global non-profit organisation that is responsible for co-ordinating the maintenance and procedures of several databases related to the namespaces of the Internet, ensuring the network's stable and secure operation.

ICANN created the current key at a secure data centre in Virginia on 16 June 2010 and has not touched it since.

The organisation plans to perform a Root Zone Domain Name System Security Extensions (DNSSEC) key signing key (KSK) rollover as required in the Root Zone KSK operator DNSSEC practice statement.

It explains that the root zone KSK consists of a private key and a public key. The private component is securely stored by ICANN, but the public component is widely distributed and configured in a large number of devices, possibly numbering in the millions. The multi-step KSK rollover process involves generating a new cryptographic key pair and then distributing the new public key, says ICANN.

"It is critical that Internet service providers (ISPs) and network operators around the world make certain they are ready for this change as failure to do so can result in their users being unable to look up domain names and thus be unable to reach any site on the Internet," says David Conrad, ICANN's chief technology officer.

"Network operators should ensure they have up-to-date software, have enabled DNSSEC, and verified their systems can update their keys automatically or they have processes in place to manually update to the new key by 16:00 UTC on 11 October 2017."

ICANN says the changing, or "rolling", of the key is an important step in keeping the global DNS safe and secure. It is in line with commonly accepted operational practices that ensure important security infrastructure can support changing passwords if the need were to ever arise, it adds.

"We've launched a testing platform so network operators can make certain they are ready for the key roll well ahead of 11 October," says Conrad.

The testing platform can be accessed here. Internet users should contact their ISP or network operators to make certain they are ready for the key change.

ICANN has been working with technical partners such as the regional Internet registries, network operations groups, and domain name registries and registrars as well as others in the Internet ecosystem, such as the Internet Society and Internet trade associations, to make certain those around the world who may be impacted by the key roll are aware of the pending change.

ICANN CEO Göran Marby has sent correspondence to more than 170 government officials, including regulators and participants in ICANN's government advisory committee, asking that they make certain the network operators in their respective countries are aware and ready for the key change.
