KSK Key Roll Last Call
As highlighted in our recent news item, the root zone's KSK rollover is going ahead very soon, on 11 October 2018. The rollover involves ICANN changing the DNS's master key, known as the KSK ('key-signing key'). The KSK has an important function in DNSSEC, the extension to the DNS that makes it possible to securely translate domain names into IP addresses (and vice versa). However, the existing KSK has been in use since 2010 and now needs replacing. Any resolver that doesn't install the new KSK is liable to cause problems once the rollover has gone through.
The upcoming rollover is the first ever KSK rollover in the root zone, so tech-watchers are holding their breath. Originally, the rollover was going to happen a year ago, before being postponed amidst concerns about possible hitches. Since then, confidence in a smooth changeover has risen and ICANN has decided to push ahead with this important change to the DNS.
Last year's postponement decision was taken after research revealed that many DNSSEC-enabled validating resolvers didn't appear to have installed the new KSK, meaning that they were liable to malfunction after the rollover. With the rollover process on hold, a big push was made to raise awareness amongst the relevant resolver operators. The awareness campaign sought to explain the underlying issue and how to identify and prevent potential problems.
SIDN believes that DNSSEC is very important for the security of the internet. We have therefore been working hard to draw attention to the upcoming KSK change via social media and other channels. We've also been providing information directly to our registrars, the government and other stakeholders, and working with them to ensure that everything goes smoothly.
In addition, we've been making direct contact with Dutch ISPs who operate validating resolvers (see this graph on stats.sidnlabs.nl) to remind them that the rollover is getting close and to explain how it could affect them. Using ICANN's research data, we drew up several lists of resolvers that didn't seem to be configured for the change. We then got in touch with their operators to spell out the potential problems and help fix them.
Reassuringly, we found that most knew all about the upcoming rollover and were fully prepared. Where that wasn't the case, we provided the advice and practical assistance needed to head off potential problems. And, of course, we remain available in the period ahead to answer questions relating to the rollover.
SIDN Labs' contribution
At SIDN Labs too, we've been contributing on various fronts. First, together with our research partners in the Root Canary project, we developed a tool for sharp-focus monitoring of the KSK rollover process. Once the rollover's gone through, we'll publish a blog setting out the findings of our monitoring activities. The tool is also being used for TLD-level rollovers, including those for .se (Sweden) and .br (Brazil).
We additionally carried out internal checks to make sure that our own resolvers were ready for the switch and that the automatic rollover mechanism (RFC5011) was working properly in all cases. The checks took in various internally produced software products, which were using the old KSK. One of the products in question was the DNSSEC validation monitor: the tool that's used for daily scanning of all DNSSEC-enabled .nl domain names, so that registrars can be alerted to DNSSEC errors linked to their domain name portfolios. (The aggregated output from the validation monitor is available from our stats page.)
All things considered, we're very confident that the rollover will go well. Nevertheless, we'd like to give one last piece of advice to everyone who runs one or more DNSSEC-validating resolvers. Do double-check that each of your resolvers is ready for the KSK rollover!
In particular, make sure that your AS numbers and/or IP addresses aren't on the special list that ICANN keeps. It's a continuously updated list identifying all the resolvers that are suspected of not having installed the new KSK.
Finally, mark 11 October on the calendar as a date when you need to be on the lookout for DNS problems.
Then, together, we're sure to make the first ever root zone KSK rollover a resounding success.