ICANN, the organization that controls the root server of the internet, is replacing the DNSSEC root key. This is the first time the root key has been replaced, and it is being done to ensure that the DNSSEC infrastructure has the highest level of security.
Last year, despite an enormous amount of preparation, ICANN felt there was too much uncertainty to go ahead with the replacement of the DNSSEC root key on the planned date (11 October 2017). The replacement was therefore postponed at the last minute. Over the past months, ICANN, DNS vendors, developers and many others have worked hard to gain better insight into the potential consequences of a replacement. A number of potential issues were identified and fixed, and ICANN is therefore now ready to replace the DNSSEC root key.
The organisation has announced that the replacement will take place this Thursday, October 11th 2018, at 16:00 UTC. We are therefore republishing the guide we published last year below.
Below you can read a Q & A about the replacement of the DNSSEC root key.
Remember to give the name server the new key
To make sure that the replacement of the DNSSEC root key proceeds without problems, everyone who runs a recursive name server with DNSSEC validation enabled must make sure that the name server has the new key before October 11. If the name servers do not have the new key, some ordinary users may not have access to the internet.
Who is ICANN?
ICANN stands for Internet Corporation for Assigned Names and Numbers.
ICANN is a non-profit organization that owns the company IANA (Internet Assigned Numbers Authority). IANA’s mission is to manage the root server containing all top-level domain names in the world, such as .dk, .com and .org.
What is DNS and DNSSEC?
DNSSEC is a security extension to DNS.
DNS translates domain names into the internet's IP addresses via so-called name servers and thereby shows your computer the way to the website address that you have typed in your browser.
If you have DNSSEC enabled on your domain name, you give your users the opportunity to make sure that criminals have not hacked the way to your website, since it has been locked with a number of keys. In that way, DNSSEC can be a guarantee that your visitors are on the real website and not on a copy whose purpose is, for instance, to obtain access to private information.
Almost 2 percent of all .dk domain names are signed with DNSSEC.
What is the root key?
The root key, also called the root KSK, is the first of a number of cryptographic keys that your computer uses when it finds its way via DNS to websites that use DNSSEC.
Why is the root key replaced?
First, it is best practice to replace all cryptographic keys on a regular basis, because the more a key has been used, the easier it is to decode. Furthermore, it is important to test the procedure and the system in case there is at some point an urgent need to change one or more keys. That may, for instance, be the case if hackers succeed in decoding one or more of the keys that are in use.
When is the root key being replaced?
The new root key has already been created and was published in the root zone in July 2017. However, the old root key still works up to and including October 10, 2018. From October 11, 2018, only the new key will work.
What should I do?
Most users of the internet do not have to do anything.
However, if you run a recursive name server with DNSSEC validation, you must make sure that the name server has the new key before October 11, 2018. Most DNS software packages, such as Unbound and BIND, support the RFC 5011 standard, which makes sure that this happens automatically. ICANN has made a test system where you can test whether your system supports the automatic change. You can find it here: https://go.icann.org/KSKtest.
If the key is not being updated, please contact your software provider.
If you do not install the new key, it can ultimately mean that your customers will not have access to the internet.
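One way to check a trust anchor file for the new key, as an added example that is not part of the original guide or of any DNS software: it parses DNSKEY records in zone-file format, computes each key tag per RFC 4034 Appendix B, and reports whether the wanted KSK is present. The key tags 19036 (old root key) and 20326 (new root key) are not from this page, the function names are hypothetical, and the sample keys are constructed.

```python
import base64

# Key tags of the root KSKs (values not taken from this page).
OLD_ROOT_KSK_TAG = 19036  # KSK-2010
NEW_ROOT_KSK_TAG = 20326  # KSK-2017


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag over the DNSKEY RDATA, as defined in RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ksk_tags(anchor_text, owner="."):
    """Return the key tags of all KSKs (flags 257) held for `owner`."""
    tags = set()
    for line in anchor_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip zone-file comments
        if "DNSKEY" not in fields or fields[0] != owner:
            continue
        rr = fields[fields.index("DNSKEY") + 1:]
        if len(rr) < 4:
            continue  # malformed record, skip it
        flags, protocol, algorithm = (int(x) for x in rr[:3])
        public_key = base64.b64decode("".join(rr[3:]))
        if flags == 257:  # zone key with the SEP bit set, i.e. a KSK
            tags.add(key_tag(flags, protocol, algorithm, public_key))
    return tags


def rollover_ready(anchor_text, new_tag=NEW_ROOT_KSK_TAG):
    """True if the trust anchor file holds a KSK with the wanted key tag."""
    return new_tag in ksk_tags(anchor_text)


# Constructed sample with short made-up keys (NOT the real root keys).
SAMPLE = """\
; constructed trust anchor file
.  172800  IN  DNSKEY  257 3 8 AQID   ; made-up KSK
.  172800  IN  DNSKEY  256 3 8 BAUG   ; made-up ZSK, ignored
example. 3600 IN DNSKEY 257 3 8 BwgJ  ; other owner, ignored
"""

if __name__ == "__main__":
    print(sorted(ksk_tags(SAMPLE)), rollover_ready(SAMPLE))
```

Under RFC 5011 a newly observed key only becomes trusted after a hold-down period, so the presence of the key in a managed key file does not by itself show that the resolver already validates with it.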
I have a .dk domain name.
Should I do anything at DK Hostmaster or at my hosting provider?