Akamai Diversity

Keeping up with DNSSEC

DNS was first conceived in 1983, back when one of the most memorable movie quotes of all time was popularized: "Go ahead, make my day" (Clint Eastwood in "Sudden Impact"). The internet as we know it today did not yet exist. ARPANET, its predecessor network, was the exclusive domain of a small group of academics and researchers, so no one gave much thought to security. A lot has changed.

DNS security became a highly visible issue in the summer of 2008 when Dan Kaminsky disclosed an especially effective attack that received worldwide attention. (Who would have thought DNS would be discussed on mainstream news programs?) DNSSEC had been around for a few years but not widely deployed. Everyone suddenly realized better authentication and data integrity features were needed to protect the DNS.

DNSSEC gained momentum as network operators and domain owners watched and learned from each other. In July 2010, the root zone was signed with DNSSEC. This was a pivotal moment because now the "chain of trust" could be maintained all the way to the top of the DNS hierarchy. No one could make excuses about obvious shortcomings in the deployment.

In May 2016, ICANN announced their intent to roll over the root zone Key Signing Key (KSK) used to establish the "chain-of-trust" required for validation. This is a "best practice" to ensure the integrity of the key. It's also another pivotal moment that requires attention from anyone who operates a validating resolver. ICANN has since executed on a detailed key rollover plan, and on October 11th, they'll start to use the new KSK for signing.

Maintaining an up-to-date root key is essential to ensuring DNSSEC-validating DNS resolvers continue to function following the rollover. Updating the key is not especially difficult; RFC 5011 was written years ago to automate the process and eliminate the operational burden associated with key rollover maintenance. Most systems can also be updated manually, but it requires more effort and introduces the possibility of errors, which can be especially devastating for root key updates since the entire DNS tree is impacted. ICANN has also created a web page that can be used to test whether your keys are updated and working properly (the link is below).
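As an added illustration of what RFC 5011 automates (a constructed model written for this page, not CacheServe code or ICANN material), the Python below keeps the trust-anchor states a validating resolver tracks: a new KSK that appears in a root DNSKEY RRset signed by an already trusted key sits in a 30-day hold-down before it becomes trusted, and the old KSK is dropped once it shows up self-signed with the REVOKE bit set. Key tags follow RFC 4034 Appendix B; the key bytes, tags and timestamps are constructed sample values, not the real root keys.

```python
from dataclasses import dataclass, field

HOLD_DOWN_SECS = 30 * 24 * 3600   # RFC 5011 add hold-down time (30 days)
REVOKE_FLAG = 0x0080              # RFC 5011 REVOKE bit in the DNSKEY flags field
KSK_FLAGS = 0x0101                # ZONE + SEP bits, as on the root KSK


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over wire-format DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey(flags: int, pubkey: bytes, alg: int = 8) -> bytes:
    """Build DNSKEY RDATA: flags(2) | protocol=3 | algorithm | public key."""
    return flags.to_bytes(2, "big") + bytes([3, alg]) + pubkey


def unrevoked_tag(rdata: bytes) -> int:
    """Setting REVOKE changes the key tag, so identify a key with the bit cleared."""
    flags = int.from_bytes(rdata[:2], "big") & ~REVOKE_FLAG
    return key_tag(flags.to_bytes(2, "big") + rdata[2:])


@dataclass
class TrustAnchorStore:
    state: dict = field(default_factory=dict)   # key tag -> state name
    added: dict = field(default_factory=dict)   # key tag -> time first seen

    def observe(self, now: int, rrset: list, signer_tags: set) -> None:
        """Process a root DNSKEY RRset fetched at `now`; `signer_tags` are the wire
        key tags whose RRSIGs validated over it (a revoked key signs with its new tag)."""
        for r in rrset:                          # self-signed REVOKE: never trust again
            if int.from_bytes(r[:2], "big") & REVOKE_FLAG and key_tag(r) in signer_tags:
                if self.state.get(unrevoked_tag(r)) == "Valid":
                    self.state[unrevoked_tag(r)] = "Revoked"
        if not any(self.state.get(t) == "Valid" for t in signer_tags):
            return                               # no trusted anchor signed it: ignore
        seen = set()
        for r in rrset:
            if int.from_bytes(r[:2], "big") & REVOKE_FLAG:
                continue
            tag = key_tag(r); seen.add(tag)
            if tag not in self.state:            # Start -> AddPend, hold-down starts
                self.state[tag], self.added[tag] = "AddPend", now
            elif self.state[tag] == "AddPend" and now - self.added[tag] >= HOLD_DOWN_SECS:
                self.state[tag] = "Valid"        # hold-down elapsed -> Valid
        for tag in [t for t, s in self.state.items() if s == "AddPend" and t not in seen]:
            del self.state[tag], self.added[tag]  # pending key vanished: restart later
```

A resolver that is offline for longer than the hold-down, or that never sees the RRset signed by a key it already trusts, never promotes the new key; that is the failure mode the manual update path and the ICANN test page exist to catch.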

To learn more about DNSSEC and the key rollover, Nominum, now part of Akamai, recently hosted an educational webinar, which can be found here. The webinar also gives Nominum customers who are doing DNSSEC validation additional information to ensure their validating resolvers continue to operate smoothly. RFC 5011 is supported in CacheServe, and there are commands to update the key manually, although automated updates are the preferred approach.

ICANN also posted numerous documents covering their key rollover plans and providing guidance for the community:
https://www.icann.org/resources/pages/ksk-rollover
https://go.icann.org/KSKtest
https://www.icann.org/en/system/files/files/ksk-rollover-operational-implementation-plan-22jul16-en.pdf
https://www.icann.org/en/system/files/files/ksk-rollover-quick-guide-prepare-systems-03apr17-en.pdf
