The Internet Corporation for Assigned Names and Numbers is moving -- carefully -- to upgrade the DNS root zone key by which all domains can be authenticated under the DNS Security Extensions protocol.
ICANN is the organization responsible for managing the Domain Name System, and DNS Security Extensions (DNSSEC) authenticates DNS responses, preventing man-in-the-middle attacks in which the attacker hijacks legitimate domain resolution requests and replaces them with fraudulent domain addresses.
DNSSEC still relies on the original DNS root zone key generated in 2010. That original 2048-bit RSA key is scheduled to be replaced with a new 2048-bit RSA key next October. Although experts are split over the effectiveness of DNSSEC, the update of the current root zone key signing key (KSK) is long overdue.
"ICANN is planning to roll, or change, the 'top' pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol, commonly known as the Root Zone KSK. This will be the first time the KSK has been changed since it was initially generated in 2010," ICANN wrote earlier this year. "Changing these DNSSEC keys is an important security step, in much the same way that regularly changing passwords is considered a prudent practice by any internet user."
ICANN will securely store the private key component of the KSK, while the public key is intended to be widely distributed and configured "in a large number of devices, possibly numbering in the millions. The multistep KSK rollover process basically involves generating a new cryptographic key pair and then distributing the new public key," ICANN wrote. "Internet service providers, enterprise network operators and others performing DNSSEC validation must ensure their systems are updated with the public part of the new KSK in order to assure trouble-free internet access for their users."
The process of updating the root zone KSK began in December 2014, when ICANN asked for volunteers from the global technical community to participate in the development of the Root Zone KSK Rollover Plan; the first step in the plan is scheduled for October, when the new KSK will be generated. Other important dates in the rollover schedule include publication of the new KSK on the Internet Assigned Numbers Authority (IANA) website in February 2017 and publication of the new KSK in DNS, set for July 2017. The actual rollover event, which will occur when the new KSK is first used to sign domains, is scheduled for October 2017, followed by revocation of the old KSK (January 2018) and the secure destruction of the old KSK, set for March 2018.
How effective is DNSSEC?
One of the sticking points in moving to support DNSSEC is the question of effectiveness -- and the question of how to increase acceptance of the protocol, which is also seen as key to effectiveness. According to ICANN's best guess, approximately 750 million internet users, or one in four, are using DNSSEC-validating DNS resolvers. However, the actual impact DNSSEC is having is difficult to gauge.
"DNSSEC was created to help protect against individuals changing DNS data during transit in order to hijack connections," said Ryan Linn, director of advanced threats and countermeasures and director of security North America, at Nuix, a cybersecurity firm based in Sydney, Australia. "In theory, this was a great idea; unfortunately, in practice it has been a mess. Implementation isn't trivial, and with the basic implementation it may make an organization arguably less secure, as data may be exposed that would not normally be offered."
Linn pointed out that strategies to limit the data exposure "add even more complexity and aren't universally supported. DNSSEC may also make a target more interesting for being abused as part of a DDoS attack as the responses are much larger than typical responses, meaning using one of these systems as part of an attack will generate more traffic than someone who doesn't have DNSSEC implemented."
Bobby Kuzma, system engineer at vulnerability management vendor Core Security, said DNSSEC has potential but questioned its viability. "DNSSEC is an effective solution to a number of problems, including site forgery, man-in-the-middle attacks on web properties, and even email spoofing but its lack of support for deployment has rendered it somewhat irrelevant," Kuzma told SearchSecurity, though he warned "its enforcement as a standard required potentially breaking changes, and many domains still do not carry the necessary information for DNSSEC to be useful."
"There's a whole lot of 'known unknowns' here," said Paul Vixie, CEO at Farsight Security Inc., adding that DNSSEC's impact is literally immeasurable, "as in, we don't know how many DNS poisoning attacks would have been launched but which were rendered pointless by DNSSEC. Of course, on the flip side, we don't know how many attacks actually were launched, that succeeded because the domain wasn't signed or because the server performing the lookup wasn't checking signatures. Nor do we know how many attacks were launched, that were stopped in their tracks by DNSSEC."
Vixie believes DNSSEC, or something like it, will be important in the future. "For a variety of reasons, some of which are insider truths or very subtle or both," he said, "I think that DNSSEC will be relevant, and ought never be dismissed because it happens at the moment to not yet be relevant. Secure distributed applications are almost impossible to build unless you are Google-sized, today. If we want to add more such applications, or if we want to add real security to existing distributed applications -- such as email -- then we'll need DNSSEC, or we'll need something very much like DNSSEC that hasn't been thought of yet.
"I think DNSSEC will eventually become a contractual requirement for being a vendor to the U.S. government, and perhaps to the Fortune 500. That'll move the needle," Vixie added.
As with the effectiveness of DNSSEC, experts also disagreed over how much the change will affect end users.
"Regular users won't notice this migration at all," Vixie said. "ICANN and the technical community have spent a lot of time working on this process, testing it, planning on how to detect problems, and even planning for ways to back out of the change if something unforeseen happens. Note that regular users don't notice root name server DDoS attacks, either, because the system is so massively over-provisioned. On the internet, something is always breaking, or broken, somewhere -- but mostly nobody notices."
The change will not go unnoticed, though. Vixie said "sysadmins are likely to notice, if they've adopted DNSSEC signature checking. However, those sysadmins are self-selecting -- they love the cutting edge. They're not going to experience any outage from this migration, because by self-selection, they understand what's going on, and they're generally well-prepared for this change."
"Organizations who have deployed DNSSEC will need to update their keys in order to protect their records," Linn said. "If they do not, when the change happens, clients will be unable to access the DNS records of the organizations, effectively taking websites and other resources offline. Individuals won't have to do anything for this change, but they will potentially notice some disruption on some sites where organizations were initially proactive but have not maintained their DNSSEC configuration."
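The rollover process ICANN describes above (generate a new key pair, pre-publish the new public key, switch signing to it, revoke the old key) and the failure mode Linn describes (a validator that never installed the new public KSK stops validating once the new key signs) can be modelled in a short simulation. The following Python is an added example written for this page; it is not ICANN's code or anything from the article. It stands in tiny textbook-RSA keys built from constructed primes for the real 2048-bit root KSK and a simplified DNSKEY set for real DNSKEY and RRSIG records, and the validator's logic is reduced to "the DNSKEY set must verify under a configured trust anchor". The phases follow the schedule described in the article.

```python
"""Toy model of the DNSSEC root KSK rollover (added example, not ICANN's code).

Keys are textbook RSA over small constructed primes so the script runs
offline with the standard library only. The real root KSK is 2048-bit RSA
and the signed data is the root zone's DNSKEY RRset.
"""
import hashlib
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class KSK:
    name: str
    n: int
    e: int
    d: int            # private exponent: the part ICANN keeps offline
    revoked: bool = False

    @property
    def public(self):
        # The public part is what validators configure as a trust anchor.
        return (self.n, self.e)


def make_ksk(name, p, q, e=65537):
    """Generate a toy KSK from two constructed primes (p, q are assumptions)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return KSK(name, n, e, pow(e, -1, phi))


def digest_rrset(keys):
    """Hash the public DNSKEY set in canonical order; this is what the KSK signs."""
    canon = "|".join(f"{k.name}:{k.n}:{k.e}:{int(k.revoked)}"
                     for k in sorted(keys, key=lambda k: k.name))
    return int.from_bytes(hashlib.sha256(canon.encode()).digest(), "big")


def sign(ksk, keys):
    return pow(digest_rrset(keys) % ksk.n, ksk.d, ksk.n)


def verify(pub, keys, sig):
    n, e = pub
    return pow(sig, e, n) == digest_rrset(keys) % n


@dataclass
class Validator:
    name: str
    trust_anchors: set   # public KSKs this resolver trusts

    def validates(self, dnskey_rrset, rrsig):
        # Root validation succeeds only if the DNSKEY set's signature checks
        # out under at least one configured trust anchor.
        return any(verify(pub, dnskey_rrset, rrsig) for pub in self.trust_anchors)


def simulate_rollover():
    """Return (updated_ok, stale_ok) for each phase of the rollover."""
    old = make_ksk("KSK-2010", 1000003, 1000033)   # constructed primes
    new = make_ksk("KSK-2017", 1000037, 1000039)   # constructed primes
    updated = Validator("operator-who-updated", {old.public})
    stale = Validator("operator-who-did-not", {old.public})
    results = {}

    # Phase 1: only the old KSK is published and signs the DNSKEY set.
    rrset, sig = [old], sign(old, [old])
    results["before"] = (updated.validates(rrset, sig), stale.validates(rrset, sig))

    # Phase 2: pre-publication. The new public KSK appears in the DNSKEY set,
    # but the old KSK still signs. A diligent operator adds the new anchor now.
    rrset, sig = [old, new], sign(old, [old, new])
    updated.trust_anchors.add(new.public)
    results["prepublish"] = (updated.validates(rrset, sig), stale.validates(rrset, sig))

    # Phase 3: rollover. The new KSK signs; the stale resolver can no longer
    # validate the root, so every signed answer below it fails for its clients.
    sig = sign(new, rrset)
    results["rollover"] = (updated.validates(rrset, sig), stale.validates(rrset, sig))

    # Phase 4: the old KSK is marked revoked and later removed; only the new
    # anchor matters from here on.
    rrset = [replace(old, revoked=True), new]
    sig = sign(new, rrset)
    results["revoked"] = (updated.validates(rrset, sig), stale.validates(rrset, sig))
    return results


if __name__ == "__main__":
    for phase, (ok_updated, ok_stale) in simulate_rollover().items():
        print(f"{phase:>10}: updated={ok_updated} stale={ok_stale}")
```

The pre-publication window is the whole point of the schedule: it is the period in which a validating resolver can pick up the new public KSK while the old one still signs, so the switch in the third phase is invisible to anyone who acted in time. A resolver whose trust-anchor list is never refreshed behaves like `stale` above and fails closed once the old key stops signing.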