With the aim of making the Internet more secure and protecting it from hackers, the Internet Corporation for Assigned Names and Numbers (ICANN) is set to make a major key change to how the Internet works.
The company is planning to change the “top” pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol, commonly known as the Root Zone KSK (Key Signing Key), in October.
DNSSEC is highly recommended by ICANN to ensure the security of the domain name system and to prevent domain hijacking. “However, its implementation is on a voluntary basis. Therefore, only websites that have implemented DNSSEC can be considered completely safe from domain hijacking. ICANN is calling upon website operators to switch on DNSSEC and for Internet Service Providers (ISPs) and network operators to support DNSSEC and to be prepared for the KSK rollover,” according to Pierre Dandjinou, ICANN’s Vice President of Stakeholder Engagement for the Africa region.
ICANN has been notifying Internet service providers across the world of the October 11, 2017 deadline it has set, so that they can avoid possible Internet interruption. “Security is a key point in our Internet life and African countries need to scale up their efforts to effectively secure the Internet and ICT infrastructures. This will enable their citizens to take advantage of the various new services offered by the Internet,” Mr. Dandjinou said in a telephone interview with Ethiopian journalists this afternoon.
The change will be the first since the key was initially generated in 2010. ICANN’s awareness-raising campaign about the key change aims to ensure that network operators using DNSSEC-validating resolvers don’t get locked out.
“It is an important security step since if Internet Service Providers (ISPs) do not have this new key, the Internet will not work for them or their customers,” according to Mr. Dandjinou, who noted that ICANN has been officially communicating with all network providers in Africa, including the state-monopoly Ethio Telecom of Ethiopia.
Rolling the KSK means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, including: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root’s “trust anchor.”
The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet’s DNS.
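As an added illustration (not ICANN's code or tooling), the Python sketch below shows why a validating resolver that still holds only the old trust anchor stops validating once the new KSK signs the root key set, and why a revoked key can no longer serve as an anchor. The key material, the helper names and the three phases are constructed for this example; the check is structural only and verifies no signatures.

```python
import base64
from dataclasses import dataclass

REVOKE = 0x0080  # RFC 5011 REVOKE flag bit
SEP = 0x0001     # RFC 4034 Secure Entry Point bit: marks a KSK

@dataclass(frozen=True)
class DnsKey:
    tag: int
    role: str  # "KSK", "ZSK" or "revoked"

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B, over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_dnskey(line: str) -> DnsKey:
    """Parse '<owner> <ttl> IN DNSKEY <flags> <proto> <alg> <base64 key>'."""
    f = line.split()
    at = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[at + 1:at + 4])
    key = base64.b64decode("".join(f[at + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
    role = "revoked" if flags & REVOKE else "KSK" if flags & SEP else "ZSK"
    return DnsKey(key_tag(rdata), role)

def chain_ok(keyset, signer_tags, anchor_tags) -> bool:
    """Structural check only (no signature verification): some configured
    anchor must be a non-revoked KSK in the set that also signed the set."""
    return any(k.role == "KSK" and k.tag in anchor_tags and k.tag in signer_tags
               for k in keyset)

def record(flags: int, key: bytes) -> str:
    """Build a constructed root DNSKEY line (protocol 3, algorithm 8)."""
    return f". 172800 IN DNSKEY {flags} 3 8 {base64.b64encode(key).decode()}"

# Constructed key material, not the real root keys.
OLD, NEW, ZSK = b"constructed-old-ksk", b"constructed-new-ksk", b"constructed-zsk"
old, new, zsk = (parse_dnskey(record(fl, k)) for fl, k in ((257, OLD), (257, NEW), (256, ZSK)))
old_revoked = parse_dnskey(record(257 | REVOKE, OLD))  # REVOKE bit shifts the key tag

if __name__ == "__main__":
    stale, updated = {old.tag}, {old.tag, new.tag}  # resolver trust-anchor sets
    phases = [("new KSK published, old signs", [old, new, zsk], {old.tag}),
              ("new KSK signs (rollover)", [old, new, zsk], {new.tag}),
              ("old KSK revoked", [old_revoked, new, zsk], {old_revoked.tag, new.tag})]
    for name, keys, signers in phases:
        print(name, chain_ok(keys, signers, stale), chain_ok(keys, signers, updated))
```

Run directly, it prints for each phase whether a resolver with only the old anchor and one with both anchors would still have a usable chain to the root key set.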
ICANN’s major planned operations in relation to the key change include the following:
- October 27, 2016: KSK rollover process begins as the new KSK is generated.
- July 11, 2017: Publication of new KSK in DNS.
- September 19, 2017: Size increase for DNSKEY response from root name servers.
- October 11, 2017: New KSK begins to sign the root zone key set (the actual rollover event).
- January 11, 2018: Revocation of old KSK.
- March 22, 2018: Last day the old KSK appears in the root zone.
- August 2018: Old key is deleted from equipment in both ICANN Key Management Facilities.
ICANN is headquartered in the United States; its mission is to help ensure a stable, secure and unified global Internet.