Root KSK Rollover on 11 October after all

08.10.2018
An important DNS security update is planned for 11 October. End users should not be affected. But what exactly does it mean?

DNS Root Zone and KSK keys

Let's start at the beginning: it's all about the Domain Name System, or DNS. This is best compared with a huge table in which domain names are linked to the IP addresses of the servers on which the websites they refer to are physically hosted. Super handy, because this way you don't have to remember the IP address of a website; you can simply enter the domain name. And extra handy since the introduction of the new IPv6 protocol, whose addresses are 128 bits long and look like this: 2001:db8:0:1234:0:567:8:1. Not the easiest thing to remember, don't you agree?

The DNS root zone is, in other words, very important. To prevent DNS data from being tampered with while in transit on the network, a special extension was developed about ten years ago: DNSSEC (Domain Name System Security Extensions).

This is to prevent someone from intercepting traffic to yourbank.be, for example, and diverting all of it in order to carry out fraudulent transactions with your bank account.

DNSSEC works with a two-key security system: Zone Signing Keys (ZSK) and Key Signing Keys (KSK). Whereas the ZSK changes every three months, the KSK dates back to 2010. In other words, it was in urgent need of an update. This update is planned for 11 October 2018 and is known as the KSK Rollover.
 

DNS Resolvers and DNSSEC

On the one hand you have the DNS root zone, and on the other hand the 'resolvers', i.e. the DNS client side on the servers of providers such as Telenet and Proximus. They look up the domain name in the DNS database and convert it into the accompanying IP address.

Validating DNS resolvers also check the DNSSEC signature, if DNSSEC was activated for the domain name. If a signature does not validate, this is considered an indication of a security problem, and the validating resolver sends an error message to the client.
Resolvers validate on the basis of so-called 'trust anchors': copies of the keys that correspond with the KSK in the root zone. Usually they are set by the makers of the resolver software (which requires a new version), or updated automatically if the resolver software implements RFC 5011. As a last option they can also be changed manually.

And this is what has happened in a lot of validating resolvers in the meantime: when it was announced that the KSK 2017 would replace the KSK 2010, the providers in question carried out an update via RFC 5011, or received an automatic update from their software maker.

KSK Rollover

In principle, everything has been prepared for this extremely important operation, which will in fact take place entirely behind the scenes. Originally this operation was planned for 11 October 2017, but because it was feared that not enough people had adjusted their trust anchors, the operation was postponed for exactly one year. A recently introduced option of the DNS protocol allowed a resolver to tell the root servers which keys it had configured, and at that moment it seemed that not enough trust anchors were correctly set.

We worked hard to minimise the impact of the problem. That is why ICANN decided, based on the current data and estimated impact, to carry out the rollover. It will take place on 11 October 2018 at 6 p.m. Belgian time. The old and the new key will work side by side for 48 hours. After this time, only the KSK 2017 key will work.

In principle the end user should not be affected by this at all. The big Belgian providers don't work with DNSSEC validation, which means this rollover makes no difference for their users. Users of companies that run their own nameservers might be affected. If such a nameserver carries out DNSSEC validation, and its trust anchors were not updated, its users will not be able to visit any website that uses a DNSSEC-signed domain name, regardless of whether it is a .be or a .com. They really need to get cracking!
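For the operators mentioned above who run their own validating nameserver, the practical question is whether the trust-anchor file actually contains the KSK 2017. The script below is an added example, not code from the article or from ICANN: it reads DNSKEY trust-anchor lines in the zone-file format used by unbound's root.key and BIND's trust-anchors files, computes each key's RFC 4034 key tag, keeps only unrevoked root KSKs (SEP bit set, RFC 5011 REVOKE bit clear), and reports whether an expected key tag is present. The sample file and its 4-byte key are constructed; the expected tag 20326 for the KSK 2017 is taken from the published root trust-anchor data and is an assumption here, not a value from the article.

```python
import base64
import struct

# Constructed trust-anchor file in unbound/BIND zone-file style. The key
# material is made up (4 bytes) so the arithmetic is easy to follow; real
# root KSKs are 2048-bit RSA keys.
SAMPLE_ANCHORS = """\
; constructed trust-anchor file, not a real root.key
.       172800  IN  DNSKEY  257 3 8 AQIDBA==
.       172800  IN  DNSKEY  256 3 8 AQIDBA==
"""

# Assumed key tag of the KSK 2017 root trust anchor (from published
# root trust-anchor data, not from the article).
KSK_2017_TAG = 20326


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA in wire form."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskeys(text):
    """Yield (owner, flags, protocol, algorithm, pubkey) for each DNSKEY line."""
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        idx = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
        pubkey = base64.b64decode("".join(fields[idx + 4:]))
        yield fields[0], flags, proto, alg, pubkey


def audit_trust_anchors(text, expected_tag):
    """Return the tags of usable root KSKs and whether expected_tag is among them."""
    ksk_tags = []
    for owner, flags, proto, alg, pubkey in parse_dnskeys(text):
        is_ksk = bool(flags & 0x0001)      # SEP bit marks a Key Signing Key
        is_revoked = bool(flags & 0x0080)  # RFC 5011 REVOKE bit
        if owner == "." and is_ksk and not is_revoked:
            ksk_tags.append(key_tag(flags, proto, alg, pubkey))
    return {"ksk_tags": ksk_tags, "has_expected": expected_tag in ksk_tags}


if __name__ == "__main__":
    print(audit_trust_anchors(SAMPLE_ANCHORS, KSK_2017_TAG))
```

Run it against the real trust-anchor file of your resolver instead of SAMPLE_ANCHORS; a result with has_expected False means the resolver will fail validation once only the KSK 2017 signs the root zone.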
 

ICANN

The Internet Corporation for Assigned Names and Numbers, a non-profit organisation that is responsible worldwide for managing domain names.

server

A computer program or hardware device that provides services to other computer programs or users.

DNS

Domain Name System or Domain Name Server. The global DNS is the system and protocol used on the internet to translate domain names into IP addresses and vice versa. 

DNSSEC

(Domain Name System Security Extensions) is a security extension to the existing DNS protocol: it is designed to stop criminals from diverting internet users to forged websites.