Sysadmins told to update their software or risk killing the internet

The root zone's DNSSEC key signing key is changing for the first time

The world's internet providers and sysadmins, specifically anyone running a DNSSEC-validating resolver, need to make sure they are running up-to-date software and trust-anchor configuration, or they risk cutting their customers off from the internet in October, DNS overseer ICANN has warned.

Following a process that started back in May 2016, the cryptographic key at the top of the DNSSEC chain of trust, the root zone's key signing key (KSK), will be replaced for the first time since the root was signed in 2010.

Following the May 2016 test, the new key signing key (KSK) was published out of band in February, so that operators could add it to their resolvers' trust-anchor configuration ahead of time. The new key was then published in the DNS itself last month, as part of the root zone's DNSKEY record set, and it will be used to sign the root zone for the first time on October 11, 2017 at 1600 UTC. From that point, any validating resolver that does not trust the new key will fail to validate the root, and because every name's chain of trust starts there, it will return SERVFAIL for everything: its users will find themselves effectively cut off from the internet.

The rollover is not tied to a change in key size. The new KSK, like the one it replaces, is a 2048-bit RSA key; the zone signing key (ZSK) was separately lengthened from 1024 to 2048 bits in October 2016, and that change needed nothing from resolver operators. What matters this time is that a fresh public and private key pair has been generated for the KSK, so the trust anchor that validating resolvers have had configured since 2010 stops being the key that secures the internet's naming system.

In TLA nerd terms: the KSK signs the root zone's DNSKEY record set, which contains the ZSK; the ZSK is the key the root zone maintainer (RZM) uses to DNSSEC-sign everything else in the root zone. Validating resolvers configure only the KSK as their trust anchor, which is why a ZSK change passes unnoticed but a KSK change is the one they must act on.

Don't worry about it

Only internet infrastructure companies and network administrators who operate DNSSEC-validating resolvers need to concern themselves with the change; internet users will, or should, be oblivious, and resolvers that do not validate at all are unaffected.

It is not a difficult change either: so long as resolvers run reasonably recent software with automated trust anchor updates (RFC 5011) enabled, as BIND's managed-keys and Unbound's auto-trust-anchor-file do, the new key is picked up automatically from the root's DNSKEY record set after the 30-day hold-down period. Resolvers with a statically configured trust anchor, or with an anchor file shipped by an old software version that lists only the 2010 key, need the new key added by hand. The test in May 2016 was run to make sure there weren't any unexpected impacts and, thanks to the gradual rollout since then, internet engineers are confident that the whole thing will go without a hitch. But when you are talking about a global, decentralized network, you never know. Hence the warning.

What if someone is using outdated software, or insists on managing the KSK manually and fails to add the new one? In that case the resolver will be unable to validate the root's DNSKEY set once it is signed only by the new key, and since every validated answer depends on that set, it will fail every lookup, signed or unsigned alike: anyone at the other end of the connection won't be able to get to the websites they are trying to access. They could of course work around it by switching validation off or pointing at a different resolver, but that would be a lot of effort for absolutely no good reason.
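To make that failure mode concrete, here is a small Python simulation of how a validating resolver's set of root trust anchors evolves through the rollover, with and without RFC 5011 automated updates. It is an added example written for this page, not code from ICANN or from any resolver implementation. The key tags 19036 (KSK-2010) and 20326 (KSK-2017) are the real ones from IANA's root-anchors.xml; the observation dates, the January 2018 revocation step, and the simplified hold-down state machine (no separate Revoked holding state, no poll interval) are the example's own assumptions, and the DNSKEY sets it consumes are constructed rather than fetched from the DNS.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Key tags of the two real root KSKs, as listed in IANA's root-anchors.xml.
# Everything else in this file is a constructed model, not real DNS data.
KSK_2010 = 19036
KSK_2017 = 20326

KSK_FLAGS = 257      # ZONE (256) + SEP (1): how a key signing key is flagged
REVOKE = 0x0080      # RFC 5011 REVOKE bit in the DNSKEY flags field
ADD_HOLD_DOWN = timedelta(days=30)   # RFC 5011 section 2.4.1 minimum


@dataclass
class RootDnskeySet:
    """One observation of the root DNSKEY RRset: key tag -> flags, plus the key
    tags of the RRSIGs covering the set. Real data would come from
    `dig . DNSKEY +dnssec`; the instances built in simulate() are constructed."""
    seen: date
    keys: dict
    signed_by: set


@dataclass
class Resolver:
    """Minimal model of a validating resolver's root trust-anchor handling."""
    trusted: set                      # key tags currently accepted as trust anchors
    rfc5011: bool = True              # automated trust anchor updates on/off
    pending: dict = field(default_factory=dict)   # key tag -> date first seen

    def validates(self, rrset: RootDnskeySet) -> bool:
        """The DNSKEY RRset is good iff some RRSIG over it was made by a key we
        trust that is present in the set and not revoked."""
        return any(tag in rrset.keys and not rrset.keys[tag] & REVOKE
                   for tag in rrset.signed_by & self.trusted)

    def observe(self, rrset: RootDnskeySet) -> bool:
        """Process one observation. Returns True if the resolver can still
        validate the root, False if it would now answer SERVFAIL for everything
        (every chain of trust starts at this RRset)."""
        if not self.validates(rrset):
            return False
        if not self.rfc5011:
            return True     # static anchor: nothing changes until an admin edits it
        for tag, flags in rrset.keys.items():
            # A trusted key that appears with the REVOKE bit set and signs the
            # set with itself is dropped (simplified: RFC 5011 parks it in a
            # Revoked state first; the effect on validation is identical).
            if flags & REVOKE and tag in self.trusted and tag in rrset.signed_by:
                self.trusted.discard(tag)
            # A new, unrevoked SEP-flagged key in a validly signed set starts
            # the add hold-down; it becomes a trust anchor once seen for 30 days.
            elif flags & 1 and not flags & REVOKE and tag not in self.trusted:
                first = self.pending.setdefault(tag, rrset.seen)
                if rrset.seen - first >= ADD_HOLD_DOWN:
                    self.trusted.add(tag)
                    del self.pending[tag]
        # A pending key that vanishes from the set loses its timer.
        for tag in list(self.pending):
            if tag not in rrset.keys:
                del self.pending[tag]
        return True


def simulate(rfc5011: bool):
    """Run a resolver that starts out trusting only KSK-2010 through a constructed
    timeline modelled on the rollover schedule: new key published 11 July 2017,
    root signed only by it from 11 October 2017, old key revoked afterwards (the
    January 2018 revocation date is an assumption of this example). A real
    resolver polls far more often; four observation points are enough to show
    the hold-down timer doing its job. Returns (per-observation outcomes,
    final trust anchor set)."""
    both = {KSK_2010: KSK_FLAGS, KSK_2017: KSK_FLAGS}
    timeline = [
        RootDnskeySet(date(2017, 7, 11), dict(both), {KSK_2010}),
        RootDnskeySet(date(2017, 8, 11), dict(both), {KSK_2010}),
        RootDnskeySet(date(2017, 10, 11), dict(both), {KSK_2017}),
        RootDnskeySet(date(2018, 1, 11),
                      {KSK_2010: KSK_FLAGS | REVOKE, KSK_2017: KSK_FLAGS},
                      {KSK_2010, KSK_2017}),
    ]
    r = Resolver(trusted={KSK_2010}, rfc5011=rfc5011)
    return [r.observe(s) for s in timeline], r.trusted


if __name__ == "__main__":
    for mode in (True, False):
        outcomes, anchors = simulate(mode)
        print("RFC 5011 on:   " if mode else "static anchor: ",
              ["ok" if v else "SERVFAIL" for v in outcomes], sorted(anchors))
```

The resolver with RFC 5011 enabled accepts the new key after the hold-down, validates the October signing, and drops the old key on revocation; the one with a static anchor validates happily through September and then fails every lookup from 11 October on. The real-world counterpart of `observe` is what BIND's managed-keys and Unbound's auto-trust-anchor-file do on each poll; the real-world counterpart of the final check is confirming that key tag 20326 appears in your resolver's trust-anchor state before that date.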

All the big internet infrastructure companies are well aware of the issue and have been planning the switchover for months. But for any sysadmins, resolver operators, DNS software developers or others who install the root's trust anchor as part of their software or hardware and are nervous about the shift, ICANN has set up a KSK test site. And an information page.

There's even a hashtag – #KeyRoll – which has a worryingly or comfortingly low level of activity, depending on which way you look at things. ®


Biting the hand that feeds IT © 1998–2017