First DNS root key change completed with ‘minimal disruption’

Important insights gleaned from first-ever root key roll, says ICANN

On October 11, the Internet Corporation for Assigned Names and Numbers (ICANN) initiated a first for the world wide web, as the organization pushed ahead with its plans to change the cryptographic key that helps protect the internet’s address book – the domain name system (DNS).

During a meeting earlier this year, the ICANN board passed a resolution that would herald the first-ever change – or ‘roll’ – of the root zone Key Signing Key (KSK), which was put to use as a trust anchor for DNS Security Extensions (DNSSEC) in 2010.

KSK is a public-private key pair, where the public key is distributed across millions of systems around the globe. The private key is highly secured within ICANN’s system, with a backup distributed amongst seven keyholders.

The root key roll was initiated at 16:00 UTC last Thursday, and according to ICANN it was completed with “minimal disruption” to the global internet.

“After evaluation of the available data, there does not appear to be a significant number of internet end-users who have been persistently and negatively impacted by the changing of the key,” the Los Angeles-based non-profit said in an update yesterday.

“As expected, a small number of resolvers were not ready for the rollover. To the best of ICANN’s knowledge, those resolvers were able to fix their immediate DNSSEC problems and resume their DNS service quickly.”

Rollover week

Given that this was the first time the key had been changed, ICANN was on hand to initiate a reversal of the roll in the event of a “systemic failure”.

The roll was originally due to take place in September 2017, but was postponed after ICANN began analyzing some last-minute data involving the potential readiness of network operators.

Prior to the key change last week, the organization said some internet users might still be affected by any operators who had not ensured their resolvers were properly configured.

However, in lieu of any major mishaps, the rollover was deemed a success.

“This successful exercise of the infrastructure necessary to roll the root zone’s key has demonstrated it is possible to update the key globally,” said David Conrad, ICANN’s chief technology officer.

“It also provided important insights that will help us with future key rolls.”

ICANN said it will now proceed to the next step in the rollover process: revoking the old KSK. This will take place in the first quarter of 2019, and is not expected to affect any resolvers because the old KSK is no longer being used to sign the root zone.

The final steps of the process will remove the revoked keys from the trust anchors files and from the hardware security modules in ICANN’s secure facilities later in 2019.

“This is the first root key change, but it won’t be the last,” said Matt Larson, vice president of research at ICANN.