ICANN plans to change a fundamental part of the domain name system: the cryptographic keys of the root zone. What does this mean for you?
In about one month, the Internet Corporation for Assigned Names and Numbers (ICANN) plans to change a key feature of the web’s infrastructure. ICANN is a US-based non-profit organization responsible for different tasks related to the internet. They plan to create new cryptographic keys that encrypt DNS.
The Domain Name System (DNS) is “the phone book of the internet.” Behind each website are a domain name and an IP address. Dns makes sure that the two match up with each other. Without DNS, it would be easy for hackers to redirect web users to fake websites designed to steal your information.
“The domain name system was designed when the internet was a friendlier place, and there wasn’t much thought of security put into it.”
DNS cache poisoning and DNS spoofing are two ways that hackers can break this chain of trust. To protect people, most domains use DNS Security Extensions (DNSSEC). By using this, cryptographic keys make sure that the DNS data comes from the right place. ICANN first introduced DNSSEC in 2010 to protect the DNS root zone.
If something happens and the website and DNS don’t match, your browser gives you an error instead of taking you to the potentially malicious site. DNSSEC doesn’t encrypt data on the website itself. This is what other protocols like SSL and TLS are for. It just lets you know if the site you’re trying to visit is legitimate.
So what is the root zone? ICANN describes the root zone as the “top level of the directory service.” For example, when you visit www.google.com, your computer first queries the root zone directory where to find the information on .com. Then, it asks the .com directory service where to get information on google.com. Next, it asks the google.com directory service what the IP address is for google.com. Finally, your computer gets the full address and visits www.google.com. This whole process happens almost instantly.
A bunch of different crypto keys controls the process of DNSSEC authentication. The various organizations manage different parts of this system. For example, VeriSign Corporation operates the .com domain.
Each entity in this system has their own keys and must sign the key of the entity below it. For example, the root signs .com’s key, and .com signs google.com’s key. Not everyone uses DNSSEC, but many do. Comcast turned it on in 2012, and Google’s DNS service started supporting it in 2013. The key that the root holds is what ICANN wants to change: the Root Zone Signing Key.
“If you had this key, and were able to, for example, generate your own version of the root zone, you would be in the position to redirect a tremendous amount of traffic.”
In the same way that security experts recommend that you change your passwords every year or so, ICANN plans to make new keys for the same reason. It’s a standard security password. Andrew Sullivan, chair of the Internet Architecture Board, says “There is a logical possibility that somebody has cracked it and we don’t know.” He emphasizes though that there is no reason to believe the key has been compromised. It’s just a possibility.
Root Zone Signing Key
ICANN has very good security measures because it considers actors up to nation states as potential enemies. Four times a year, the people in charge of these keys meet up with the type of security usually reserved for nuclear launch codes. When put together, the keys create a master key, which controls one of the main security measures of the web: DNS. They meet twice on the east coast of the US and twice on the west coast, since 2010.
Another reason for the key change is to increase its size from 1024 bits to 2048 bits. This increases the difficulty of cracking the cryptography. Dan Kaminsky, a security researcher responsible for much of DNS security, said, “It’s important to get a larger key for the root, and I don’t want to see anything delay that.”
ICANN intends to make this change in a time of calm, instead of rushing to change it if a malicious actor compromised the key. So, this October in a Root KSK ceremony ICANN will generate a new cryptographic key pair. One-half of the pair is a private key; the other half is a public key. ISPs, hardware manufacturers, Linux developers and others need the public key as part of their work.
Then, in the first quarter of 2017 two employees will take a copy of the keys on a smartcard to a different facility on the west coast. Eventually, the organization will distribute the public key to other organizations. In total, the switch takes about two years. The new key will appear in the DNS on July 11, 2017. In October 2017, the new key will then be used for making signatures.
Web of Trust
Although most internet organizations are following this change, others may not know. There’s a chance that a piece of hardware, like a router, might miss the switch and need a manual update. The change also requires ICANN to be public and transparent about what they are doing. Sullivan goes on to say,
“Because the internet is a network of networks and it’s all voluntary, people have to believe they are getting some value out of this, otherwise they just won’t use it.”
In other words, organizations need to trust each other. Ultimately, most internet users won’t need to worry. The internet will go on as it has for decades now. ISPs, developers, and hardware/software manufacturers will make sure that your devices will automatically update. For older hardware, you might need to update it manually. Otherwise, you won’t need to do anything.