[SingCERT] Technical Advisory on DNSSEC Root Zone Key Signing Key Rollover

Published on 28 Sep 2018

Updated on 23 Oct 2019

Background

The Internet Corporation for Assigned Names and Numbers (ICANN) is planning to change the "top" pair of cryptographic keys used in the Domain Name System Security Extensions (DNSSEC) protocol, commonly known as the root zone Key Signing Key (KSK).

Domain Name System (DNS) is a naming system for the Internet. It translates readable domain names (e.g. icann.org) to information such as Internet Protocol (IP) addresses, and is an essential component of functionality on the Internet.

DNSSEC adds a layer of security to the DNS by digitally signing responses, while maintaining backward compatibility. Many DNSSEC-signed zones have two types of keys; Zone-Signing Keys (ZSKs) that sign the zone data, and KSKs that sign the ZSKs. In the context of the root zone, representatives from ICANN and the group “Trusted Community Representatives” oversee a key ceremony every quarter to sign a set of ZSKs used by Verisign to sign the root zone.

DNSSEC-validating resolvers are configured with the public portion of the KSK, known as the root zone “trust anchor”, which is used in the response validation process. The upcoming root zone KSK rollover will be the first time the KSK has changed since the current key was generated in 2010 and will necessitate an update of this “trust anchor” by resolver operators.

Impact

As every DNSSEC-enabled resolver depends on the root zone KSK to validate the responses from DNSSEC-signed zones, the rollover of these KSK keys is an important step. Failure to ensure that DNSSEC-validating resolvers have the new “trust anchor” may result in name resolution failures (typically “server failure” or SERVFAIL errors) at some point within 48 hours of the rollover on 11 October 2018. Resolver operators, such as Internet Service Providers (ISPs), that have enabled DNSSEC validation, will need to ensure that their systems have been updated with the new key, allowing users to validate against the new KSK. The Info-communications Media Development Authority (IMDA) is working closely with local ISPs to ensure that they are ready for this change.

The KSK rollover is not a single event, but rather a process that will take time. The upcoming milestones are on 11 October 2018 and 11 January 2019. The former is the date for the new KSK to be used for signing for the first time, while the latter is the proposed date for the old KSK to be revoked.

Recommendations

Resolver operators are encouraged to refer to the guide - What to Expect During the Root KSK Rollover. Resolver operators that have enabled DNSSEC should be aware that the KSK rollover is occurring. Systems can be updated at any time prior to the rollover by adding the new root zone KSK that was published on 11 July 2017.  If the resolver software supports automated updates of DNSSEC “trust anchors”, that is, the resolver has implemented the update RFC 5011, it is likely that no further action will be required.

However, operators may still wish to confirm their systems' ability to handle the automated change, for example, by verifying that the disk in which the “trust anchor” is stored is writable, by using ICANN's testing bed at https://icann.org/kskroll. Details on how to update popular DNSSEC-validating resolvers can be found at https://www.icann.org/dns-resolvers-updating-latest-trust-anchor.

If the resolver software does not support RFC 5011 automated updates of DNSSEC “trust anchors”, the “trust anchor” file must be updated manually. The official repository of the new root zone KSK can be accessed at https://data.iana.org/root-anchors/.

References

https://www.icann.org/en/system/files/files/ksk-rollover-quick-guide-prepare-systems-25apr18-en.pdf

https://www.icann.org/dns-resolvers-checking-current-trust-anchors

https://www.icann.org/dns-resolvers-updating-latest-trust-anchor


###


About CSA

The Cyber Security Agency of Singapore (CSA) provides dedicated and centralised oversight of national cybersecurity functions, and works with sector leads to protect Singapore’s critical services. It also engages with various industries, and stakeholders to heighten cybersecurity awareness as well as to ensure the holistic development of Singapore’s cybersecurity landscape.

About ICANN

ICANN’s mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you have to type an address - a name or a number - into your computer or other device. That address must be unique, so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation and a community with participants from all over the world.

About ISG-CERT

The Infocommunications Singapore Computer Emergency Response Team (ISG-CERT) was established in 1st April 2015 to provide IMDA with the capability to respond effectively to cyber threats within the Infocomm and Media sector in Singapore. ISG-CERT provides the following to the constituents of the local Infocomm and Media sector:

  • Sharing of information through the issuance of actionable intelligence and advisories/alerts
  • Promoting security awareness and enhance technical knowledge by conducting security courses, seminars and workshops
  • Performing incident management, computer forensic analysis and malware analysis
  • Coordinating with other CERTs and organisations to resolve security incidents