ICANN sets plan to reinforce internet DNS security
The ICANN Board at its meeting in Belgium this week, decided to proceed with its plans to change or "roll" the key for the DNS root on Oct. 11, 2018. It will mark the first time the key has been changed since it was first put in place in 2010.
During its meeting ICANN spelled out the driving forces behind the need for improved DNS security that the rollover will bring. For example, the continued evolution of Internet technologies and facilities, and deployment of IoT devices and increased capacity of networks all over the world, coupled with the unfortunate lack of sufficient security in those devices and networks, attackers have increasing power to cripple Internet infrastructure, ICANN stated.
“Specifically, the growth in attack capacity risks outstripping the ability of the root server operator community to expand defensive capacity. While it remains necessary to continue to expand defensive capacity in the near-term, the long-term outlook for the traditional approach appears bleak,” ICANN stated.
The KSK rollover means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, according to ICANN. Such resolvers run software that converts typical addresses like networkworld.com into IP network addresses.
Resolvers include: internet service providers, enterprise network administrators and other DNS resolver operators, DNS resolver software developers; system integrators, and hardware and software distributors who install or ship the root's "trust anchor," ICANN said.
ICANN noted that due to the lack of significant deployment of Domain Name System Security Extensions (DNSSEC validation), responses from the Root Server System remains at risk from integrity attacks.
Similarly, as a result of DNS messages assumed to be sent unencrypted, the users of the Root Server System (i.e., resolvers) are subject to confidentiality attacks. While these attacks are not necessarily new, the ever-increasing reliance on DNS and hence, the Root Server System, suggests a new strategy is needed to reduce the effect of these attacks, ICANN stated.
ICANN said it expects minimal user impact from the rollover but a small percentage of internet users could see problems in resolving domain names, which means they will have problems reaching their online destination.
For enterprise users, the move should have little impact. First of all, ICANN said more than 99% of users whose resolvers are validating will be unaffected by the KSK rollover. Enterprises should have already updated their software to do automatic key rollovers ("RFC 5011" rollovers) or manually installed the new key by now.
"There is no way of completely assuring that every network operator will have their 'resolvers' properly configured, yet if things go as anticipated, we expect the vast majority to have access to the root zone," ICANN Board Chair Cherine Chalaby said in a statement.
Research shows that there are many thousands of network operators that have enabled DNSSEC validation, and about a quarter of the internet's users rely on those operators, said David Conrad, ICANN's chief technology officer.
"It is almost certain there will be at least a few operators somewhere across the globe who won't be prepared, but even in the worst case, all they have to do to fix the problem is, turn off DNSSEC validation, install the new key, and reenable DNSSEC and their users will again have full connectivity to the DNS," he said.
The Root KSK Rollover from the 2010 KSK to the 2017 KSK version was supposed to take place almost a year ago but was delayed until Oct. 11 of this year because of potential Internet connectivity disruption concerns.
But ICANN said that after consulting with the community, they developed a new plan that recommends putting the new key into use exactly one year after originally scheduled. The organization has continued outreach and investigations on how to best mitigate risks associated with the key change.
"This is the first root key change, but it won't be the last," said Matt Larson, vice president of research at ICANN and the organization's point person for the key roll. "This is the first time, so naturally we are bending over backwards to make certain that everything goes as smoothly as possible, but as we do more key rollovers in the future, the network operators, ISPs, and others will become more accustomed to the practice."
Müəllif
Metbuat.az
Qaynar xətt
0552252950
Həmçinin oxu
Süni intellekt üçün internet “Bakcell”dən
en.ictnews.az
DİGƏR XƏBƏRLƏR
Daha çox »Top xəbərlər
Layihələr
Son xəbərlər
İran hərəkatı başladı - Trampdan açıqlama
Bu gün
·
01:52
Bu bürclər üçün şans qapıları açılır
Bu gün
·
01:15
Polad Həşimovun şəhadətə ucalmasından altı il ötür
Bu gün
·
00:12
İnsanlara güvənməyən ən şübhəçil 5 bürc
Bu gün
·
00:12
Azərbaycanda nə qədər ev ipotekadadır?
Dünən
·
23:55
D-8 Media Mükəmməllik Mərkəzinin strategiyası təqdim olundu
Dünən
·
23:53
Ən uzunömürlü 5 balıq: 200 ildən çox yaşayırlar
Dünən
·
23:52
ABŞ Hörmüzdə keçidlərin təhlükəsizliyini təmin edəcək - Tramp
Dünən
·
23:49
10 Avropa ölkəsi Antiballistik Raket Koalisiyası qurdu
Dünən
·
23:15
Bu tarixi sizin qədər bilən ikinci bir şəxs çətin ki, tapılsın - Prezidentdən Mirşahinə
Dünən
·
22:53
"Real"da Vinisiusun aqibəti bəlli oldu
Dünən
·
22:35
Peter Pelleqrini Azərbaycana rəsmi səfərə gəldi
Dünən
·
22:03
Pambıqdan yüngül planet kəşf edildi
Dünən
·
21:49
Bizim daxili risklərimiz yoxdur, bütün təhdidlər sərhədlərimizdən kənarda yaranır - İlham Əliyev
Dünən
·
21:16
Ərəblərdən ulduz futbolçuya təklif
Dünən
·
21:10