We can wait for upgrade to DNS security

5th October 2017

Brett Carr
DNS Engineering Lead

The design and deployment of DNSSEC has been down a rocky road over the last 15 years, and last week it took another sharp turn when ICANN made a surprise announcement: the scheduled roll of the root DNSSEC key (the root Key Signing Key, or KSK) would be postponed.

The original DNSSEC RFCs (4033, 4034, 4035) were first published in March 2005. From this point, deployment has been steady but slow; a major milestone was crossed when ICANN added DNSSEC data to the root of the DNS in July 2010.

Once the root was signed, a validating resolver could build a chain of trust from the root down to any domain whose own zone, and every zone above it, was also signed. Upon completion of the work, ICANN published a DNSSEC Practice Statement (as is common for DNSSEC operators) stating that the root KSK would be rolled to a new key every five years.

The other half of DNSSEC is validation in the resolvers run by service providers and enterprises. A validating resolver must be configured with a copy of the root key (its trust anchor) that matches the key published in the root zone; that anchor is the starting point from which every signature is checked on behalf of end users, so a resolver whose anchor no longer matches the root will fail to validate anything. When ICANN signed the root, many operators added the key to their configuration, and DNS software vendors started shipping the key in their software out of the box.

Another important standard in this story is RFC 5011, which specifies how a validating resolver can follow a roll of a trust anchor such as the root key automatically: the new key is published in the root DNSKEY set alongside the old one and signed by it, and a resolver that keeps seeing it there for a 30-day hold-down period adds it as a trust anchor. Without this standard, any change to the key would require every resolver operator to make a manual update, which would inevitably lead to failures.
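As an added illustration of the RFC 5011 mechanism (this is example code written for this page, not Nominet's or ICANN's, and the key names and the daily-polling timeline are constructed), the model below tracks the root DNSKEY set as a resolver would see it day by day and reports when a newly published KSK crosses the 30-day add hold-down. It also shows the two things that stop or undo trust: the new key dropping out of the set before the timer expires, which restarts the timer, and the old key being published with the REVOKE flag set, which removes it for good.

```python
"""RFC 5011 automated trust-anchor update, modelled for illustration.

Added example, not Nominet's or ICANN's code. Key names and the polling
timeline are constructed; the 30-day add hold-down and the REVOKE flag are
as specified in RFC 5011.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

ADD_HOLD_DOWN = timedelta(days=30)  # RFC 5011 section 2.4.1: add hold-down time
FLAG_SEP = 0x0001                    # RFC 4034: Secure Entry Point flag
FLAG_REVOKE = 0x0080                 # RFC 5011 section 2.1: REVOKE flag


@dataclass(frozen=True)
class DNSKEY:
    """One key in the root DNSKEY RRset. `name` stands in for the public key
    material: real resolvers compare the key bytes, because setting REVOKE
    changes the key's key tag."""
    name: str
    flags: int = 0x0100 | FLAG_SEP   # ZONE + SEP, i.e. a KSK
    self_signed: bool = True         # an RRSIG by this key over the RRset was seen


@dataclass
class TrustAnchors:
    trusted: set[str]
    pending_since: dict[str, date] = field(default_factory=dict)
    revoked: set[str] = field(default_factory=set)

    def observe(self, when: date, rrset: list[DNSKEY], signed_by: set[str]) -> None:
        """Process one fetch of the root DNSKEY RRset made on `when`."""
        # Section 2.2: the RRset only counts if a current trust anchor signed it.
        if not (signed_by & self.trusted):
            return
        present = {k.name for k in rrset}
        for key in rrset:
            if key.flags & FLAG_REVOKE:
                # Section 2.1: a trusted key published self-signed with REVOKE set
                # is removed permanently and may never be re-added.
                if key.name in self.trusted and key.self_signed:
                    self.trusted.discard(key.name)
                    self.revoked.add(key.name)
                continue
            if key.name in self.trusted or key.name in self.revoked:
                continue
            if not key.flags & FLAG_SEP:
                continue  # only SEP keys are candidates for trust anchors
            first_seen = self.pending_since.setdefault(key.name, when)
            if when - first_seen >= ADD_HOLD_DOWN:
                self.trusted.add(key.name)        # AddPend -> Valid
                del self.pending_since[key.name]
        # Section 2.4.1: a pending key that drops out of the RRset goes back to
        # Start, so its hold-down timer restarts the next time it appears.
        for name in [n for n in self.pending_since if n not in present]:
            del self.pending_since[name]


def simulate_roll(absent_days: frozenset[int] = frozenset()) -> dict:
    """Constructed timeline: the resolver fetches the root DNSKEY set daily from
    the day the new KSK is published. `absent_days` are day offsets on which the
    new key is missing from the set. Returns the day the new key became trusted
    and the anchor set after the old key is finally revoked."""
    old, new = DNSKEY("KSK-OLD"), DNSKEY("KSK-NEW")
    store = TrustAnchors(trusted={old.name})
    published = date(2017, 7, 11)  # constructed start date for the timeline
    trusted_on = None
    for offset in range(120):
        today = published + timedelta(days=offset)
        rrset = [old] if offset in absent_days else [old, new]
        store.observe(today, rrset, signed_by={old.name})
        if trusted_on is None and new.name in store.trusted:
            trusted_on = today
    # The old key is then published self-signed with REVOKE set.
    revoked_old = DNSKEY(old.name, flags=old.flags | FLAG_REVOKE)
    store.observe(published + timedelta(days=120), [revoked_old, new],
                  signed_by={old.name, new.name})
    return {"trusted_on": trusted_on, "trusted": set(store.trusted)}


if __name__ == "__main__":
    print(simulate_roll())                  # trusted 30 days after publication
    print(simulate_roll(frozenset({20})))   # one missing day restarts the timer
```

With uninterrupted daily observations the new key is trusted exactly 30 days after it first appears; if it is missing on day 20, the hold-down restarts and trust arrives 30 days after the key returns. A resolver that never saw the new key signed by an anchor it already held, for example because it was running with a stale trust anchor file, never reaches the Valid state at all.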

In 2015 ICANN began to talk in public forums about plans to roll the key, confirming that they would not be constrained by deadlines: they were not going to risk the security and stability of the internet just to hit a timescale. They then published a plan stating that the roll would be RFC 5011 compliant and started a programme of outreach to internet communities (with testing tools supplied) to raise awareness that the roll would complete in October 2017.

The final piece of the story so far is the publication of a new standard, RFC 8145, which specifies a method for a DNS resolver to report to the root servers which root keys it currently trusts (during a roll you would expect to see both the old and the new key). This standard was published in April 2017 and was deployed in popular resolver software soon after, immediately giving ICANN more data on the status of many resolvers on the internet.

This data showed that 4.93% of the resolvers reporting in had not picked up the new key and would have failed DNSSEC validation after the change in October. A figure below 5% may seem small, but there is no way of knowing how many actual users sit behind those resolvers, so the impact could be much higher than it initially appears; it was a risk ICANN didn't want to take. Nominet recognises the importance of security and stability to the global DNS system and fully supports ICANN's decision to delay the roll until the impact can be further assessed.
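To make the RFC 8145 signalling and the readiness count above concrete, here is an added example (not Nominet's or ICANN's code) that builds the two signals a resolver can send, the EDNS option of section 5.1 and the `_ta-` key-tag query name of section 5.2, and then classifies resolvers from root-server query logs the way a readiness figure is derived. The log lines are constructed, with documentation-range addresses; the key tags 19036 (KSK-2010, hex 4a5c) and 20326 (KSK-2017, hex 4f66) are the real root KSK key tags.

```python
"""RFC 8145 trust-anchor signalling: encoding the signals and counting readiness.

Added example, not Nominet's or ICANN's code. SAMPLE_LOG is constructed.
"""
import re
import struct
from collections import Counter

KSK_2010 = 19036          # key tag of the 2010 root KSK (hex 4a5c)
KSK_2017 = 20326          # key tag of the 2017 root KSK (hex 4f66)
EDNS_KEY_TAG_OPTION = 14  # RFC 8145 section 5.1, option code "edns-key-tag"


def edns_key_tag_option(key_tags) -> bytes:
    """RFC 8145 section 5.1: an EDNS option whose data is the trusted key tags
    as 16-bit values in network byte order (OPTION-CODE, OPTION-LENGTH, tags)."""
    tags = sorted(set(key_tags))
    return struct.pack(f"!HH{len(tags)}H", EDNS_KEY_TAG_OPTION, 2 * len(tags), *tags)


def key_tag_query_name(key_tags, trust_point: str = ".") -> str:
    """RFC 8145 section 5.2: a label "_ta-<hex>[-<hex>...]" prepended to the
    trust point's name and queried with QTYPE NULL. Tags are four lower-case
    hex digits in ascending order, as in the RFC's example "_ta-4a5c-4f66"."""
    label = "_ta-" + "-".join(f"{tag:04x}" for tag in sorted(set(key_tags)))
    return label + "." if trust_point == "." else f"{label}.{trust_point}"


def parse_key_tag_query(qname: str):
    """Inverse of key_tag_query_name for the root trust point: return the list
    of signalled key tags, or None if the name is not a key-tag signal."""
    name = qname.lower().rstrip(".")
    if not name.startswith("_ta-"):
        return None
    parts = name[4:].split("-")
    if not all(re.fullmatch(r"[0-9a-f]{4}", p) for p in parts):
        return None
    return [int(p, 16) for p in parts]


# Constructed root-server query log: timestamp, source address, QNAME, QTYPE.
SAMPLE_LOG = """\
2017-09-20T10:02:11Z 192.0.2.10 _ta-4a5c-4f66. NULL
2017-09-20T10:02:15Z 198.51.100.7 _ta-4a5c. NULL
2017-09-20T10:02:20Z 203.0.113.5 _ta-4a5c-4f66. NULL
2017-09-20T10:03:01Z 198.51.100.7 _ta-4a5c. NULL
2017-09-20T10:03:40Z 192.0.2.10 www.nominet.uk. A
2017-09-20T10:04:02Z 203.0.113.9 _ta-4f66. NULL
"""


def classify_resolvers(log_text: str) -> dict:
    """One verdict per source address, from the latest signal it sent:
    'ready' if it trusts KSK-2017, 'not ready' if it only trusts KSK-2010."""
    latest = {}
    for line in log_text.splitlines():
        _ts, src, qname, qtype = line.split()
        if qtype != "NULL":
            continue
        tags = parse_key_tag_query(qname)
        if tags is not None:
            latest[src] = tags  # a later signal supersedes an earlier one
    verdicts = {}
    for src, tags in latest.items():
        if KSK_2017 in tags:
            verdicts[src] = "ready"
        elif KSK_2010 in tags:
            verdicts[src] = "not ready"
        else:
            verdicts[src] = "unknown"
    return verdicts


def readiness_summary(verdicts: dict) -> dict:
    """Count verdicts and express the not-ready share as a percentage of
    signalling resolvers (not of users, which the signal cannot tell us)."""
    counts = Counter(verdicts.values())
    total = sum(counts.values())
    pct = round(100 * counts["not ready"] / total, 2) if total else 0.0
    return {"total": total, "not_ready_pct": pct, **counts}


if __name__ == "__main__":
    print(key_tag_query_name([KSK_2017, KSK_2010]))          # _ta-4a5c-4f66.
    print(edns_key_tag_option([KSK_2010, KSK_2017]).hex())    # 000e00044a5c4f66
    print(readiness_summary(classify_resolvers(SAMPLE_LOG)))
```

Two caveats apply when reading such a count, and both are behind the caution in the paragraph above: the signal counts resolvers, not the users behind them, and only resolvers running software that implements RFC 8145 send it at all, so a resolver that sends nothing is simply invisible rather than known to be ready.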

For our own part, Nominet’s DNS resolvers have been doing DNSSEC validation for a long period and we have been ready for the root zone key roll for over a year. Tests have been ongoing to ensure stability over the last six months and have shown no issues. As soon as ICANN presses the button, likely in Q1 2018, we will be ready.