Sysadmins told to update their software or risk killing the internet

The DNS signing keys are changing for the first time


The world's internet providers and sysadmins need to make sure they are running up-to-date software or they risk cutting their customers off from the internet in October, DNS overseer ICANN has warned.

Following a process that started back in May 2016, the cryptographic keys that secure the foundations of the domain name system will be updated for the first time.

Following the May 2016 test, in February a new key signing key (KSK) was created so people could add it to their software. That new key was then published in the DNS last month, and it will be used to sign the root zone for the first time on October 11, 2017 at 1600 UTC. At that point, anyone who doesn't use it will find themselves effectively cut off from the internet.

The change is a result of upgrading the zone signing key (ZSK) to a lengthier 2048-bit RSA key to provide greater security. It will now match the Key Signing Key (KSK) in length and both will be re-generated to create a new cryptographic public and private key pair for securing the internet's naming systems.

In TLA nerd terms: the KSK is used to sign the ZSK, which is used by the root zone maintainer (RZM) to DNSSEC-sign the root zone of the Internet's DNS.

Don't worry about it

Only internet infrastructure companies and network administrators need to concern themselves with the change, and internet users will – or should – be oblivious.

It is not a difficult change either: so long as people are using up-to-date software and have DNSSEC enabled, the keys will update automatically. The test in May 2016 was run to make sure there weren't any unexpected impacts and thanks to the gradual rollout since then, internet engineers are confident that the whole thing will go without a hitch. But when you are talking about a global, decentralized network, you never know. Hence the warning.

What if someone is using outdated software, or insists on making KSK changes manually and fails to do so? Well, in that case DNS resolvers will stop working, so anyone at the other end of the connection won't be able to get to the websites they are trying to access. They could of course figure out a way around it, but that would be a lot of effort for absolutely no good reason.
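The failure mode described above can be checked offline. This is an added example, not code from the article or from ICANN: it parses DNSKEY records, computes their key tags, and compares a resolver whose trust anchor was never updated with one that picked up the new KSK. The key material, the resulting tags and the function names are constructed for illustration.

```python
import base64
import struct

# Constructed sample: DNSKEY records in presentation format with short,
# made-up key material (NOT the real root keys).
ROOT_DNSKEYS = """\
. 172800 IN DNSKEY 257 3 8 AQABAAEC ; constructed outgoing KSK
. 172800 IN DNSKEY 257 3 8 AQABAAED ; constructed incoming KSK
. 172800 IN DNSKEY 256 3 8 AQABAAEF ; constructed ZSK
"""

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(text: str) -> list[dict]:
    """Parse DNSKEY lines; tolerate owner/TTL/class fields and split base64."""
    keys = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(f) for f in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
        # SEP bit (0x0001) marks a key signing key; 257 = zone key + SEP.
        keys.append({"tag": key_tag(rdata), "ksk": bool(flags & 0x0001)})
    return keys

def can_validate(dnskey_text: str, signer_tag: int, trust_anchors: set[int]) -> bool:
    """True if the KSK that signed the DNSKEY set is one the resolver trusts.

    Matching on key tag is a first-pass check only: tags are 16-bit checksums,
    not cryptographic identifiers, so a real validator also verifies the RRSIG.
    """
    ksk_tags = {k["tag"] for k in parse_dnskeys(dnskey_text) if k["ksk"]}
    return signer_tag in ksk_tags and signer_tag in trust_anchors

if __name__ == "__main__":
    old, new = [k["tag"] for k in parse_dnskeys(ROOT_DNSKEYS) if k["ksk"]]
    for name, anchors in (("manual, never updated", {old}), ("auto-updated", {old, new})):
        for phase, signer in (("before roll", old), ("after roll", new)):
            ok = can_validate(ROOT_DNSKEYS, signer, anchors)
            print(f"{name:22} {phase:12} {'validates' if ok else 'SERVFAIL'}")
```

The parser accepts the record layout that `dig . DNSKEY` prints, so the same functions can be pointed at a saved copy of real output and at the key tags in a resolver's trust-anchor configuration.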

All the big internet infrastructure companies are well aware of the issue and have been planning the switchover for months. But for any sysadmins, resolver operators, DNS software developers or others who install the root's trust anchor as part of their software or hardware and are nervous about the shift, ICANN has set up a KSK test site. And an information page.

There's even a hashtag – #KeyRoll – which has a worryingly or comfortingly low level of activity, depending on which way you look at things. ®
