Internet Corporation for Assigned Names and Numbers (ICANN) prepares to change the security settings of the Domain Name System (DNS). The first change of cryptographic keys, which are used to protect the DNS, is planned on October 11. ICANN warned in advance about the possibility of problems for a small percentage of Internet users. In particular, it concerns the resolution of domain names (transitions to sites).
A detailed description of the updating KSK (key signing key) process is presented in the manual issued by ICANN under the program for raising the awareness of users.
DNS Security (DNSSEC) application, in which the cryptographic key is applied, was developed in 2010. Its main task is to verify the compliance of the requested and provided site address (authentication of answers). In order to ensure the integrity and security of the DNS, the application is used by most large Internet providers. During 8 years, the key has not been compromised once, and the update of KSK is necessary for “cryptographic hygiene”.
Changing KSK involves updating DNSSEC configurations by DNS service providers. According to ICANN, the most of providers are ready to transit, so users should not be afraid of failures on the Internet.
“Maxnet” technical director Maxim Struchaev commented on the future change of KSK:
“Our subscribers will not be affected by the problems connected with updating the DNS security system. We are ready for the transition to a new KSK. We received a notification of mandatory DNSSEC validation from ICANN and prepared a DNS resolver to update the configuration.
There might be problems for subscribers who have started own DNS servers and have not made the necessary settings. For such users, we recommend to perform a check and update the configuration, if necessary.
The rest of the subscribers do not have to worry.”