A year ago, under the leadership of the Internet Corporation for Assigned Names and Numbers (ICANN), the internet naming community completed the first-ever rollover of the cryptographic key that plays a critical role in securing internet traffic worldwide. The ultimate success of that endeavor was due in large part to outreach efforts by ICANN and Verisign which, when coupled with the tireless efforts of the global internet measurement community, ensured that this significant event did not disrupt internet name resolution functions for billions of end users.
At the 2019 Internet Measurement Conference (IMC) in Amsterdam last month, naming community leaders, including two Verisign technologists, presented a thorough examination of the 2018 Domain Name System Security Extensions (DNSSEC) root zone Key Signing Key (KSK) Rollover. The multidisciplinary team’s work on the subject, Roll, Roll, Roll Your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover earned IMC’s Distinguished Paper Award.
DNSSEC uses digital signatures based on public-key cryptography to make internet communications more secure. DNS-based communications protected by DNSSEC are much harder to falsify, so DNSSEC has been instrumental in helping to prevent so-called “man-in-the-middle” attacks, which rely on spoofing DNS data.
Within any encryption protocol, it’s important to occasionally update cryptographic keys. In more discrete encryption environments, this process can be relatively simple, but in the case of DNSSEC, the sheer scale of the DNS – as well as the critical global importance of the DNS infrastructure and the tens of millions of globally distributed parties that rely on it – made this key rollover uniquely challenging.
Through Verisign’s role as the root zone maintainer and in operating two of the world’s 13 authoritative root servers, we were honored to play a part in the rollover process, and perhaps even more importantly, to play a role in the critical measurement, analysis and study that allowed the rollover to take place without disrupting the security, stability and availability of the global DNS.
Verisign and others in the DNS community continue to study the successes and unexpected effects of the rollover (some of which we discussed in a blog post published earlier this year), with the goal of applying these insights to future rollovers.
KSK rollover experts from Verisign joined with other leaders in the naming community to discuss their findings with the larger internet research community at IMC Amsterdam 2019. IMC is one of the world’s premier events focused on internet measurement. The Distinguished Paper Awards recognize important work in the area of internet measurement.
Roll, Roll, Roll Your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover provides an in-depth analysis of events occurring before, during and after the 2018 KSK rollover from multiple perspectives, to include that of root operators, resolver operators and end users. The paper’s authors, Moritz Müller, Matthew Thomas (Verisign), Duane Wessels (Verisign), Wes Hardaker, Taejoong Chung, Willem Toorop and Roland van Rijswijk-Deij, identified several key challenges that will require careful consideration during the next KSK rollover, including:
- the influence that end-user applications containing DNSSEC validation have on the volume of trust anchor signals;
- the need for more meaningful telemetry; and
- the complexities of trust anchor management, especially as it pertains to DNS resolver software that is shipped with pre-configured trust anchors.
Overall, the paper confirmed that both effective measurement and real-time observation were critical to the success of the 2018 KSK rollover and will be critical to any future efforts. The challenges encountered during the KSK rollover process would have been more difficult to surmount without the active engagement of the global internet measurement community and without trust anchor telemetry. Looking forward to future rollovers, the paper recommends adding extended error codes for DNSSEC failures, the introduction of a standby key and exploring out-of-band distribution of trust anchors via operating system updates.