posted by CoolHand on Monday October 08 2018, @12:19PM
from the what's-in-a-name? dept.

What you need to know about the first-ever DNSSEC root key rollover on October 11, 2018

DNSSEC is a system of digital signatures that prevents DNS spoofing. With DNSSEC, it does not matter where your DNS answers came from, since the DNS resolver or application can verify the DNSSEC signatures to ensure the DNS data has not been tampered with.

DNS is hierarchical, which means that the parent zone vouches for the cryptographic key used by its children via Delegation Signer (DS) records. At the top of the hierarchy stands the DNSSEC Root Key. This key was first deployed on July 15, 2010, and it is scheduled to be replaced with a fresh new key on October 11, 2018 at 16:00 UTC.

What do you need to know?

If all goes well, end users and operators will notice absolutely nothing. The DNS community coordinated with the Internet Engineering Task Force (IETF), Internet Corporation for Assigned Names and Numbers (ICANN), DNS vendors, operating system vendors and DNS operators to ensure this change will be as uneventful as possible.

But there might be a few old forgotten and unmaintained servers, virtual machines, or containers that will run into issues if these servers had enabled DNSSEC more than a year ago and were not updated since that time.

How do DNS software and DNS services pick up the new key?

They already have! Properly working software should already have picked up the new key. To update the DNSSEC Root Key, the process defined in RFC 5011 is used. It involves pre-publishing the new key, signed by the current key, and once a resolver has seen this new key for more than 30 days, trusting the new key as much as the current key.
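As an added illustration (not code from the article or from any DNS vendor), a simplified Python model of the RFC 5011 hold-down logic just described: a new key that appears in a DNSKEY RRset signed by a trusted anchor waits out a 30-day add hold-down before it becomes trusted, a key republished with the REVOKE bit set and signed by itself stops being trusted, and an RRset signed only by keys the store has never trusted is rejected, which is exactly what an unmaintained resolver that slept through the pre-publication period runs into. The key tags 19036 (2010 root KSK) and 20326 (2017 root KSK) are public values not taken from the article, the dates are constructed, and the RFC's Missing and Removed states are omitted for brevity.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ADD_HOLD_DOWN = timedelta(days=30)   # RFC 5011 add hold-down time
KSK_2010, KSK_2017 = 19036, 20326    # root KSK key tags (public values, not from the article)
EPOCH = datetime(2017, 7, 11)        # constructed reference date for the demo timeline

def day(n):
    """Constructed timeline helper: n days after EPOCH."""
    return EPOCH + timedelta(days=n)

@dataclass
class Anchor:
    key_tag: int
    state: str            # "AddPend", "Valid" or "Revoked" (Missing/Removed omitted)
    first_seen: datetime

class TrustAnchorStore:
    """Simplified RFC 5011 trust-anchor tracking for a single zone (the root)."""

    def __init__(self, configured_tag, now):
        # The statically configured anchor starts out fully trusted.
        self.anchors = {configured_tag: Anchor(configured_tag, "Valid", now)}

    def trusted_tags(self):
        return sorted(t for t, a in self.anchors.items() if a.state == "Valid")

    def observe(self, keys, signers, now):
        """Process one DNSKEY RRset. `keys` maps key tag -> REVOKE bit set?;
        `signers` is the set of key tags whose RRSIGs over the RRset verified.
        Returns False (and changes nothing) unless a trusted anchor signed it."""
        if not any(t in self.anchors and self.anchors[t].state == "Valid" for t in signers):
            return False
        for tag, revoked in keys.items():
            a = self.anchors.get(tag)
            if a is None:                       # new key: start the hold-down clock
                self.anchors[tag] = Anchor(tag, "AddPend", now)
            elif revoked and tag in signers and a.state == "Valid":
                a.state = "Revoked"             # self-signed with the REVOKE bit: stop trusting
            elif a.state == "AddPend" and now - a.first_seen >= ADD_HOLD_DOWN:
                a.state = "Valid"               # seen for the whole hold-down period
        for tag in list(self.anchors):
            if tag not in keys and self.anchors[tag].state == "AddPend":
                del self.anchors[tag]           # vanished during hold-down: forget it
        return True
```

A resolver whose store still holds only the 2010 key rejects an RRset signed solely by the 2017 key, so everything under the root fails validation until its trust anchor is updated by hand.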

[...]

Again, it is not expected that any DNS issues will happen. But if they do, it is recommended first to simply try restarting your DNS server. Then try to resolve something with DNSSEC, for example by using dig +dnssec dnskey . and if that works, you should be good, although you might want to keep monitoring the situation for a little while longer.

If you still see that DNS is not working properly you can temporarily switch to a public DNS operator. These DNS operators run DNSSEC-enabled public resolvers. You can switch to one of these services, or one of your preference, by configuring these public DNS services in /etc/resolv.conf. We don't endorse any of these in particular, but they are well-known public DNS providers that support DNSSEC and may be useful if you need a working DNS service quickly.

[...] To get the latest information published by ICANN, see their Rollover Resources Page. That page will be updated during the event in case of unexpected issues.

Submitted via IRC for Bytram

  • (Score: 0) by Anonymous Coward on Tuesday October 09 2018, @02:18AM (#746255)

    IT wouldn't allow it since it hasn't had any updates for more than a year, and is assumed to contain security flaws.
    The solution is to rewrite it so it has updates for the coming years and is allowed to operate.