
posted by CoolHand on Monday October 08 2018, @12:19PM
from the what's-in-a-name? dept.

What you need to know about the first-ever DNSSEC root key rollover on October 11, 2018

DNSSEC is a system of digital signatures that protects against DNS spoofing. With DNSSEC it does not matter where your DNS answers came from, since the DNS resolver or application can verify the DNSSEC signatures and reject DNS data that has been tampered with.

DNS is hierarchical, which means that the parent zone vouches for the cryptographic key used by each child zone via Delegation Signer (DS) records, which carry a hash of the child's key-signing key. At the top of the hierarchy stands the DNSSEC Root Key. This key was first deployed on July 15, 2010, and it is scheduled to be replaced with a fresh new key on October 11, 2018 at 16:00 UTC.

What do you need to know?

If all goes well, end users and operators will notice absolutely nothing. The DNS community coordinated with the Internet Engineering Task Force (IETF), Internet Corporation for Assigned Names and Numbers (ICANN), DNS vendors, operating system vendors and DNS operators to ensure this change will be as uneventful as possible.

But a few old, forgotten and unmaintained servers, virtual machines or containers may run into issues if they enabled DNSSEC validation more than a year ago and have not been updated since then.

How do DNS software and DNS services pick up the new key?

It already has! Properly working software should have already picked up this new key. To update the DNSSEC Root Key, the process defined in RFC 5011 is used: the new key is pre-published in the root zone's DNSKEY RRset, signed by the current key, and once a validating resolver has seen the new key continuously for more than 30 days (the add hold-down time) it trusts the new key as much as the current one.

[...]

Again, it is not expected that any DNS issues will happen. But if they do, it is recommended first to simply try restarting your DNS resolver. Then try to resolve something with DNSSEC, for example by using dig +dnssec dnskey . (a validating resolver sets the ad flag in the answer), and if that works, you should be good, although you might want to keep monitoring the situation for a little while longer.

If you still see that DNS is not working properly, you can temporarily switch to a public DNS operator. Several of these operators run DNSSEC-validating public resolvers; you can switch to one of them, or to one of your own preference, by listing it in /etc/resolv.conf. We don't endorse any of these in particular, but they are well-known public DNS providers that support DNSSEC and may be useful if you need a working DNS service quickly.

[...] To get the latest information published by ICANN, see their Rollover Resources Page. That page will be updated during the event in case of unexpected issues.
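The RFC 5011 mechanism the summary describes, and the key-tag arithmetic behind the DNSKEY records that dig +dnssec dnskey . prints, as an added example (not code from the original article or from any resolver). The keys, dates and the "which keys signed the RRset" inputs are constructed for illustration: they are not the real root keys, and RRSIG verification is modelled as a set of key tags rather than performed.

```python
"""
Added example (not from the original article): how a validating resolver
picks up a new root KSK under RFC 5011, and how the DNSKEY records printed
by `dig +dnssec dnskey .` map to key tags.  Keys, dates and the
"which keys signed the RRset" inputs are constructed; no real RRSIG
verification is done and these are not the real root keys.
"""
import base64
import struct
from datetime import datetime, timedelta, timezone

ADD_HOLD_DOWN = timedelta(days=30)  # RFC 5011 add hold-down time
SEP_FLAG = 0x0001                   # Secure Entry Point bit: the key is a KSK
REVOKE_FLAG = 0x0080                # RFC 5011 REVOKE bit


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_line(flags, algorithm, pubkey, owner=".", ttl=172800):
    """Format a DNSKEY the way dig prints it (the protocol field is always 3)."""
    return f"{owner} {ttl} IN DNSKEY {flags} 3 {algorithm} {base64.b64encode(pubkey).decode()}"


def parse_dnskey_line(line):
    """Parse '. 172800 IN DNSKEY 257 3 8 AwEAA...' (dig may split the base64)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, protocol, algorithm = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return {
        "flags": flags,
        "tag": key_tag(flags, protocol, algorithm, pubkey),
        # Setting REVOKE changes the tag, so a key is tracked by its unrevoked tag.
        "base_tag": key_tag(flags & ~REVOKE_FLAG, protocol, algorithm, pubkey),
    }


class TrustAnchors:
    """RFC 5011 trust-anchor state for one zone, keyed by unrevoked key tag.
    States: Valid (trusted), AddPend (seen, hold-down running), Revoked."""

    def __init__(self, initial_tags):
        self.state = {t: "Valid" for t in initial_tags}
        self.first_seen = {}

    def trusted(self):
        return frozenset(t for t, s in self.state.items() if s == "Valid")

    def observe(self, now, dnskey_lines, signed_by):
        """Process one DNSKEY RRset seen at `now`.  `signed_by` stands in for
        RRSIG validation: the key tags whose signature over the RRset verified.
        Returns the trusted tags after this observation."""
        keys = [parse_dnskey_line(line) for line in dnskey_lines]
        # RFC 5011 2.2: an RRset not signed by a currently trusted key is ignored.
        if not any(k["tag"] in signed_by and k["base_tag"] in self.trusted() for k in keys):
            return self.trusted()
        seen = set()
        for k in keys:
            if not k["flags"] & SEP_FLAG:
                continue  # ZSKs never become trust anchors
            tag = k["base_tag"]
            seen.add(tag)
            if k["flags"] & REVOKE_FLAG:
                if k["tag"] in signed_by:  # a revocation must be self-signed
                    self.state[tag] = "Revoked"
            elif tag not in self.state:
                self.state[tag] = "AddPend"
                self.first_seen[tag] = now
            elif self.state[tag] == "AddPend" and now - self.first_seen[tag] >= ADD_HOLD_DOWN:
                self.state[tag] = "Valid"
        # A pending key that drops out of the RRset restarts its hold-down.
        for tag in [t for t, s in self.state.items() if s == "AddPend" and t not in seen]:
            del self.state[tag], self.first_seen[tag]
        return self.trusted()


def rollover_demo():
    """Walk a constructed old KSK and new KSK through a rollover.
    Returns ({day: trusted tags}, old_tag, new_tag)."""
    old_pub, new_pub = b"\x01\x02\x03\x04", b"\x05\x06\x07\x08"  # constructed keys
    old = dnskey_line(257, 8, old_pub)
    new = dnskey_line(257, 8, new_pub)
    old_revoked = dnskey_line(257 | REVOKE_FLAG, 8, old_pub)
    old_tag = parse_dnskey_line(old)["tag"]
    new_tag = parse_dnskey_line(new)["tag"]
    old_rev_tag = parse_dnskey_line(old_revoked)["tag"]

    t0 = datetime(2017, 7, 11, tzinfo=timezone.utc)  # constructed start date
    ta = TrustAnchors({old_tag})
    out = {}
    # Pre-publication: the new key appears, signed only by the old one.
    out[1] = ta.observe(t0 + timedelta(days=1), [old, new], {old_tag})
    out[20] = ta.observe(t0 + timedelta(days=20), [old, new], {old_tag})
    # Hold-down expired: the new key is now a trust anchor in its own right.
    out[31] = ta.observe(t0 + timedelta(days=31), [old, new], {old_tag})
    # Old key revoked; the RRset is signed by the revoked old key and the new key.
    out[60] = ta.observe(t0 + timedelta(days=60), [old_revoked, new], {old_rev_tag, new_tag})
    return out, old_tag, new_tag
```

The point the walk-through makes is that the "how" is time-based: a resolver only trusts the new key after it has seen it, signed by the old one, across the whole hold-down window. A box that was switched off or ran from a stale static trust-anchor file during that window never reaches the Valid state and fails once the old key stops signing, which is exactly the "enabled DNSSEC more than a year ago and not updated since" case above. On a real resolver the same state lives in its managed-keys store (BIND's managed-keys.bind, Unbound's auto-trust-anchor-file, usually root.key), which is where to look after the rollover.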

Submitted via IRC for Bytram


Original Submission

  • (Score: 2) by JoeMerchant on Monday October 08 2018, @01:37PM (3 children)

    by JoeMerchant (3937) on Monday October 08 2018, @01:37PM (#745948)

    How do DNS software and DNS services pick up the new key?

    It already has!

    Not much of a how...

    --
    🌻🌻 [google.com]
    • (Score: 0) by Anonymous Coward on Monday October 08 2018, @01:44PM (2 children)

      by Anonymous Coward on Monday October 08 2018, @01:44PM (#745950)

      Can we trust this centralized authority?

      Also: How does this affect Tor, I2P, OpenNIC, and other services whose domain names are not and will not be dnssec secured?

      Furthermore, why aren't we using a blockchain system to provide provable encryption trails for each domain? It seems like that would be a far better way and would allow decentralization of the domain services, while also allowing better verification of authority than an arbitrary root key, which if compromised requires all other keys to be resigned. (With a blockchain, any single compromise would not be authoritative, allowing the system to continue functioning as intended until and unless multiple 'root' keys were compromised, allowing a majority vote to compromise the chain of trust for a particular set of records.)

      • (Score: 1) by Mike on Monday October 08 2018, @06:07PM

        by Mike (823) on Monday October 08 2018, @06:07PM (#746047)

        Can we trust this centralized authority?

        You can trust them as much as you could before DNSSEC. Now you can trust that the signed responses you get through DNS(SEC) are at least from that centralized chain of authority (with a number of caveats, there is no perfect security) as opposed to someone else.

        Also: How does this affect Tor, I2P, OpenNIC, and other services whose domain names are not and will not be dnssec secured?

        If they aren't using DNSSEC, then the DNSSEC root rollover won't affect them at all. :}

        Furthermore, why aren't we using a blockchain system to provide provable encryption trails for each domain? It seems like that would be a far better way and would allow decentralization of the domain services, while also allowing better verification of authority than an arbitrary root key, which if compromised requires all other keys to be resigned. (With a blockchain, any single compromise would not be authoritative, allowing the system to continue functioning as intended until and unless multiple 'root' keys were compromised, allowing a majority vote to compromise the chain of trust for a particular set of records.)

        Blockchains are an interesting idea (not sure how that might affect things like signatures size?) for DNS signatures. It may even be possible to use that as a different signature algorithm within the current DNSSEC protocol.

      • (Score: 5, Funny) by The Mighty Buzzard on Monday October 08 2018, @09:09PM

        by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday October 08 2018, @09:09PM (#746129) Homepage Journal

        ...why aren't we using a blockchain system to provide provable encryption trails for each domain?

        Blockchain is never the answer to any problem. No, really. Never. Any legitimate problem that can possibly be solved using a blockchain can be solved so much faster while using about 1/1000000th of the computing resources just by throat punching the first person to say the word "blockchain".

        --
        My rights don't end where your fear begins.
  • (Score: 0) by Anonymous Coward on Monday October 08 2018, @10:57PM (1 child)

    by Anonymous Coward on Monday October 08 2018, @10:57PM (#746191)

    DNS has worked just fine for decades... so why on earth do they think it needs to be rewritten in Ruby on Rails?

    • (Score: 0) by Anonymous Coward on Tuesday October 09 2018, @02:18AM

      by Anonymous Coward on Tuesday October 09 2018, @02:18AM (#746255)

      IT wouldn't allow it since it hasn't had any updates for more than a year, and assumed to contain security flaws.
      The solution is to rewrite it so it has updates for the coming years and be allowed to operate.
