Uncertainty Looms as ICANN Overhauls Domain Name Security


By Lien Hoang

If many websites start returning errors in October, the culprit may be a cryptographic key change that is part of global efforts to secure the domain name system.

The Internet Corporation for Assigned Names and Numbers, the nonprofit that coordinates the system, is planning to change the cryptographic key used to verify that the answers mapping domain names to their IP addresses are authentic and have not been tampered with.

But engineers worry there could be disruptions if internet service providers and other resolver operators have not loaded the new Key Signing Key (KSK), a component of the technology that secures the internet's domain name system, known as Domain Name System Security Extensions (DNSSEC).

“This is like changing all the engines in a jet plane while it’s in the air,” Jim Reid, a DNS consultant whose clients include the UK government, told Bloomberg BNA. “It’s never been done before.”

Just as users are told to change e-mail passwords periodically, the key is being rotated as a precaution; the signatures it anchors are what make it harder to hijack a domain lookup and point people to a scam website. The KSK, a pair of public and private keys whose private half signs the zone's set of public keys, will be changed as of Oct. 11, for the first time since the root zone was signed in 2010.

Nearly 90 percent of top-level domains worldwide, such as .com and .edu, are signed with DNSSEC, said Nguyen Trung Kien, vice chief of the technical department at Vietnam's internet registry, VNNIC. ICANN estimates that a quarter of people online, or 750 million people, reach websites through resolvers that validate these signatures.

The operator of a top-level domain uses its KSK to sign the domain's set of DNS keys, vouching that they are genuine. But resolvers only trust that key because the root zone, the top-level directory managed by ICANN, publishes a signed record delegating authority to it (a DS record, which is a hash of the TLD's KSK). The root zone in turn has its own KSK, the trust anchor that validating resolvers must hold in advance, because there is nothing above the root to vouch for it.

“It’s a chain of trust, and there are keys at each level,” said Rick Lamb, ICANN’s senior program manager for DNSSEC.

But he said if services that look up domain names don’t properly incorporate the root zone’s key when it is changed, one of two things could happen. The service could show a blank website to users. Or it could give up on validating the key altogether, and revert to the unsecured practice of returning web pages without confirming a middleman hasn’t tampered with them, Lamb said.
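The chain of trust described above, and the failure Lamb describes when a resolver still holds only the old root key, can be shown in a few dozen lines. The following is an added example, not ICANN's or any resolver's code: it implements the RFC 4034 key-tag computation and the SHA-256 DS digest (RFC 4509) over constructed sample keys (the byte strings are made up and far shorter than real RSA keys; only the arithmetic is real), and then models a simplified version of the apex check a validating resolver performs. The rollover sequence it assumes (new KSK published alongside the old, then the root's DNSKEY set signed by the new KSK alone) is a simplification of the real plan, and the hypothetical `chain_builds` function treats the signature itself as already verified.

```python
import hashlib
import struct

# Constructed sample key material for the walk-through. NOT the real root KSKs
# (real RSA public keys are a few hundred bytes); only the tag/digest math is real.
OLD_KSK_PUB = bytes(range(1, 17))
NEW_KSK_PUB = bytes(range(100, 116))
ZSK_PUB = bytes(range(50, 58))

KSK_FLAGS = 257   # zone key + Secure Entry Point (a key that DS records point at)
ZSK_FLAGS = 256   # zone key only
RSASHA256 = 8     # DNSSEC algorithm number for RSA/SHA-256


def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5):
    16-bit ones-complement-style sum over the RDATA, even bytes in the high octet."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire-format owner name. The root "." is a single zero byte."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()


def trust_anchor(owner, rdata):
    """What a resolver stores for a DS-form trust anchor: (key tag, algorithm, digest)."""
    return (key_tag(rdata), rdata[3], ds_sha256(owner, rdata))


def chain_builds(owner, dnskey_set, signer_tags, anchors):
    """Simplified apex check (hypothetical helper, not a real resolver's API):
    the DNSKEY RRset is trusted only if some key in it matches a configured
    anchor AND is among the keys whose RRSIG covers the set.
    Cryptographic signature verification is assumed to succeed here."""
    for rdata in dnskey_set:
        if key_tag(rdata) in signer_tags and trust_anchor(owner, rdata) in anchors:
            return True
    return False


def rollover_outcomes():
    """Walk the rollover with a resolver that never learned the new KSK versus one that did."""
    old = dnskey_rdata(KSK_FLAGS, RSASHA256, OLD_KSK_PUB)
    new = dnskey_rdata(KSK_FLAGS, RSASHA256, NEW_KSK_PUB)
    zsk = dnskey_rdata(ZSK_FLAGS, RSASHA256, ZSK_PUB)

    stale_anchors = {trust_anchor(".", old)}                          # only the 2010-style key
    fresh_anchors = {trust_anchor(".", old), trust_anchor(".", new)}  # new key added in time

    # Assumed sequence: both KSKs are published in the root DNSKEY set; before the
    # rollover the set is signed by the old KSK, afterwards by the new KSK only.
    published = [old, new, zsk]
    before_signers = {key_tag(old)}
    after_signers = {key_tag(new)}

    return {
        "stale_before": chain_builds(".", published, before_signers, stale_anchors),
        "stale_after": chain_builds(".", published, after_signers, stale_anchors),
        "fresh_after": chain_builds(".", published, after_signers, fresh_anchors),
    }


if __name__ == "__main__":
    for scenario, ok in rollover_outcomes().items():
        print(f"{scenario}: {'validates' if ok else 'SERVFAIL (no trusted signing key)'}")
```

The `stale_after` case is the outage Lamb describes: the resolver still answers, but every signed name fails validation, so it either returns an error to users or, if the operator disables validation in a panic, falls back to unvalidated answers. To check a real resolver, compare the key tags of the root's keys with flags 257 in `dig . DNSKEY +dnssec` against the anchors the resolver actually has loaded (BIND's `managed-keys` store, Unbound's `root.key`); resolvers that follow RFC 5011 pick the new KSK up automatically, but only if they have been running and able to reach the root during the publication period.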

Lamb said he hopes the internet community doesn’t get frustrated with the key change and give up on DNSSEC altogether if websites get disrupted. To minimize those disruptions, ICANN is on what it calls a roadshow to get people ready for the rollover.

Liana Teo, ICANN’s head of communications in Asia, told Bloomberg BNA that ICANN is trying to raise awareness. “It is an important area which is still not getting a lot of traction,” she said. “ISPs, enterprise network operators and others performing DNSSEC validation must ensure that their systems are updated in order to assure trouble-free internet access for their users.”

To contact the reporter on this story: Lien Hoang in Ho Chi Minh City at correspondents@bna.com

To contact the editor responsible for this story: Keith Perine at kperine@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
