By Lien Hoang
If many websites start displaying error pages in October, the culprit may be a cryptographic tool that’s part of global efforts to secure the domain name system.
The Internet Corporation for Assigned Names and Numbers, the nonprofit that coordinates the system, is planning to change the cryptographic keys that verify that domain names point to their actual IP addresses.
But engineers worry there could be disruptions if internet service providers and other operators don’t know about the new Key Signing Key (KSK), a component of the technology designed to secure the internet’s domain name system, known as Domain Name System Security Extensions (DNSSEC).
“This is like changing all the engines in a jet plane while it’s in the air,” Jim Reid, a DNS consultant whose clients include the UK government, told Bloomberg BNA. “It’s never been done before.”
Just as humans change e-mail passwords regularly, the new keys are supposed to make it more difficult to hijack a domain lookup and point people to a scam website. The KSK, a pair of public and private keys that creates a signature for a domain, will be changed as of Oct. 11, for the first time since its introduction in 2010.
Nearly 90 percent of top-level domains worldwide, such as .com and .edu, are signed using cryptographic keys under DNSSEC, said Nguyen Trung Kien, vice chief of the technical department at Vietnam’s internet registry, VNNIC. ICANN estimates that a quarter of people online, or 750 million people, are accessing websites through services that validate these keys.
An operator of a top-level domain can use a KSK to create a signature vouching for the domain’s legitimacy. But people only trust that operator because it has been delegated authority by the root zone, the top-level domain directory managed by ICANN. The root zone has its own key pair to verify its legitimacy.
“It’s a chain of trust, and there are keys at each level,” said Rick Lamb, ICANN’s senior program manager for DNSSEC.
But he said if services that look up domain names don’t properly incorporate the root zone’s key when it is changed, one of two things could happen. The service could show a blank website to users. Or it could give up on validating the key altogether, and revert to the unsecured practice of returning web pages without confirming a middleman hasn’t tampered with them, Lamb said.
Lamb said he hopes the internet community doesn’t get frustrated with the key change and give up on DNSSEC altogether if websites get disrupted. To minimize those disruptions, ICANN is on what it calls a roadshow to get people ready for the rollover.
Liana Teo, ICANN’s head of communications in Asia, told Bloomberg BNA that ICANN is trying to raise awareness. “It is an important area which is still not getting a lot of traction,” she said. “ISPs, enterprise network operators and others performing DNSSEC validation must ensure that their systems are updated in order to assure trouble-free internet access for their users.”
To contact the reporter on this story: Lien Hoang in Ho Chi Minh City at firstname.lastname@example.org
To contact the editor responsible for this story: Keith Perine at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.