This October a group of up to seven VIP cryptographic keyholders will meet in a windowless secure room in a building in El Segundo, California. Few beyond the retiring world of Internet engineering have heard of this group let alone understand the significance of what they get up to. With no fanfare and barely any publicity they have been meeting like this four times a year since 2010 in get-togethers that turn out to matter hugely to the security of the Internet’s Domain Name System (DNS).
Organised by Internet authority ICANN, the October meeting or ‘ceremony’ will be the most important yet. For the first time since it was adopted in 2010, the master key (called the Root Zone Key Signing Key or KSK) that lies at the heart of the Domain Name System Security Extensions (DNSSEC) system used to secure DNS queries will be changed or ‘rolled over’.
The event itself is a surprisingly manual if carefully-controlled process. Each one of the seven ‘crypto officers’ will use a physical key to access seven safe deposit boxes holding unique smart cards. After entering the ceremony room, each will insert their smartcard into a FIPS-140 Level 4 Hardware Security Module (HSM), basically a tamper proof appliance used to store the DNSSEC master key. As long as at least three smartcards are inserted in sequence, the process of generating the new master key will be initiated.
This is only the beginning. The same ceremony will be repeated at the secondary master key facility in early 2017 before being used in anger for the first time at a third get together in Q2. By October 2017, the DNS system will start using the key across the entire system.
Whether they yet realise it or not, anyone who manages or simply depends on DNSSEC to work – large communications providers, software and OS vendors but also smaller second-tier providers – will be affected by this sequence of ceremonies.
Once the Root KSK (actually a public-private key pair) is changed, the old one will stop working, with full implementation required by the October 2017 cut-off. Admins across the world will have to apply the same new key pair applied during the ceremony or DNS will eventually break with confusing and upsetting effects for their business customers downstream.
The chances of something going seriously wrong are small but ICANN and its partner root zone administrators Verisign and the US NTIA are naturally a bit nervous given that the key has never been changed in the history of DNSSEC which to many is still a relatively new and unfamiliar technology.
Why does DNSSEC matter?
DNS sounds simple at the surface level. When someone types an Internet domain name or clicks on a search result pointing to one, the nearest of a vast distributed network of DNS servers (usually inside an ISP) resolves the name to the numerical IP address that tells routers how to identify it from a billion other sites. It’s a superb system. People get to use simple domain names while computers get to use numbers.
What actually happens is a lot more complicated. For instance, typing Google.com causes the browser to query the root level directory service for the .com part of the address before being directed to a second directory to look for Google. It takes fractions of a second but only then is this resolved to the real IP address.
It’s a trust hierarchy that was brought into doubt in 2008 by researcher Dan Kaminsky who worked out how something called a cache poisoning attack could direct web users to rogue addresses that appeared to be the real ones without anyone knowing. Attackers achieving this would effectively have hijacked DNS.
DNSSEC was devised to head off this disastrous possibility by applying digital signatures able to verify the answers DNS sends back in response to a query. Because DNS functions as a complicated hierarchy of queries passed between different levels, this required a demanding design in which each level verifies the next. However, at the end of the line there must be an ultimate key and that is the Root Zone Key Signing Key or master key managed under the auspices of ICANN in conjunction with 12 other partners.
Looked at this way, it becomes easier to understand why changing can’t be left to one individual in one organisation. It’s the Internet’s equivalent of applying nuclear launch codes.
Over to ICANN
Techworld caught up with ICANN’s vice president of Research, Matt Larson, himself an industry veteran and global DNS expert to ask him the obvious question: why all this fuss over one root key?
“No cryptographic key should live forever. Ultimately, that’s the reason,” replies Larson with patient certainty. “This is a matter of cryptographic hygiene. If you wait too long people don’t realise that it’s not chiselled into stone.”
When DNSSEC started its life in 2010, there was an agreement that a good timescale for changing the KSK should be around five years. The time span has no significance so much as the fact everyone agreed that a time-dependant change would be sensible. That was written into ICANN’s contract.
“People don’t configure root servers. It’s done for them. It’s something they don’t have to think about.”
To simplify a complex problem, the challenge is that the hierarchy of DNS servers must be adjusted so they end up pointing at the same root key throughout what is termed the DNS System Key Resource Record set (RRset). This includes operators hosting DNS infrastructure but also the software vendors who write DNS software which all work to a key changing protocol called RFC 5011.
“There will be people who have to manually change it. There is no way to know which is why we have this outreach campaign,” says Larson. “If that person doesn’t know the ley has changed they will have DNS outage.”
Given that the master key has never been changed before, a second obvious issue is how ICANN and Larson will know that the new chain of trust is propagating correctly. ICANN has the advantage of managing one of the Internet’s famous 13 DNS root server clusters so can see a large portion of DNS traffic passing across the Internet.
“We are going to look for anomalies in that traffic. We’re hopeful that we can detect some problems when you look at the traffic,” replies Larson who is quick to emphasise that misconfigured DNSSEC won’t be as easy to spot as a smoking gun.
What ICANN’s outreach over the master key change describes is the procedural complexity of the Internet at a time when security has become paramount. Designed for redundancy, the Internet has had to learn about security as a series of retrofits. So far it’s holding up, at least as far as DNS is concerned but at the expense of a huge amount of hidden complexity few Internet users will ever be aware of.
Around 2022, the latest key will reach the end of its life and the call will go out for the druids of DNS to pay a visit to a room somewhere in the US for another ceremony. And so this process will go on into the future.