The Domain Name System Security Extensions (DNSSEC) is a set of extensions to DNS which provides DNS clients (resolvers) origin authentication for DNS data; the specifications are for securing certain kinds of information provided by the Domain Name System (DNS) on Internet Protocol (IP) networks.

While the Internet Corporation for Assigned Names and Numbers (ICANN) voted on the first ever change for the cryptographic key that helps protect the Domain Name System (DNS), in a bid to make the internet more secure.

The main driving force for the improvement in DNS security remains that the rollover will help in the continued evolvement of Internet technologies and deployment of IoT facilities.

Initial plan to roll the DNS root KSK was paused in 2017 due to unexpected error, specifically the data raised questions related to how ready validating resolvers were for the roll over that was scheduled to be implemented. ICANN analyzed the data and determined that there were indications that a relatively small percentage of resolvers were likely to be negatively impacted by the KSK rollover, but it also established that the data was unsuitable for determining the number of end users that would be impacted.

But the ICANN Board have now agreed to proceed with plans to roll over the key for the DNS root beginning on October 11, 2018, which change is remarkable as it will be the first successfully in place since 2010.

ICANN stated that minimal user impact from the rollover is expected, as a small percentage of internet users would see problems in resolving domain names, and so they will have problems reaching their destination websites.

The change, however should have little impact for enterprise users, since more than 99% of such users resolvers are validating and will not be affected by the KSK rollover; as most enterprises have their software set on automatic key rollovers or they've manually installed the new key already.

Though, there's no assurance that every network operator will have their 'resolvers' properly configured, yet it is expect that the vast majority have access to the root zone.

What's the impact of ICANN enforcement of DNS Security Extensions change?



The Domain Name System Security Extensions (DNSSEC) is a set of extensions to DNS which provides DNS clients (resolvers) origin authentication for DNS data; the specifications are for securing certain kinds of information provided by the Domain Name System (DNS) on Internet Protocol (IP) networks.

While the Internet Corporation for Assigned Names and Numbers (ICANN) voted on the first ever change for the cryptographic key that helps protect the Domain Name System (DNS), in a bid to make the internet more secure.

The main driving force for the improvement in DNS security remains that the rollover will help in the continued evolvement of Internet technologies and deployment of IoT facilities.

Initial plan to roll the DNS root KSK was paused in 2017 due to unexpected error, specifically the data raised questions related to how ready validating resolvers were for the roll over that was scheduled to be implemented. ICANN analyzed the data and determined that there were indications that a relatively small percentage of resolvers were likely to be negatively impacted by the KSK rollover, but it also established that the data was unsuitable for determining the number of end users that would be impacted.

But the ICANN Board have now agreed to proceed with plans to roll over the key for the DNS root beginning on October 11, 2018, which change is remarkable as it will be the first successfully in place since 2010.

ICANN stated that minimal user impact from the rollover is expected, as a small percentage of internet users would see problems in resolving domain names, and so they will have problems reaching their destination websites.

The change, however should have little impact for enterprise users, since more than 99% of such users resolvers are validating and will not be affected by the KSK rollover; as most enterprises have their software set on automatic key rollovers or they've manually installed the new key already.

Though, there's no assurance that every network operator will have their 'resolvers' properly configured, yet it is expect that the vast majority have access to the root zone.

No comments