The 2018 DNSSEC Rollover and What It Means For You (Part 1)

On October 11, 2018, ICANN (the Internet Corporation for Assigned Names and Numbers) carried out a piece of scheduled maintenance that, had it gone wrong, could have interrupted Internet access for users all over the world.

What did they do? ICANN rolled the root zone's key signing key (KSK), the key at the top of the DNSSEC chain of trust. Since that date the root zone has been signed with a new key, KSK-2017 (key tag 20326), instead of the original KSK-2010 (key tag 19036), which had been in use since the root zone was first signed on July 15, 2010. The change had been anticipated for some time, both because eight years is a long life for any cryptographic key and because, according to US-CERT, rotating the root KSK was an important step in protecting the security of the DNSSEC system as a whole. Use of DNSSEC is mandatory for U.S. federal agencies under OMB memorandum M-08-23.

What is DNSSEC? DNSSEC (the DNS Security Extensions) is a way to check the validity of DNS (Domain Name System) responses, the answers to the queries your computer or mobile device makes to find the IP (Internet Protocol) address of an Internet site. Without DNSSEC, an attacker who can inject or alter traffic can easily forge DNS replies that send you to a malicious site instead of the real one; cache poisoning is the classic example. With DNSSEC, the operator of a zone digitally signs its records, and a validating resolver checks each signature against a chain of public keys that begins with the root zone's KSK (the resolver's "trust anchor") and descends through each parent zone to the domain being looked up. What a valid signature proves is that the answer was published by the zone's signer and has not been altered in transit. DNSSEC does not encrypt queries, does not hide what you look up, and does not by itself authenticate the server you are talking to. For more information on DNSSEC basics, see this site:

https://www.internetsociety.org/deploy360/dnssec/basics/

How can you tell whether your network is employing DNSSEC? ICANN has created a web page with simple instructions for checking whether the DNS resolvers your network uses are validating DNSSEC with the latest root trust anchor:

https://www.icann.org/dns-resolvers-updating-latest-trust-anchor

For those less technically inclined, this web page uses a graphic at the top of the page to tell you whether or not your resolver is validating DNSSEC:

If you find out that your network is not using DNSSEC, you're far from alone. According to APNIC's measurements, fewer than 14% of Internet users are behind resolvers that validate DNSSEC, and only 3% of the Fortune 1000 have signed their own domains. Those figures describe the two halves of the protocol: a resolver validating the answers it receives, and a zone operator signing the records it publishes. The rollover concerned the first half. So if your resolver does not validate, the rollover did not affect you at all. If it does, the successful rollover means your Internet service was not interrupted, and your resolver (which now trusts the new root key) continues to verify that the answers it receives for signed domains are authentic and unmodified. Note the qualifier: validation protects you only for the minority of domains whose operators have signed them.
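ICANN's check boils down to one question: does the resolver your network uses trust the new root key? A validating resolver answers that question cryptographically, by comparing the DNSKEY records it fetches from the root servers against the DS-format trust anchor it has configured. The Python script below is added here as an illustration; it is not part of the original article or of ICANN's tooling. It computes the RFC 4034 key tag and the RFC 4509 SHA-256 digest of a DNSKEY record and checks both against IANA's published trust anchor for the key that began signing the root on October 11, 2018 (key tag 20326). The DNSKEY and DS values embedded in it are the public root records; the tampered record is constructed for the example.

```python
"""Check a root DNSKEY against a DS-format trust anchor.

Implements the key tag computation from RFC 4034 Appendix B and the SHA-256
DS digest from RFC 4509, which is how a validating resolver decides that the
DNSKEY it fetched from the root servers is the key its trust anchor names.
"""
import base64
import hashlib
import struct

# IANA's trust anchor for KSK-2017, the key that began signing the root zone
# on 11 October 2018. DS presentation format: key tag, algorithm
# (8 = RSASHA256), digest type (2 = SHA-256), digest.
ROOT_TRUST_ANCHOR_DS = (
    "20326 8 2 "
    "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"
)

# KSK-2017 as `dig . DNSKEY +short` prints it: flags 257 (zone key + SEP,
# i.e. a KSK), protocol 3, algorithm 8, base64 RSA public key.
ROOT_KSK_2017_DNSKEY = (
    "257 3 8 "
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4R"
    "gWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROx"
    "VQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3"
    "rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6"
    "H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM"
    "8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)

# Constructed negative case (not a real record): one base64 character of the
# key material changed, as a man-in-the-middle substituting a key would do.
TAMPERED_DNSKEY = ROOT_KSK_2017_DNSKEY.replace("yTn4Mfeh", "yTn4Mfei", 1)


def parse_dnskey(presentation: str) -> bytes:
    """Turn 'flags protocol algorithm base64...' into DNSKEY RDATA wire format."""
    flags, proto, alg, *key_b64 = presentation.split()
    header = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return header + base64.b64decode("".join(key_b64))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except legacy RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(rdata: bytes, owner_wire: bytes = b"\x00") -> str:
    """RFC 4509 digest: SHA-256 over the owner name in wire form followed by
    the DNSKEY RDATA. The root's owner name '.' is a single zero byte."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()


def matches_trust_anchor(dnskey: str, ds: str, owner_wire: bytes = b"\x00") -> bool:
    """True when this DNSKEY is the key a DS-format trust anchor points to."""
    tag, alg, digest_type, digest = ds.split()
    if int(digest_type) != 2:
        raise ValueError("only SHA-256 (digest type 2) DS records are handled here")
    rdata = parse_dnskey(dnskey)
    flags, algorithm = struct.unpack("!HxB", rdata[:4])
    return (
        bool(flags & 0x0001)          # SEP bit set: a KSK, not a ZSK
        and algorithm == int(alg)
        and key_tag(rdata) == int(tag)
        and ds_digest(rdata, owner_wire) == digest.upper()
    )


if __name__ == "__main__":
    import sys

    # Usage: dig . DNSKEY +short | python3 check_root_anchor.py
    # With nothing on stdin, the embedded KSK-2017 record is checked.
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    records = [line for line in data.splitlines() if line.strip()]
    for record in records or [ROOT_KSK_2017_DNSKEY]:
        rdata = parse_dnskey(record)
        verdict = ("MATCHES trust anchor"
                   if matches_trust_anchor(record, ROOT_TRUST_ANCHOR_DS)
                   else "does not match trust anchor")
        print(f"flags {record.split()[0]}  key tag {key_tag(rdata):5d}  {verdict}")
```

Pipe the output of `dig . DNSKEY +short` into the script to check the key set your resolver is actually serving; the ZSK lines (flags 256) are expected to report no match, since the trust anchor names only the KSK. A resolver whose trust anchor still named the 2010 key (key tag 19036) could not, after October 11th, validate the root DNSKEY set at all, because its signature was now made with a key that resolver did not trust, and it would have returned SERVFAIL for every signed name.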

What happens if ICANN botches the next root KSK rollover, or if your own resolver misses a trust anchor update? Most resolver software tracks the root key automatically (RFC 5011), which is why the 2018 rollover passed quietly for most networks, but a validating resolver left with a stale trust anchor returns SERVFAIL for every signed zone, which to users looks like the Internet is down. It's always good to have a back-up plan, and the Internet has many public DNS resolvers that are free for you to use and that validate DNSSEC themselves, so switching to one restores both service and validation. Bear in mind that whoever runs your resolver sees every name you look up, so the choice is also a matter of trust. Some of the better-known public resolvers are listed below.

IPv4        IPv6                   Vendor
1.1.1.1     2606:4700:4700::1111   Cloudflare
8.8.8.8     2001:4860:4860::8888   Google Public DNS
9.9.9.9     2620:fe::fe            Quad9
64.6.64.6   2620:74:1b::1:1        Verisign Public DNS
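Before switching resolvers it is worth confirming what your current one actually does, and a practitioner does that with two dig queries rather than a web page. The shell script below is added here as an example and is not from the original article. It queries a resolver for the root zone's own SOA record, which a validating resolver answers with the AD (authenticated data) flag set, and for dnssec-failed.org, a long-standing deliberately mis-signed test zone that a validating resolver must refuse with SERVFAIL. The two answers together separate three cases: the resolver validates, it does not validate, or its validation is broken (the symptom of a wrong or missing trust anchor after a KSK rollover). The classification logic and the sample dig headers are constructed for the example; the domain names and dig options are real.

```shell
#!/bin/sh
# Probe a recursive resolver for DNSSEC validation and tell a resolver that
# simply does not validate apart from one whose validation is broken.
#
# Usage: sh probe_resolver.sh 9.9.9.9      (needs dig, from BIND's dnsutils)
# With no argument, the classifier is exercised on constructed sample output.

GOOD_NAME="."                   # the root zone itself: signed since 2010
BOGUS_NAME="dnssec-failed.org"  # public test zone with deliberately bad signatures

# Pull the RCODE (e.g. "status: NOERROR") out of dig's ";;" header block.
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# True when the AD (authenticated data) flag is set in the response header.
# dig sets the DO bit with +dnssec, which is what entitles us to see AD.
dig_has_ad() {
  printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad( |;)'
}

# $1 = header block for the correctly signed query (root SOA)
# $2 = header block for the deliberately broken query (dnssec-failed.org)
classify_resolver() {
  good_rcode=$(dig_status "$1")
  bogus_rcode=$(dig_status "$2")
  if [ "$good_rcode" = "SERVFAIL" ]; then
    # Even valid, signed data is rejected: stale trust anchor after a
    # rollover, or the resolver is simply unreachable (see note below).
    echo "broken"
  elif [ "$bogus_rcode" = "SERVFAIL" ] && dig_has_ad "$1"; then
    echo "validating"
  elif [ "$bogus_rcode" = "NOERROR" ] && ! dig_has_ad "$1"; then
    # Bad signatures are handed to clients unchecked.
    echo "not-validating"
  else
    echo "inconclusive"
  fi
}

# Run both probes against the resolver at $1 and classify it.
probe_resolver() {
  good=$(dig @"$1" +dnssec +noall +comments "$GOOD_NAME" SOA)
  bogus=$(dig @"$1" +dnssec +noall +comments "$BOGUS_NAME" A)
  classify_resolver "$good" "$bogus"
}

# Constructed sample headers in dig's format (not captured from a real
# resolver) so the classifier can be exercised offline.
SAMPLE_VALIDATING_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_VALIDATING_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PLAIN_GOOD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PLAIN_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BROKEN_GOOD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4246
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ $# -gt 0 ]; then
  probe_resolver "$1"
else
  echo "sample validating resolver:     $(classify_resolver "$SAMPLE_VALIDATING_GOOD" "$SAMPLE_VALIDATING_BOGUS")"
  echo "sample non-validating resolver: $(classify_resolver "$SAMPLE_PLAIN_GOOD" "$SAMPLE_PLAIN_BOGUS")"
  echo "sample broken resolver:         $(classify_resolver "$SAMPLE_BROKEN_GOOD" "$SAMPLE_VALIDATING_BOGUS")"
fi
```

A "broken" verdict is also what an unreachable resolver produces, so when you see it, repeat the root query with `+cd` (checking disabled): if the answer now comes back, the resolver is up and its trust anchor is the problem, which is exactly the failure a botched rollover would cause; if it still fails, the resolver itself is down.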

Like most Internet security protocols, DNSSEC retrofits security onto a protocol that got the Internet working in its early days but never anticipated the high-trust applications its users would later adopt, such as e-commerce and health and safety systems. Understanding how these protocols work, and what they do and do not protect, is an important first step in designing and deploying your organization's security program. A follow-on article will examine how well DNSSEC addresses these security issues relative to real-world attacker techniques.

By Terry Bradley, CTO & Director of Cybersecurity Solutions at PLEX