Dyn had some great news from the Internet Engineering Task Force (IETF) in early February. Our Director of Architecture, Andrew Sullivan, has been re-appointed to the Internet Architecture Board (IAB) for another two-year term.
In addition, Dyn Principal Architect, Joe Abley, has been appointed to an ICANN design team tasked with providing expert input into the plan to change the current cryptographic keys used for DNSSEC in the DNS root zone.
The Internet Architecture Board is a committee of the Internet Engineering Task Force. As a member of the IAB, Andrew is part of a group charged with oversight of the technical and engineering development of the Internet, including aspects of the architecture for the protocols and procedures used by the Internet, and with oversight of the process used to create Internet Standards. Recent topics considered by the IAB have been the future of Internet addressing and network management.
You can learn more about the IAB at their website. It’s an important role that helps keep the Internet lights on, and Dyn is very happy to continue to support Andrew’s activities on the IAB.
Our pleasure at Andrew’s appointment was matched by the news about Joe Abley joining the ICANN design team charged with developing a plan to change the DNSSEC cryptographic keys used for the root zone of the DNS.
A little background: In July 2010, the global deployment of Domain Name System Security Extensions (DNSSEC) achieved an important milestone when ICANN hosted the first production DNSSEC key ceremony in a high-security data center outside of Washington, DC, followed by a later ceremony in another secure facility in California.
In lay terms, DNSSEC is a technology that’s been added to DNS to verify the authenticity of its data. The root zone is where DNS resolution starts, so it’s important that this critical resource used by everyone is secured. Since 2010, ceremonies generating cryptographic digital keys used to secure the Internet root zone have taken place four times a year.
However, there’s been debate in the Internet community about whether the current method is secure enough, since the same root “key signing key” (KSK), arguably the most important key in DNSSEC, has been used since 2010. There’s general agreement that the KSK should be changed periodically, for example to exercise the procedures involved in doing so and to provide future opportunities to take advantage of new cryptographic algorithms.
But what potential impact will a change of the root KSK, which is at the heart of DNSSEC, have? What impact might there be on people using DNSSEC validation in their daily operations? How do we help mitigate any potential issues?
If we change the root KSK, all the DNSSEC-validating DNS resolvers out there might update their local trust anchors to the new root KSK without issue. Or, they might not. If those DNS resolvers start failing to return valid DNSSEC-signed records, Internet usage will break for many businesses. How do we make sure that doesn’t happen?
Those are the questions that the ICANN design team that Joe is joining will try to answer. It’s a very important challenge, and we’re glad a member of the Dyn team will be part of the solution. For more background on the root zone KSK rollover, I encourage you to read this paper from the Internet Society.