Seven keyholders for the DNS root zone
Preparations for securing the domain name system root zone using the DNS Security Extensions (DNSSEC) protocol are entering a key phase. At the 76th meeting of the Internet Engineering Task Force (IETF) in Hiroshima, the design team from VeriSign, the internet administration authority ICANN and the US NTIA presented the strict security conditions under which the various keys required will be generated, held and renewed. IETF developers expressed concern about the lack of channels both for explaining the DNSSEC rollout, scheduled to commence in January, to ISPs and for collecting reports from ISPs of anything untoward.
In October, ICANN and VeriSign surprised many observers with their proposed timetable for DNSSEC root zone signing. Signatures will be used internally from as early as 1st December and the first root server will serve the signed zone to the outside world from January. DNSSEC signatures do not stop DNS data from being altered en route from sender to recipient; they allow the recipient to detect it. Each set of records is signed with the zone's private key, and a validating resolver checks that signature against the zone's published public key (its DNSKEY record). A response that has been forged or altered, or that purports to come from a zone that did not sign it, fails that check.
Signing the root zone is necessary to ensure that there is an unbroken chain of trust running right through the entire domain name system when converting domain and host names to IP addresses. Some top level domains, including .se and .org, have already signed their zones. Since the changes to the DNS are considerable and errors could knock out big chunks of the internet, the roll-out is to take place a step at a time. One by one, following the sequence L, J, M, I, D, K, etc., root servers will start to issue signed responses from January. The last server will be A, scheduled for May. IETF developers are warning that leaving A to last is a bad idea, as it promotes the long-obsolete myth that A is something special.
Jakob Schlyter of consultancy firm Kirei has told The H's associates at heise online that it is no longer the case that DNS resolvers always start with A when issuing priming queries (the initial queries a resolver sends to learn the root servers). Leaving A to last is, he says, a purely precautionary measure. The option of, in the worst case, stopping the entire roll-out remains open: until July the zone is to be signed with a key that cannot be verified. This, according to Schlyter, allows the signed zone to be withdrawn at any time without causing resolvers that are already validating to lose sight of DNS zones and stop resolving.
The scale of the precautionary measures is also reflected in the key management process, which will take place in high-security data centres with groups of key holders. ICANN, which administers the internet's name and number resources, will hold the 'master' key signing key (KSK) for the root zone, the key at the top of the entire system. ICANN is currently looking for seven people for this purpose, at least five of whom would have to be present to generate a new master key and at least three of whom would have to be present to generate new signatures.
The effort involved is considerable. The actual tokens for unlocking the signature and key generation hardware are held in locked boxes at ICANN. The keys to these boxes are held by the key holders, who will converge from all over the world for the key ceremony. A new master key will be generated every two to five years, or at shorter intervals in an emergency. Since two deputies are being sought for each key holder from the ICANN and IP address administration community, 21 trusted persons are required in total.
VeriSign operates similar procedures for managing the root zone signing key (ZSK). In contrast to the key signing key, the ZSK is replaced four times a year, with old and new keys both published during the transition period. To avoid having to use the key signing key every time a new ZSK is introduced, ICANN issues VeriSign with a set of KSK signatures in advance. Joao Damas of ISC, the developer of BIND, wanted to know whether the loss of these signatures would represent a security problem. Matt Larson, the VeriSign Vice-President responsible for DNSSEC, replied that the signature bundle and the root zone key are hidden deep within VeriSign.
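The chain of trust sketched earlier (a resolver starting from a root trust anchor, a KSK signing the DNSKEY set, a ZSK signing everything else, and a DS record in the parent vouching for the child's KSK) and the KSK/ZSK split just described, with its pre-signed DNSKEY set and quarterly ZSK roll, can be followed end to end in a small model. The following is an added example written for this page, not code from the article, ICANN or VeriSign. It uses toy textbook RSA over 256-bit primes so that it runs on the Python standard library alone (real DNSSEC uses padded RSA or ECDSA, selects keys by key tag and bounds signature validity in time), and the zone names, keys and records are constructed sample data.

```python
"""Toy model of the DNSSEC chain of trust and of the KSK/ZSK split. Added example,
not code from the article, ICANN or VeriSign. Textbook RSA over 256-bit primes is
implemented inline only so this runs on the standard library; real DNSSEC uses padded
RSA/ECDSA and picks keys by key tag. Zone names, keys and records are constructed."""
import hashlib
import random

random.seed(1)  # deterministic keys so the example is reproducible

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; only ever called with large odd candidates here."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(n):
            return n

def keygen(bits=512):  # -> (public 'n:e' text used as DNSKEY rdata, private (n, d))
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            break
    return f"{p * q}:{e}", (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _digest(owner, rtype, rdata):
    """Hash of an RRset's canonical form: owner name, type and sorted rdata."""
    text = f"{owner} {rtype} " + " ".join(sorted(rdata))
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def sign(owner, rtype, rdata, priv):
    """Signed RRset; the RRSIG is an unpadded RSA signature over the canonical form."""
    n, d = priv
    return {"owner": owner, "type": rtype, "rdata": sorted(rdata),
            "rrsig": pow(_digest(owner, rtype, rdata), d, n)}

def verify(rrset, pub):
    n, e = map(int, pub.split(":"))
    return pow(rrset["rrsig"], e, n) == _digest(rrset["owner"], rrset["type"], rrset["rdata"])

def ds_record(child, ksk_pub):  # DS rdata: hash of the child's KSK, held by the parent
    return hashlib.sha256(f"{child} {ksk_pub}".encode()).hexdigest()

def make_zone(name, ksk, zsks, children, records):
    """DNSKEY set (KSK plus every published ZSK) is signed by the KSK, DS and data by the
    active ZSK; one KSK signature per key roster is why they can be issued in advance."""
    active = zsks[0][1]
    return {"name": name,
            "dnskey": sign(name, "DNSKEY", [ksk[0]] + [pub for pub, _ in zsks], ksk[1]),
            "ds": {c: sign(c, "DS", [ds_record(c, pub)], active) for c, pub in children},
            "records": [sign(o, t, rd, active) for o, t, rd in records]}

def validate(zones, trust_anchor, rrset):
    """Root-first: a zone's KSK must match the anchor or the parent's signed DS and sign
    the DNSKEY set; a published ZSK must sign the next DS or the answer. Else: bogus."""
    expected_ds = trust_anchor
    for i, zone in enumerate(zones):
        keys = zone["dnskey"]["rdata"]
        ksk = next((k for k in keys if ds_record(zone["name"], k) == expected_ds), None)
        if ksk is None or not verify(zone["dnskey"], ksk):
            return False
        zsks = [k for k in keys if k != ksk]  # real validators select by key tag
        if i + 1 < len(zones):
            ds = zone["ds"].get(zones[i + 1]["name"])
            if ds is None or not any(verify(ds, k) for k in zsks):
                return False
            expected_ds = ds["rdata"][0]
    return rrset["owner"].endswith(zones[-1]["name"]) and any(verify(rrset, k) for k in zsks)

def demo():
    """Root delegates org. via DS; org. signs www.example.org.; anchor = root KSK hash."""
    root_ksk, root_zsk, org_ksk, org_zsk, new_zsk, attacker = (keygen() for _ in range(6))
    www = ("www.example.org.", "A", ["192.0.2.10"])
    org = make_zone("org.", org_ksk, [org_zsk], [], [www])
    root = make_zone(".", root_ksk, [root_zsk], [("org.", org_ksk[0])], [])
    anchor, good = ds_record(".", root_ksk[0]), org["records"][0]
    # Quarterly ZSK roll: the new ZSK is published beside the old one and the DNSKEY
    # set is re-signed once by the KSK, so answers under either key still validate.
    rolled = make_zone("org.", org_ksk, [new_zsk, org_zsk], [], [www])
    return {"genuine": validate([root, org], anchor, good),
            "tampered en route": validate([root, org], anchor, dict(good, rdata=["198.51.100.66"])),
            "signed with attacker key": validate([root, org], anchor, sign(*www, attacker[1])),
            "cached answer during roll": validate([root, rolled], anchor, good),
            "fresh answer during roll": validate([root, rolled], anchor, rolled["records"][0])}
```

Calling `demo()` reports that the genuine answer, and both the cached and the freshly signed answer seen during a ZSK roll, validate, while an answer altered en route or signed with a key that is not in the zone's DNSKEY set comes back bogus. Note that the roll never touches the KSK beyond the single signature over the new key roster, which is exactly the signature bundle ICANN can hand to VeriSign ahead of time.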
Whilst the developer community was, on the whole, satisfied with these security measures, there was a volley of questions about what was seen as an urgent need for an information campaign. Delivering the longer DNSSEC responses will increase the load on DNS servers. Older DNS resolvers have difficulty with these longer responses: classic DNS limits a UDP answer to 512 bytes, and a larger answer is truncated unless the resolver signals EDNS0 support, so such resolvers retry the query over the slower TCP protocol, further increasing load. Even so, experts are confidently predicting that users will, at least for now, not notice the change. However, one expert is warning that higher latencies could lead to phone calls from users. ISPs also need to know whom to report to if they do notice anything untoward. The real fun, when validation really takes off, will, if all goes according to plan, start in June.
- First root server provides a DNSSEC-signed zone as of December 1st, a report from The H.