The Internet Corporation for Assigned Names and Numbers (ICANN) has announced the postponement of the planned change of the DNS Crypto Key that protects the Domain Name System.
According to a statement from ICANN, the change was scheduled to take place on October, 11th however, new data reveals that a significant number of resolvers used by large network operators and ISP’s were not ready.
Reasons for the postponement of DNS Crypto Key Rollover
ICANN believes that there may be multiple reasons why operators are yet to install the new keys in their systems. It could be that their resolver software is not properly configured. The ICANN statement went on to say that one widely used resolvers’ program appears not to be updating the key automatically as it should for unknown reasons.
DNS Crypto key Rollover could take place in the first quarter of next year
ICANN however, intends to reschedule the rollover to the first quarter of next year. It is estimated that the rollover will affect 750 million people. ICANN CEO and President Göran Marby remarked that their core mission was to ensure the stability, security, and resilience of the Domain Name System and as such, it could be an act of irresponsibility to go on with the roll in light of the new developments. The rollover if pursued could not only adversely affect the success of the mission, but also the ability of a huge number of users.
ICANN’s advice on DNS Crypto Key Rollover
ICANN notice to ISP’s and network operators is that they should prepare adequately and ensure that their systems are ready for the intended new rollover date. They should also make use of its platform to ensure the proper configuration of resolvers.
In the meantime, ICANN is looking for ways to resolve the current issues through its Security and Stability Advisory Committee, the Regional Internet Registries and Network Operator Groups.
Brief discussion on DNS
DNS plays a significant role in translating names which we humans can easily remember into numbers used by computers to look up for its destination. This it does in systematic steps beginning with the top level of the directory or the “root zone.” So, for instance, to look up for the name www.google.com, the computer will ask the top level (root zone directory) where to find information on “.com.” After receiving a response, it proceeds to ask the .com directory that is identified by the root zone directory where to get information on .google.com (second level). And finally, asks the google .com directory defined by the “.com” directory the address for www.google.com (third level).
All the above steps happen instantaneously to provide the full address to your computer. In our example, each directory service is managed by a different organization: Google.com by Google, “.com” directory by Verisign, while ICANN administers the root zone.
Why is it important to “sign the root”?
Nowadays, it’s become easier for hackers to hijack any of the DNS lookup steps as a result of recently discovered vulnerabilities in the DNS coupled with advances in technology. In such an occurrence, the hacker can take over control of your session and wreak havoc.
What’s the solution to the DNS vulnerabilities?
The workable long-term solution to the DNS vulnerabilities is the deployment of the end-to-end DNS Security Extensions (DNSSEC). DNSSEC is a technology that protects against attacks by the digital signing of data to ensure validity. For the DNSSEC to succeed in computers, it has to be deployed in each step of the lookup process from the root zone to the final domain name.
How will DNS Security Extensions (DNSSEC) improve the security of the user?
When DNSSEC is fully deployed, it will help the user to connect to the actual website that he intends to connect and therefore alleviate the possibilities of third parties hijacking the lookup process and redirecting the user to a different site for purposes of account and password collection.
DNSSEC used in conjunction with an SSL certificate and the best VPN will provide an end-to-end watertight security for all your online activities.