ICANN to replace Internet Domain Name System (DNS) encryption keys for first time

Recently, David Conrad, Chief Technology Officer (CTO) of the Internet Corporation for Assigned Names and Numbers (ICANN), said in an interview in Beijing that ICANN will, for the first time, replace the key signing key (KSK) that maintains the root zone of the Internet Domain Name System (DNS), and has developed a process to manually replace it with a new key before Universal Coordinated Time.

The purpose of CTO Conrad's visit to Beijing was to communicate with local stakeholders and technical communities, share ICANN's technical responsibilities in the domain name ecosystem, better understand China's latest progress in Internet technology, and explore cooperation with the Chinese Internet community in the field of technology. He visited the competent authorities, the domain name industry, universities and academic research institutions, and leading Internet companies.

“Internet service providers and network operators around the world should ensure they are ready for the key change. Otherwise, their users will not be able to look up domain names or access any Internet site,” said David Conrad. “Network operators should ensure they have the latest software, have deployed DNSSEC, and have verified their systems can automatically change keys or have a process in place to manually change to the new keys by 16:00 UTC on 11 October 2017,” he added.

It is reported that the replacement of keys, also known as "rollover", is an important part of maintaining the security and stability of the global DNS. This is very similar to the generally accepted operational practice of ensuring that important security infrastructure can support password replacement when necessary.

Regarding the background of this key replacement, Luo Jiarong, general manager of ICANN Asia Pacific Operations Center, said that in recent years, there have been many large-scale network security incidents on the Internet. In order to improve the security of the Domain Name System (DNS) and protect DNS servers from distributed denial of service (DDoS) attacks, the more secure DNSSEC protocol is being promoted and deployed.

DNSSEC is the abbreviation of DNS Security Extensions. DNSSEC improves the security of DNS by introducing public key cryptography into the DNS hierarchy, creating an open, global public key infrastructure (PKI) for domain names. Its advantage is that digital signatures make covert tampering with DNS data detectable, which secures domain name queries and resists attacks such as redirecting end users to fake or malicious websites in order to collect passwords. This kind of attack, which affects all end users, is usually called cache poisoning. Preventing cache poisoning is one of the main advantages of DNSSEC.

"We have launched a test bed to ensure that network operators can be sure they are fully prepared for the key roll before October 11," Conrad said.

Liu Yue, executive director of the Internet Governance Research Center of the China Academy of Information and Communications Technology and chairman of the Internet sector, told reporters that in recent years, the number of domain name registrations for new generic top-level domains in the Chinese market has increased rapidly, accounting for about 50% of the global new generic top-level domain market. At present, China is a leader in the field of new generic top-level domains, ranking second in the world in terms of total domain name registrations and new domain name registrations, but the application level of domain names is still relatively low, and there are huge risks in the system security of important domain names.

According to the data provided by the "2015 Domain Name Industry Development Report", "more than 60% of domain names related to national economy and people's livelihood have security issues, which need to be paid high attention." Liu Yue said that during David Conrad's visit to Beijing, China Academy of Information and Communications Technology and ICANN exchanged views on issues such as DNS security and stability, and the two sides, as partners of each other, will continue to cooperate in this field.

It is also understood that ICANN President and CEO Göran Marby has written to more than 170 government officials (including regulators and participants in ICANN's Governmental Advisory Committee), asking them to require network operators in their respective countries to understand the key rollover and prepare for it.
