The Internet Corporation for Assigned Names and Numbers (ICANN) recently approved plans to change the cryptographic key that protects the Domain Name System (DNS).

This will be the first change to the key signing key (KSK) for the DNS since its implementation in 2010, and it will take place on 11 October 2018.

“Rolling” the KSK refers to generating a new cryptographic public and private key pair and distributing the new KSK to those who operate DNS resolvers.

This root key is used to cryptographically sign another key, which in turn is used by the Root Zone maintainer to DNSSEC-sign the root zone of the Internet’s DNS.

This is not the last DNS root key change, as the key will continue to be “rolled” regularly to improve security.

It is crucial for the operators of DNS resolvers to prepare for the change; otherwise, they will be unable to resolve any DNS queries from Internet users.

According to ICANN’s data analysis, however, more than 99% of users whose resolvers are validating will be unaffected by the KSK rollover.

“There is no way of completely assuring that every network operator will have their resolvers properly configured, yet if things go as anticipated, we expect the vast majority to have access to the root zone,” said ICANN board chair Cherine Chalaby.

To ensure that South Africans will fall within this unaffected group, MyBroadband spoke to local ISPs about whether they were prepared for the upcoming DNS key change.

Internet Service Providers

MyBroadband asked individual ISPs whether they were prepared for the DNS root key rollover, but many did not respond to requests for comment.

However, Internet service providers usually rely on backbone providers such as Internet Solutions or Openserve/Telkom to deliver these DNS services.

Webafrica confirmed to MyBroadband that its DNS resolver services are handled through Internet Solutions, as it uses the company for its backbone.

We therefore reached out to Internet Solutions and Telkom to determine whether the companies were prepared for the DNS key change.

Internet Solutions

IS told MyBroadband that it runs DNSSEC with managed keys on servers where the security standard is in place.

“Internet Solutions runs DNSSEC with managed-keys on those servers which have DNSSEC enabled,” the company said.

“This means that when the key changes are published, our instances are able to acquire the new key automatically.”

While this essentially removes the risk of any issue with the key change, IS is ensuring that all of its DNS resolvers are properly configured.

“Our engineers are validating and testing the configuration on all DNS servers to ensure that clients are not impacted when the new root KSK is published,” Internet Solutions said.

“In the event of any unforeseen issues, the existing KSK is still valid until the proposed date for revocation of 11 January 2019.”

Telkom

Telkom is responsible for the configuration of the DNS systems on both the South African Internet Exchange (SAIX) and its own ISP DNS resolvers.

The company said its systems have been updated for the key change and it will monitor its DNS environments during the switch.

“Telkom’s DNS systems have been updated with the new keys, both on SAIX and Telkom Internet,” a Telkom spokesperson told MyBroadband.

“We will closely monitor during the implementation window to ensure there is no customer impact.”
