Oct 04
Are you ready? How to prepare for the DNSSEC Root KSK Rollover on October 11, 2018

Are you ready? Are your systems prepared so that DNS will keep functioning for your networks? One week from today, on Thursday, October 11, 2018, at 16:00 UTC ICANN will change the cryptographic key that is at the center of the DNS security system – what we call DNSSEC. The current key has been in place since July 15, 2010. This is a long-planned replacement.
If everything goes fine, you should not notice and your systems will all work as normal. However, if your DNS resolvers are not ready to use the new key, your users may not be able to reach many websites!
This change of the central security key for DNS is known as the “Root Key Signing Key (KSK) Rollover”. It has been in discussion and planning since 2013. We’ve written many articles about it and spoken about it at many conferences, as have many others in the industry. ICANN has a page with many links and articles at:
But here we are, with only a few days left and you may be wondering – how can I know if my systems are ready?
The good news is that, since the Root KSK Rollover was delayed by a year, almost all DNS resolver software has been shipping with the new key for quite some time. If you, or your DNS server administrators, have been keeping up with recent updates, you should be all set.
1. Test if you are doing DNSSEC validation
Before you do anything else, you should first check if you are doing DNSSEC validation on your network. As noted in ICANN’s guidance document, go to a command-line / terminal / shell window and type:
dig @<IP of your DNS resolver> dnssec-failed.org a +dnssec
For example, using Google’s Public DNS Server, the command would be:
dig @8.8.8.8 dnssec-failed.org a +dnssec
If the response includes this text:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
then you ARE doing DNSSEC validation and should read the rest of this article.
If the response instead includes:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR
… well, you are NOT doing DNSSEC validation. You can skip the rest of this article, go have a beverage, and not have to worry about the Root KSK Rollover on October 11. However, you should also read up on DNSSEC and understand why you should start validating, to raise the level of security and trust on your network. (But, at this point, you might as well wait until October 12 to deploy it.)
If you are doing DNSSEC validation, read on.
Two notes:
- Unfortunately if you are not an administrator of your DNS resolvers, there are limited mechanisms to check if you have the new key. There are a couple of possibilities (see #2 and #3a below), but otherwise you will need to contact your DNS administrators / IT team and point them to this blog post and other resources.
- In DNS / DNSSEC circles the root key is also referred to as a “trust anchor”.
2. Try the Sentinel KSK Test
A small percentage of you reading this may be able to use the “sentinel test”, which is based on an Internet draft that is still in development. You can do so at either of these sites:
Right now there is only one DNS resolver (Unbound) that implements this sentinel test. Hopefully by the time we do the next Root KSK Rollover, some years from now, this will be more widely deployed so that regular users can see if they are protected.
However, for most of us, myself included, we need to go on to other methods…
3a. Check if your DNS resolvers have the new Root KSK installed – via various tools
There are several tests you may be able to perform on your system. ICANN has published a list at:
That document lists the steps for the following DNS resolvers:
- BIND
- Unbound
- PowerDNS Recursor
- Knot Resolver
- Windows Server 2012 R2 and 2016
- Akamai DNSi Cacheserve
- Infoblox NIOS
For BIND users, ISC also provides a focused document: Root KSK Rollover in BIND.
3b. Check if your DNS resolvers have the new Root KSK installed – via specific files
If you have command-line access to your DNS servers, you can look in specific files to see if the new key is installed. The current key (“KSK 2010”) has an ID of 19036. The new key has an ID of 20326. As Paul Wouters wrote in a Red Hat blog post today, these keys can be found in these locations in Red Hat Linux:
- bind – see /etc/named.root.key
- unbound / libunbound – see /var/lib/unbound/root.key
- dnsmasq – see /usr/share/dnsmasq/trust-anchors.conf
- knot-resolver – see /etc/knot-resolver/root.keys
Look in there for a record with an ID of 20326. If it is present, you are all set. If not, you need to figure out how to get the new key installed.
Note – these locations here are for Red Hat Linux. Other Linux distributions may use slightly different file locations – the point is that there should be a file somewhere on your system with these keys.
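As an added example (my own, not code from the post, ICANN or any resolver vendor), the following Python ties steps 1 and 3b together: it reads the status out of a captured dig response, and instead of grepping a trust-anchor file for the string 20326 it parses each DNSKEY record and computes its key tag per RFC 4034 Appendix B, which is what that “ID” actually is. The sample file and its “AQAB” key material are constructed placeholders, not the real root key, so the sample’s computed tag is 1545 rather than 20326.

```python
import base64
import re
import struct
KSK_2017_TAG = 20326  # the new root KSK's key tag, as given in the post

# Step 1: the rcode in a dig header line such as
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234".
_STATUS_RE = re.compile(r"->>HEADER<<-.*?\bstatus:\s*([A-Z]+)")

def dig_validates(dig_output: str) -> bool:
    """SERVFAIL on the dnssec-failed.org query means the resolver validates."""
    m = _STATUS_RE.search(dig_output)
    return bool(m) and m.group(1) == "SERVFAIL"

# Step 3b: "<flags> 3 <alg> <base64>" as written both in DNSKEY RR text
# ('. 172800 IN DNSKEY 257 3 8 AwEA...') and in BIND's quoted managed-keys
# syntax ('. initial-key 257 3 8 "AwEA...";', key possibly split over lines).
_DNSKEY_RE = re.compile(
    r'(?<![\w.])(\d{1,5})\s+3\s+(\d{1,3})\s+(?:"([A-Za-z0-9+/=\s]+)"|([A-Za-z0-9+/=]+))'
)

def dnskey_key_tag(flags: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (protocol is always 3)."""
    ac = 0
    for i, b in enumerate(struct.pack("!HBB", flags, 3, algorithm) + pubkey):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def trust_anchor_tags(text: str) -> list:
    """(flags, algorithm, key_tag) for every DNSKEY in a trust-anchor file body."""
    found = []
    for m in _DNSKEY_RE.finditer(text):
        flags, alg = int(m.group(1)), int(m.group(2))
        try:
            pubkey = base64.b64decode(re.sub(r"\s+", "", m.group(3) or m.group(4)), validate=True)
        except ValueError:
            continue  # malformed key material: report no tag rather than a wrong one
        found.append((flags, alg, dnskey_key_tag(flags, alg, pubkey)))
    return found

def has_ksk_2017(text: str) -> bool:
    """True only if a KSK (flags 257) whose *computed* tag is 20326 is present."""
    return any(f == 257 and t == KSK_2017_TAG for f, _a, t in trust_anchor_tags(text))

# Constructed sample in unbound root.key style. "AQAB" is placeholder key material
# (not the real KSK-2017) with computed tag 1545; the comment mentioning 20326 shows
# why a plain grep for the number is not enough.
SAMPLE_ROOT_KEY = """\
;; constructed sample, not real key data; id: 20326 appears only in this comment
.\t172800\tIN\tDNSKEY\t257 3 8 AQAB ;{id = 1545 (ksk), size = 16b}
"""
```

On a real system, pass the contents of one of the files listed above (for example /var/lib/unbound/root.key) to has_ksk_2017(); a True result means a KSK whose key tag really is 20326 is installed.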
4. Have a backup plan in case there are problems
As Paul notes in his post today, it would be good to have a backup plan in case there are unexpected DNS problems on your network on October 11 and users are not able to resolve addresses via DNS. One suggestion is to temporarily change your systems to give out one of the various sets of “public” DNS servers that are operated by different companies. Some of these include:
| IPv4 | IPv6 | Vendor |
|---|---|---|
| 1.1.1.1 | 2606:4700:4700::1111 | Cloudflare |
| 8.8.8.8 | 2001:4860:4860::8888 | Google DNS |
| 9.9.9.9 | 2620:fe::fe | Quad9 |
| 64.6.64.6 | 2620:74:1b::1:1 | Verisign |
You can switch to one of these resolvers while you sort out the issues with your own systems. Then, once you have your systems correctly configured, you can switch back so that the DNSSEC validation is happening as close to your users as possible (thereby minimizing the potential areas of the network where an attacker could inject malicious DNS traffic).
5. Plan to be around on 11 October 2018 at 16:00 UTC
Finally, don’t schedule a day off on October 11th – you might want to be around and able to monitor your DNS activity on that day. This Root KSK Rollover has been in the works for many years now. It should be a “non-event” in that it will be “just another day on the Internet”. But many of us will be watching whatever statistics we can. And you’ll probably find status updates using the #KeyRoll hashtag on Twitter and other social networks.
The end result of all of this will be the demonstration that we can safely and securely change the cryptographic key at the center of DNS – which allows us to continue improving the level of security and trust we can have in this vital part of the public core of the Internet!
Image credit: Lindsey Turner on Flickr. CC BY 2.0
P.S. This is NOT what the “Root key” looks like!
Acknowledgements: Thanks to Ed Lewis, Paul Hoffman, Paul Wouters, Victoria Risk, Tony Finch, Bert Hubert, Benno Overeinder, Hugo Salgado-Hernández, Carlos Martinez and other members of the dnssec-coord discussion list for the discussion that informed this post.
The post Are you ready? How to prepare for the DNSSEC Root KSK Rollover on October 11, 2018 appeared first on Internet Society.
Sep 18
TDYR 355 – A personal update about my post-cancer recovery
Sep 17
Fascinating to see another billionaire buy a major media property, in this case Time Magazine – https://m.huffpost.com/us/entry/us_5b9efe6fe4b046313fbc441c
Sep 14
Celebrating One Year With Our New Website

It is hard for me to believe, but it was one year ago today that we launched this new website! On September 14, 2017, James Wood began our flow of news with a welcoming blog post – and just a few days later the site was heavily used as part of our massive 25th Anniversary celebration. It was the culmination of a rather insane several months in which a whole crew of people within the Internet Society, as well as at our partners Moving Brands and ATTCK, all burned countless hours to make this site a reality.
One year later, we’ve published over 500 news articles and blog posts; published over 120 new resources and tutorials; promoted many events, and maintained a consistent flow of content on the critical issues affecting the Internet.
We’ve built campaign pages, integrated video and graphics (ex. our GIR page), showcased the amazing work our Chapters are doing, integrated social components (ex. our IoT page and Instagram), and pushed the limits of how many links any sane person should have on a page. I continue to be impressed by the beauty of pages like our Issues page (just move your cursor over the boxes) – or pages like our 2018 Action Plan with all its different rows and backgrounds.
And… it all works great on mobile devices – and we did it all in three languages!

Now, it wasn’t all smooth sailing, of course. As I wrote in some of the posts about our website redesign, we had our share of challenges. We went through three different search solutions until we found a system that worked. We initially had hundreds of thousands of 404 errors while we got redirects in place. We had some serious speed issues that made working on the site … sooooooooo…. incredibly… sssssssssssllllllllllooooooooowwwwwwwww… until we moved to a new hosting provider in June 2018.
But at this point I can say that overall we are definitely pleased with both the front end you see as visitors – and the back end we use to administer the site.
We are NOT done yet!
Launching a site is a long journey. There are still many changes and new features we want to introduce. We have a “timeline” feature we hope to be rolling out soon. We are working on a way to add interactive maps. There are some accessibility issues we still need to address. And we’re always working on increasing speed and providing a better user experience. Plus, we want to see how we can better integrate this main site with a few of our other affiliated sites.
There is a great team of people who have helped make this happen over the past year, and I look forward to working with them and many others to see what we can do with this site over the next year.
Our goal is to deliver on that mission for the site I outlined back in June 2017:
Our website is a driving force in realizing our mission of an open Internet for everyone. It empowers all who care about a free and safe Internet and inspires action to make a positive difference.
It demonstrates our global impact, promotes our point of view, and provides definitive resources on the news, technologies, and policies that shape the Internet – today and tomorrow.
It delivers a focused and engaging experience that connects with a breadth of individuals, organizations and influencers. It extends our reach, supports our community, and grows our membership, creating a foundation for building a stronger Internet.
We want to help you all who are reading this to work with us to help shape the future of an Internet that is open, globally connected and secure.
I welcome any comments and feedback on this site – you can email me at york@isoc.org or leave them on our issue tracker on Github.
Thank you for visiting this site, sharing our information, taking action – and helping us all to #ShapeTomorrow!
The post Celebrating One Year With Our New Website appeared first on Internet Society.
Sep 14
Sad to see @Apple killing off its small phones. I’m a very happy iPhone SE user because I LIKE SMALL PHONES! I guess I’ll keep nursing my SE along until I can no longer upgrade it – and then perhaps I’ll.. (gasp!).. look outside Apple’s world for my next small phone 😞
Sep 06
Call for Participation – ICANN DNSSEC Workshop at ICANN63 Barcelona (Featured Blog)
Sep 05
Returning to POSSE – Writing on my own site, THEN on Facebook, Twitter, etc
Over the past few weeks as I’ve been grappling with colon cancer, it has been soooooooooo tempting to just pop open the Facebook app, write a story in the box and press “Share”.
Simple. Easy. Done!
Or inside the Twitter app… or LinkedIn… or… or...
But here’s the problem with that...
All the stories get LOCKED INSIDE A PLATFORM!
They are there living on the platform’s servers, inside the platform’s systems. Maybe they are visible publicly, maybe they aren’t. Maybe they will be around in two years, maybe they won’t. Maybe people will find them, maybe they won’t.
The future of your stories is entirely at the whim of the platform.
As I wrote about on the Internet Society’s blog earlier this year, one of my own guiding principles is “POSSE“, a content publishing model from the “IndieWeb” movement:
Publish on your
Own
Site,
Syndicate
Elsewhere
And so over these past few weeks, I tried really hard to do that with my journey through cancer: the diagnosis, followed by the recovery, followed by the results.
But it’s HARD. It was so insanely tempting yesterday when I got the great news just to pop open Facebook and share it with everyone.
But when I do that… it’s shared ONLY within Facebook’s shiny “walled garden”. It’s not shared with people I know who choose NOT to use Facebook. It’s not shared with the communities I’m in on other social networks.
The “open Web” on top of the “open Internet” is really the only way to do that. But it’s hard. There are extra steps involved for me right now with the way my various blogs are set up. I want to work to make that easier and simpler… but doing so will take time… which is challenging to find.
But if we don’t find ways to OWN OUR OWN STORIES then they will stay locked away in closed, proprietary walled gardens. And maybe that’s fine for some of those stories. Maybe they are small and mundane… “in the moment” stories that we don’t really care about. But even so, we feed the platforms. We help them to grow.
I’ll keep trying to follow the POSSE rule… and I’ll be writing more here about that.
Image credit: Tom Kelly on Flickr CC BY NC ND