Finally tomorrow, October 11th at midnight, "Root Zone KSK Rollover" doesn't have to be overly afraid !?

Finally tomorrow, October 11th at midnight, "Root Zone KSK Rollover" doesn't have to be overly afraid !?

"Root zone KSK rollover" is one of the work related to the operation of "DNSSEC (DNS Security Extensions)" which is a security extension function of DNS (Domain Name System). Literally, the DNSSEC key used in the root zone. Updating (rolling over) the signing key (KSK) to a new one. DNSSEC requires key updates to maintain high security, and this is the first work since the start of DNSSEC operation in the root zone.

DNSSEC is building a chain of trust between parents and children using digital signature technology. As shown in Fig. 1, two types of keys called key signing key (KSK) and zone signing key (ZSK) are used in each zone, and by registering the DS resource record corresponding to KSK in the parent zone, the parent and child A chain of trust between them is built.

Figure 1 Trust chain in DNSSEC

いよいよ明日10月11日深夜に実施、「ルートゾーンKSKロールオーバー」は過度に恐れる必要は無い!?(普段からきちんと管理されているネットワークであれば)

When updating a KSK other than the root zone, it is necessary to update the DS resource record of the corresponding parent zone. These can be done by the administrator of the authoritative DNS server for each zone.

However, the root zone is located at the top of the DNS hierarchy and there is no parent zone. Therefore, when updating the KSK of the root zone, it is necessary to update the corresponding "trust anchor" on the full resolver (cache DNS server) side. The trust anchor is the starting point of trust in DNSSEC and must be set for all full resolvers that have DNSSEC validation enabled.

In other words, the root zone KSK rollover requires work for ICANN, which manages the root zone, and full resolver administrators who have DNSSEC validation enabled around the world.

How many full resolvers around the world have DNSSEC validation enabled? Readers may think, "I don't think there are too many." However, major public DNS services such as Comcast and Google Public DNS, the largest ISPs in the United States, have DNSSEC verification enabled, and ICANN estimates that there are 750 million of these users worldwide. [* 1]. These users may be affected by the root zone KSK rollover.

[* 1] …… ICANN Launches Testing Platform for the KSK Rollover

Category

Hot Articles

With Fire HD 8, you can listen to music with LDAC and watch online videos in HD quality! 6980 yen at Amazon Time Sale Festival 11/03/2022
What makes a gaming router different from a regular Wi-Fi router?I compared the points 10/03/2022
You can also play PS5 at 4K / 120Hz! Gaming monitor "MSI Optix MPG321UR-QD" which is 32 type and has all the functions 04/04/2022
If you want a tablet "somehow", buy the Fire HD 10 series on Amazon. I'm sure most people are very satisfied with this! 10/04/2022
DIE VORTEILE EINES ERNEUERUNGSKONSOLENPLANS 18/08/2022
Renault launches new SUV "Arkana" equipped with original hybrid on May 26 Price is 4.29 million yen 07/04/2022
"FFXIV" patch 5.2 "Recollection of the evil star", scheduled to be implemented in mid-February 2020 27/04/2022
What is the plan that can be used at "maximum 1 Mbps" even at low speeds?Compare by sub-brand, online only, MVNO 04/04/2022

Tags