
ICANN Changing the DNS Root Crypto Keys Today

At 1600 UTC today (1700 Dublin time) ICANN will be doing a “key rollover” of the DNS root.

What that means in plain English (and I’m really really simplifying this) is that the underlying DNS root infrastructure that runs all domains around the world is getting an “oil change”.

It won’t impact most internet users. In fact it’s highly unlikely that you’ll even notice that this has happened.

However, if your ISP is running old, out-of-date or badly configured software on its DNS resolvers, then you might have problems.

This video from ICANN tries to explain what is going on:

Here at Blacknight we run both recursive DNS servers and authoritative ones. The DNS servers that you see associated with your domain name(s) are “authoritative”. That means that they hold *the* information about where your domain and its associated services (records) should be pointed. When somebody visits your website, for example, their ISP will check against our DNS servers to see which server(s) they should send the visitor to.

Resolvers, however, are a little bit different. They sit on our network, and on the networks of every ISP and network operator out there, and, in simple terms, help users reach services, i.e. they check against the authoritative DNS servers to see where they should send traffic and users.

Still with me?

DNSSEC is an extension to standard DNS which works by adding a “signature” to DNS records, so that when a user accesses something their ISP is confident that they are sending them to the right place. And of course it would be completely pointless adding signatures to an individual domain name’s records if the rest of the chain wasn’t equally secured.

So what is happening today is that the cryptographic keys at the very top of the chain are being updated – a bit like the way you’d give your car a regular oil change or update your password.

Hopefully most internet users won’t be impacted, but as this is the first time that the keys are being updated, it’s really impossible to know for sure. Some estimates put the number of impacted users at about 0.01% of the global internet population. That’s a tiny percentage, but still a huge number!
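For anyone running a validating resolver, the practical question is whether its root trust anchor already contains the new key. The following is an added example (not Blacknight's or ICANN's code) that reads trust anchors in zone-file DS/DNSKEY form and reports the result; the key tags 19036 (old root key) and 20326 (new root key) are not stated in this post, and the sample anchor text and its digests are constructed placeholders.

```python
import base64
import struct

OLD_KSK_TAG = 19036  # root KSK-2010, the key being replaced
NEW_KSK_TAG = 20326  # root KSK-2017, the key taking over

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY record, computed as in RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def root_anchor_tags(text):
    """Key tags of the root (".") DS/DNSKEY anchors in zone-file style text."""
    tags = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip comments
        if len(fields) < 2 or fields[0] != ".":
            continue
        rest = fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)  # optional TTL and class
        if len(rest) >= 5 and rest[0].upper() == "DS":
            tags.add(int(rest[1]))  # DS records carry the key tag directly
        elif len(rest) >= 5 and rest[0].upper() == "DNSKEY":
            flags, proto, alg = (int(x) for x in rest[1:4])
            tags.add(key_tag(flags, proto, alg, base64.b64decode("".join(rest[4:]))))
    return tags

def rollover_status(text):
    tags = root_anchor_tags(text)
    if NEW_KSK_TAG in tags:
        return "ready"
    if OLD_KSK_TAG in tags:
        return "stale"  # only the replaced key is trusted: validation will fail
    return "no-root-anchor"  # nothing here validates against the root

# Constructed anchor files; the digests are placeholders, not real values.
PLACEHOLDER = "00" * 32
STALE = f". IN DS {OLD_KSK_TAG} 8 2 {PLACEHOLDER} ; old key only\n"
READY = STALE + f". 172800 IN DS {NEW_KSK_TAG} 8 2 {PLACEHOLDER}\n"

if __name__ == "__main__":
    for name, text in (("stale", STALE), ("ready", READY), ("empty", "")):
        print(name, sorted(root_anchor_tags(text)), rollover_status(text))
```

A "stale" result is the case the post warns about: a resolver that validates DNSSEC but trusts only the old root key.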

If you do have issues, please contact your ISP, i.e. the company you use for your internet connection. That usually won’t be us! 🙂
