NordVPN Promotion

Home / Blogs

A Great Collaborative Effort: Increasing the Strength of the Zone Signing Key for the Root Zone

A few weeks ago, on Oct. 1, 2016, Verisign successfully doubled the size of the cryptographic key that generates Domain Name System Security Extensions (DNSSEC) signatures for the internet’s root zone. With this change, root zone Domain Name System (DNS) responses can be fully validated using 2048-bit RSA keys. This project involved work by numerous people within Verisign, as well as collaborations with the Internet Corporation for Assigned Names and Numbers (ICANN), Internet Assigned Numbers Authority (IANA) and National Telecommunications and Information Administration (NTIA).

As I mentioned in my previous blog post, the root zone originally used a 1024-bit RSA key for zone signing. In recent years the internet community transitioned away from keys of this size for SSL and there has been pressure to also move away from 1024-bit RSA keys for DNSSEC. Internally, we began discussing the root Zone Signing Key (ZSK) length increase in 2014. However, another important root zone change was looming on the horizon: changing the Key Signing Key (KSK).

In early 2015, ICANN assembled a design team tasked with making recommendations about changing the root zone KSK. As the design team wrapped up its work and delivered its report, it became clear that we could either work quickly to increase the ZSK in 2016 before the KSK rollover, or wait until some date in 2018 after the KSK rollover.

At the Root KSK Ceremony in May of this year, Verisign presented the first 2048-bit ZSK for signing, which was pre-published in the root zone on Sept. 20, 2016. Then, at the ceremony in August, we presented the next set of ZSKs to be signed, which will be used from October through December. On Oct. 1, 2016 we began publishing root zones signed with the larger ZSK.

A Look at the Data

During these two important milestones we collected data with the assistance of our root server operator colleagues. With this data we can observe the rates of DNSKEY queries, UDP truncation, TCP-based queries, as well as ICMP “need to fragment” and “fragment reassembly time exceeded” signalling (see Figure 1). We’ve been closely watching this data for any evidence of problems related to the larger ZSK, and I’m happy to say that none has been found and no problems have been reported.

Figure 1: Rate of ICMP “Unreachable Need to Fragment” Messages
(Click to Enlarge)

Apart from the increased level of security provided to internet users by the larger ZSK, the parties most affected by this change are the root operators. On Oct. 1, the size of the root zone file jumped from 1.6 to 2.1 MB. Furthermore, due to the high percentage of queries requesting DNSSEC records, all root servers experienced a sudden 30 percent increase in outgoing bandwidth (see Figure 2).

Figure 2: Change in Average UDP Response Size
Upon publishing the root zone signed with a 2048-bit ZSK
(Click to Enlarge)

Thanks for a Smooth Implementation

I would again like to thank everyone who made this important change possible, especially those who we worked closely with at IANA (now Public Technical Identifiers), ICANN and NTIA. The root server operators played a crucial role and we appreciate their support and cooperation. Lastly, various DNS experts were also helpful in providing suggestions, criticisms and kudos throughout the process.

Although we feel confident that the ZSK length change occurred without any negative impacts, we encourage everyone to remain vigilant and report any potential issues to Verisign at [email protected].

On to the KSK Rollover…

Now that the ZSK length change is complete, we look forward to continued collaboration with ICANN on the KSK rollover. If you’ve had a chance to read their plans and documentation, you know that the KSK rollover timeline is longer and more complex, primarily because it involves updating trust anchors used by DNSSEC validators. We encourage everyone to follow this activity closely as it progresses during 2017.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Duane Wessels, Fellow at Verisign

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

NordVPN Promotion