ICANN recently performed a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) Rollover, which took place on the 11th October 2018. The KSK Rollover has been successful and congratulations are in order.
The Root Zone DNSSEC Key Signing Key “KSK” is the topmost cryptographic key in the DNSSEC hierarchy. The KSK is a cryptographic public-private key pair:
As with passwords, the cryptographic keys used in DNSSEC-signing DNS data should be changed periodically. This ensures infrastructure can support key change in case of emergency. This type of change has never before occurred at the root level. There has been one functional, operational Root Zone DNSSEC KSK since 2010.
However, there is an aspect of the Rollover concerning cyber security and the protection of privacy that merits discussion in the wake of vulnerabilities.
Given the history of surveillance orders, both domestic within the US and foreign, that have passed through the United States Foreign Intelligence Courts, where telephone call records and metadata have been submitted on a daily basis, what guarantee is there that surveillance is not being done from the root zone level?
Over the last decade we have seen vulnerabilities such as those in Elliptic Curve Cryptography (ECC), where the NSA has a significant advantage in breaking ECC (Schneier, 2013).
The Root Zone KSK Rollover Plan Design (RSPK) Team Report of March 7, 2016 (ICANN, 2016) stated that the RSPK Design Team considered the question of whether there were sufficiently compelling grounds to consider a change in key size or algorithm for the KSK. The RSPK Design Team found no compelling grounds to consider a change in key size or algorithm for the KSK.
The Team noted that a compelling reason might stem from questions regarding the cryptographic strength of the chosen key size or algorithm.
With the initial publication of SP 800-57, “Recommendation for Key Management, Part 1,” in 2005, the US National Institute of Standards and Technology (NIST) announced the intent to raise minimum cryptographic strengths.
The RSPK Design Team identified two options: the 2048-bit asymmetric RSA key, which the Design Team says would be safe to use for another 5 years, and the other algorithm option available for DNSSEC, the Elliptic Curve Digital Signature Algorithm (ECDSA) that is defined in RFC 6605.
The US National Security Agency, which comes under the US Department of Defense, came under the public spotlight in June 2013, when Snowden exposed the extent of communications surveillance. The New York Times (Savage, Wyatt, 2013) reported that the NSA was collecting telephone records of tens of millions of Americans.
The extent of the surveillance was revealed by a secret court order published by the Guardian (2013). Signed by Judge Roger Vinson of the United States Foreign Intelligence Surveillance Court on application by the Federal Bureau of Investigation, it ordered Verizon Business Network Services to produce, on an ongoing daily basis, all call detail records and telephone metadata created by Verizon for communications between the United States and abroad, or wholly within the United States, including local telephone calls.
The NSA surveillance reforms, described as the most significant surveillance reforms since 1978, which Congress and Senate passed in the form of the USA Freedom Act, were the direct result of the pressure of Snowden’s revelations. The Freedom Act establishes a de facto privacy advocate to argue against the government on behalf of certain privacy rights. In 2015, an independent analysis of 225 terrorism cases in the US concluded that the NSA’s collection of phone records had no distinguishable impact on preventing acts of terrorism.
Ensuring security and stability within the internet ecosystem is essential for fostering trust in the digital space so that people can feel sufficiently safe online. Stakeholders within the internet ecosystem need to be able to establish mechanisms to increase trust within the ecosystem rooted in the public interest.
For my part I’d go with the highest-strength key size available regardless of whether there’s a good reason proposed or not. Reasoning: the root KSK is the single point of failure for the whole DNSSEC system and the single biggest target. As long as it’s secure other compromises can be recovered from, but if it’s compromised everything’s compromised. Plus of course nothing else in the DNSSEC tree can be any more secure than it and it’s the least-often-used key in the entire tree. All that points to making it as tough as possible without exceeding size limitations in the DNS protocol.