Home / Blogs

KSK Rollover, Elliptical Curve Vulnerabilities, Surveillance and Privacy. Are We Building Trust?

ICANN just recently performed a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) Rollover. The recent KSK Rollover that took place on the 11th October 2018. The KSK Rollover has been successful and congratulations are in order.

The Root Zone DNSSEC Key Signing Key “KSK” is the top most cryptographic key in the DNSSEC hierarchy. The KSK is a cryptographic public-private key pair:

  • Public part: trusted starting point for DNSSEC validation
  • Private part: signs the Zone Signing Key (ZSK)
  • Builds a “chain of trust” of successive keys and signatures to validate the authenticity of any DNSSEC signed data

As with passwords, the cryptographic keys used in DNSSEC-signing DNS data should be changed periodically. This ensures infrastructure can support key change in case of emergency. This type of change has never before occurred at the root level. There has been one functional, operational Root Zone DNSSEC KSK since 2010.

However there is an aspect though of the Rollover that concerns cyber security that merits discussion in the wake of vulnerabilities, and protection of privacy deserves discussion.

Given the history of Surveillance orders both domestic within the US and foreign that have passed through the United States Foreign Intelligence Courts where telephone call records and metadata have been submitted on a daily basis, what guarantee is there that surveillance is not being done from the root zone level.

We have over the last decade seen the vulnerabilities such as the Elliptic Curve Cryptography (ECC) where the NSA has a significant advantage in breaking the ECC (Schneier, 2013).

The Root Zone KSK Rollover Plan Design (RSPK) Team Report March 7, 2016 (ICANN, 2016) stated that the RSPK Design Team considered the question of whether there were sufficiently compelling grounds to consider a change in key size or algorithm for the KSK. The RSPK Design Team found no compelling ground to consider a key size or algorithm for the KSK.

The Team noted that a compelling reason might stem from questions regarding the cryptographic strength of the chosen key size or algorithm.

With the initial publication of SP 800-57, “Recommendation for Key Management, Part 1,” in 2005, the US National Institute of Standards and Technology (NIST) announced the intent to raise minimum cryptographic strengths.

Two Options that the RSPK Design Team identified were the 2048-bit Asymmetric RSA key that the Design Team says would be safe to use for another 5 years, with the other algorithm option available for DNSSEC is the Elliptical Curve Digital Signature Algorithm (ECDSA) that is defined in RFC 6605.

The US National Security Agency, which comes under US Department of Defense came under the public spotlight when in June 2013, Snowden exposed the extent of surveillance communication. The New York Times (Savage, Wyatt, 2013) reported that the NSA was collecting telephone records of tens of millions of Americans.

A secret court order that was published by the Guardian (2013) signed by Judge Roger Vinson of the United States Foreign Intelligence Surveillance Court applied by the Federal Bureau for Investigation ordering Verizon Business Network Services to produce all call detail records and telephone metadata created by Verizon for communications between the United States and abroad; or wholly within the United States including local telephone calls on an ongoing daily basis revealed the extent of the surveillance.

The NSA Surveillance reforms, described as the most significant surveillance reforms since 1978, which Congress and Senate passed in the form of the USA Freedom Act was the direct result of the pressure of Snowden’s revelations. The Freedom Act establishes a de facto privacy advocate to argue against the government on behalf of certain privacy rights. In 2015, an independent analysis of 225 terrorism cases in the US concluded that the NSA’s collection of phone records had no distinguishable impact on preventing acts of terrorism.

Ensuring security and stability within the internet ecosystem is essential for fostering trust in the digital space so that people can feel sufficiently safe online. Stakeholders within the internet ecosystem need to be able to establish mechanisms to increase trust within the ecosystem rooted in the public interest.

Filed Under


For my part I'd go with the Todd Knarr  –  Oct 14, 2018 4:03 PM

For my part I’d go with the highest-strength key size available regardless of whether there’s a good reason proposed or not. Reasoning: the root KSK is the single point of failure for the whole DNSSEC system and the single biggest target. As long as it’s secure other compromises can be recovered from, but if it’s compromised everything’s compromised. Plus of course nothing else in the DNSSEC tree can be any more secure than it and it’s the least-often-used key in the entire tree. All that points to making it as tough as possible without exceeding size limitations in the DNS protocol.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

New TLDs

Sponsored byRadix