Introducing SOC Insights for BloxOne Threat Defense: Boost your SOC efficiency with AI-driven insights to eliminate manual work and accelerate investigation and response times. Read the blog announcement here.

#5672: Key signing key for the root zone scheduled to change on October 11, 2017

New Member

Posts: 46

#5672: Key signing key for the root zone scheduled to change on October 11, 2017

- edited

This KB is intended for customers that already have DNSSEC validation configured and working

How to check whether DNSSEC validation is enabled?

Login to NIOS GUI
Navigate to Data Management>DNS>Click on 'Grid DNS Properties' from Toolbar>Toggle Advanced Mode>Select 'DNSSEC'>Scroll down and verify whether 'Enable DNSSEC validation' is selected and whether root zone's public key is configured in the 'Trust Anchors' section.

If the configuration is at the member level, then navigate to Data Management>DNS>Members/Servers>Select the DNS server>Click on 'Edit'>Toggle Advanced Mode>Select 'DNSSEC'>Scroll down and verify whether 'Enable DNSSEC validation' is selected and whether root zone's public key is configured in the 'Trust Anchors' section.

DNSSEC validation is not enabled if 'Enable DNSSEC validation' is selected without the 'Trust Anchors' configuration. If you want to configure DNSSEC validation now, in addition to the new KSK, also add the old root KSK (KSK-2010) until October 11 2017.

Timeline in UTC

October 27, 2016: New KSK is generated.
February 2, 2017: New key published
July 11, 2017: Publication of new KSK in DNS.
September 19, 2017: Size increase for DNSKEY response from root name servers.
October 11, 2017: New KSK begins to sign the root zone DNSKEY resource record set (the actual rollover event).
January 11, 2018: Revocation of old KSK.
March 22, 2018: Last day the old KSK appears in the root zone.
August 2018: Old key is deleted from equipment in both ICANN Key Management Facilities.

What needs to be done on NIOS resolvers configured to do DNSSEC validation?

Add the new key (KSK-2017) as trust anchor before October 11, 2017. Do not remove the old KSK (KSK-2010) from the Trust Anchor configuration before October 11, 2017 since the DNSKEY RRSET signature is based on the currently key until October 11, 2017. It is safe to retain the old key (KSK-2010) in the Trust Anchor configuration until ICANN revokes it. This would help in case the changes are backed out. The new key (KSK-2017) can be added in addition to the current key (KSK-2010) as Trust Anchor. For more details on the KSK rollover project please visit https://www.icann.org/resources/pages/ksk-rollover

What is the impact if the Trust Anchor is not configured with the new root KSK?

DNS resolution will fail for all signed and un-signed zones if the new root key is not added as Trust Anchor before October 11, 2017. On October 11,2017, the root zone's DNSKEY RRSET will only carry signature generated based on the new key (KSK-2017). DNSSEC validating resolvers configured only with the old key (KSK-2010) will fail to validate the new signatures for the root's DNSKEY resource record set.

How to add the new root key as Trust Anchor in NIOS?

Login to NIOS GUI
Navigate to Data Management>DNS>Click on 'Grid DNS Properties' from Toolbar>Toggle Advanced Mode>Select 'DNSSEC'>Scroll down to 'Trust Anchors'>Click on the 'Add' button and enter the key details
The zone will be '.', algorithm will be 'RSA/SHA-256(8)' and paste the key in the 'Public Key' column.
If the configuration is at the member level, then navigate to Data Management>DNS>Members/Servers>Select the DNS server>Click on 'Edit'>Toggle Advanced Mode>Select 'DNSSEC'>Scroll down to 'Trust Anchors'>Click on the 'Add' button
The zone will be '.', algorithm will be 'RSA/SHA-256(8)' and paste the key in the 'Public Key' column.

Key ID and public key string for the new root KSK

Key ID -> 20326

Copy and paste the string below into the ‘Public Key’ column while configuring the Trust Anchor.

AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=

How to find the public key for root zone using dig?

1)     Do ‘dig @a.root-servers.net . dnskey +comments +multi’
2)     Look for the DNSKEY record with key id = 20326. DNSKEY record with key ID 20326 will be added only on July 11, 2017.
3)     Select the value between brackets which is the public key