#5729 - Steps to update the new Root Zone KSK key to prevent potential DNS resolution issues

In 2016, the Internet Corporation for Assigned Names and Numbers (ICANN) announced a two-year execution plan for rolling over the Root Zone Domain Name System Security Extensions (DNSSEC) KSK key.

According to that plan, on October 11, 2017, a new KSK key (KSK-2017) was added to sign the Root Zone DNSKEY resource record set.

The ICANN Board of Directors approved the plan to roll the root KSK on October 11, 2018, at 4 PM UTC, and the rollover was carried out successfully at that time.

On January 11, 2019, the old KSK key (KSK-2010) will be marked as revoked. Marking the old key as revoked tells any system that implements RFC 5011 that KSK-2010 is no longer valid, so it will not trust that key in the future. The revocation mark will remain visible until March 22, 2019, at which point KSK-2010 will be removed from the root zone permanently.

Because only the KSK-2017 key has been used to sign the root zone's key set since October 11, 2018, no DNS service impact is expected.

Rolling over the KSK key means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers. This includes: Internet Service Providers; enterprise network administrators and other Domain Name System (DNS) resolver operators; DNS resolver software developers; system integrators; and hardware and software distributors who install or ship the root's "trust anchor." The KSK is used to cryptographically sign the Zone Signing Key (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root zone of the Internet's DNS.

Maintaining an up-to-date KSK is essential to ensuring that DNSSEC-validating DNS resolvers continue to function after the rollover. A validating resolver that does not hold the current root zone KSK cannot build a chain of trust from the root, so it will be unable to resolve DNS queries, which would lead to an outage.

Currently, Infoblox NIOS does not support the "Automated Updates of DNS Security (DNSSEC) Trust Anchors" feature (RFC 5011), which would update the key automatically. The new Root Zone KSK key must therefore be added in one of two ways: manually, or through the provided hotfix binary.
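
Because NIOS needs the new anchor added by hand, it is worth confirming that the DNSKEY you are about to configure really is KSK-2017 before a resolver is told to trust it. The script below is an added example written for this article; it is not Infoblox code and not part of the KB procedure. It implements the RFC 4034 key tag and DS digest computations so a DNSKEY can be checked against the DS record IANA publishes, and it also shows, for the revocation step described above, how setting the RFC 5011 REVOKE bit changes a key's tag. The KSK-2017 public key and DS values embedded in it are the ones published by IANA at https://data.iana.org/root-anchors/ and should be verified against that source before use; the function names are assumptions of this example.

```python
"""Check a root trust anchor (DNSKEY) against a published DS record.

RFC 4034 Appendix B defines the key tag; RFC 4034 section 5.1.4 defines the
DS digest as hash(canonical owner name | DNSKEY RDATA).  Added example, not
Infoblox or IANA code.
"""
import base64
import hashlib
import struct

# KSK-2017 DNSKEY as published by IANA (https://data.iana.org/root-anchors/).
# Verify against IANA's root-anchors.xml before relying on it.
KSK_2017_DNSKEY = (
    "257 3 8 "
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 "
    "+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv "
    "ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF "
    "0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e "
    "oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd "
    "RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN "
    "R1AkUTV74bU="
)
# Published DS for KSK-2017: key tag 20326, algorithm 8 (RSA/SHA-256), digest type 2 (SHA-256).
KSK_2017_DS = "20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"

REVOKE_FLAG = 0x0080          # RFC 5011 section 2.1
ROOT_OWNER_WIRE = b"\x00"     # canonical wire form of "."


def dnskey_rdata(text):
    """Parse 'flags protocol algorithm base64...' into wire-format RDATA."""
    flags, protocol, algorithm, *key_parts = text.split()
    key_bytes = base64.b64decode("".join(key_parts))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + key_bytes


def key_tag(rdata):
    """RFC 4034 Appendix B key tag for algorithms other than 1 (RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner_wire, rdata, digest_type):
    """RFC 4034 section 5.1.4 DS digest, upper-case hex."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(owner_wire + rdata).hexdigest().upper()


def verify_trust_anchor(dnskey_text, ds_text, owner_wire=ROOT_OWNER_WIRE):
    """True only if key tag, algorithm and digest all match the DS record."""
    rdata = dnskey_rdata(dnskey_text)
    tag, algorithm, digest_type, digest = ds_text.split()
    _flags, _protocol, key_alg = struct.unpack("!HBB", rdata[:4])
    return (key_tag(rdata) == int(tag)
            and key_alg == int(algorithm)
            and ds_digest(owner_wire, rdata, int(digest_type)) == digest.upper())


def revoked_form(dnskey_text):
    """Same DNSKEY with the RFC 5011 REVOKE bit set (257 -> 385 for a KSK).

    The flags are part of the RDATA, so a revoked key has a different key tag
    and no longer matches its original DS record.
    """
    flags, rest = dnskey_text.split(maxsplit=1)
    return f"{int(flags) | REVOKE_FLAG} {rest}"


if __name__ == "__main__":
    rdata = dnskey_rdata(KSK_2017_DNSKEY)
    print("KSK-2017 key tag:", key_tag(rdata))
    print("matches published DS:", verify_trust_anchor(KSK_2017_DNSKEY, KSK_2017_DS))
    revoked = revoked_form(KSK_2017_DNSKEY)
    print("key tag once revoked:", key_tag(dnskey_rdata(revoked)))
```

Paste the DNSKEY text you intend to configure in place of `KSK_2017_DNSKEY` and run the script; a `False` from `verify_trust_anchor` means the key material or its flags do not match the published DS and should not be installed as a trust anchor. The revoked-form check is the reason a validator that does understand RFC 5011 will see KSK-2010 under a new tag once the revocation mark is published.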

Please refer to Infoblox Support KB # 5729 for the steps to update the new Root Zone KSK key to prevent potential DNS resolution issues.
