The Internet Corporation for Assigned Names and Numbers (ICANN) next month will make the first-ever revision of the Root Zone Signing Key, the cryptographic key pair that underlies the trust of the Domain Name System (DNS).
DNS converts domain names into numerical Internet Protocol addresses. Because plain DNS responses are not authenticated, the system is exposed to DNS cache poisoning, also known as DNS spoofing. Many domains attempt to mitigate these vulnerabilities via DNS Security Extensions (DNSSEC), in which cryptographic keys authenticate that DNS data is coming from the correct point of origin.
ICANN manages the top-level DNS root zone. Each entity in this hierarchy has its own keys for generating signatures and must sign the key of the entity below it.
"ICANN wants to be very transparent in the operation of [the Root Zone Signing Key] because it's important that the community trusts it," says Matt Larson, ICANN's vice president of research.
Internet Architecture Board chair Andrew Sullivan thinks it is possible that the key has been cracked without ICANN knowing, and that changing it is a sensible idea in the same way passwords should be changed every so often. Security researcher Dan Kaminsky agrees, noting that the key's enlargement from 1,024 bits up to 2,048 is another imperative.
Abstracts Copyright © 2016 Information Inc., Bethesda, Maryland, USA