DNSSEC key rollover imminent

by Michael Tremer, September 9, 2018


ICANN will roll over the DNSSEC key signing key (KSK) of the DNS root zone. All resolvers need to be updated so that DNS resolution keeps working after October 11, 2018; otherwise no DNS entries can be resolved any more.

What do I need to do?

We have known about this key rollover for a long time and placed an automatic job that keeps the key up to date. But just to be sure, we are sending you this announcement.

IPFire needs to be at least on Core Update 106 or newer to have unbound, our new DNS proxy. No manual action is required.

What does this mean?

DNSSEC is used to verify DNS responses from any name server. With those signatures, anyone can trust that the DNS reply that was received was not forged and is the correct one to reach the web server of your bank and not somebody else.

Those signatures are generated from keys that are organised in a hierarchy, starting from the DNS root zone (".") and going down to, for example, www.ipfire.org. Since nobody can hold all keys for all possible domains, the keys of each zone are signed at the next higher level of the hierarchy. At the very top, however, there is no higher authority left to vouch for the root zone's key. Therefore, every system that is using DNSSEC has a copy of the root key stored locally. It is this key that is now being changed.

To repeat the most important part again: DNS resolution won’t be possible when recent updates have not been installed.

For the nerds

If you want to check if your system has already imported the new key, you can run the following command:

[root@ipfire ~]# dig @localhost trustanchor.unbound -c CH -t TXT

; <<>> DiG 9.11.3 <<>> @localhost trustanchor.unbound -c CH -t TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29040
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;trustanchor.unbound.		CH	TXT

;; ANSWER SECTION:
trustanchor.unbound.	0	CH	TXT	". 19036 20326"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Sep 09 17:00:20 BST 2018
;; MSG SIZE  rcvd: 74

The output should show you two keys with ID 19036 and 20326.
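The IDs in that TXT answer are DNSSEC key tags (RFC 4034 Appendix B), so the same check can be scripted and cross-checked against the DNSKEY lines in unbound's trust anchor file. The script below is an added example, not part of the original post or of IPFire: it parses the dig answer shown above, classifies the resolver as ready (new key tag 20326 present), stale (only older tags) or unknown, and computes key tags from DNSKEY RDATA. The sample dig output and the sample anchor line are constructed for the example; the anchor line uses a dummy 4-byte key, not a real root key.

```python
"""Check an unbound resolver for the new root KSK (key tag 20326).

Added example. It parses the output of
    dig @localhost trustanchor.unbound -c CH -t TXT
and computes DNSKEY key tags per RFC 4034 Appendix B so the IDs in the
TXT answer can be matched against a root.key style trust anchor file.
"""
import base64
import re
import subprocess

NEW_ROOT_KSK_TAG = 20326  # KSK-2017, the key in use after October 11, 2018
OLD_ROOT_KSK_TAG = 19036  # KSK-2010, the key being retired

# One TXT record per anchor zone, e.g. ". 19036 20326" (zone, then key tags).
TXT_RE = re.compile(r'^trustanchor\.unbound\.\s+\d+\s+CH\s+TXT\s+"([^"]*)"', re.M)

# Constructed sample: answer section of a resolver carrying both root key tags
# (same content as the dig output shown in the post).
SAMPLE_READY = (
    ";; ANSWER SECTION:\n"
    'trustanchor.unbound.\t0\tCH\tTXT\t". 19036 20326"\n'
)

# Constructed sample: a resolver that still only knows the retiring KSK-2010.
SAMPLE_STALE = (
    ";; ANSWER SECTION:\n"
    'trustanchor.unbound.\t0\tCH\tTXT\t". 19036"\n'
)

# Constructed sample anchor file line in unbound's autotrust layout with a
# dummy 4-byte public key (AQIDBA== is bytes 01 02 03 04), NOT a real root key.
SAMPLE_ANCHOR_FILE = (
    ".\t172800\tIN\tDNSKEY\t257 3 8 AQIDBA== "
    ";{id = 2063 (ksk), size = 32b} ;;state=2 ;;count=0\n"
)


def parse_trust_anchors(dig_output: str) -> dict:
    """Return {zone: [key tags]} from every trustanchor.unbound TXT answer."""
    anchors = {}
    for txt in TXT_RE.findall(dig_output):
        parts = txt.split()
        if parts:
            anchors[parts[0]] = [int(tag) for tag in parts[1:]]
    return anchors


def root_ksk_status(dig_output: str) -> str:
    """Classify the resolver for the root KSK rollover."""
    tags = parse_trust_anchors(dig_output).get(".", [])
    if NEW_ROOT_KSK_TAG in tags:
        return "ready"    # new KSK present; validation keeps working after rollover
    if tags:
        return "stale"    # only older key tags; validation will fail after rollover
    return "unknown"      # no root anchor reported (query failed or anchors not loaded)


def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """Key tag of a DNSKEY record, RFC 4034 Appendix B (all algorithms except 1).

    The RDATA is flags (2 bytes), protocol (1), algorithm (1), then the raw key;
    the tag is the 16-bit ones-complement-style sum over the RDATA as 16-bit words."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_tags_from_anchor_file(text: str) -> list:
    """Key tags of every DNSKEY line in a trust anchor file (trailing ';' comments ignored)."""
    tags = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" in fields:
            i = fields.index("DNSKEY")
            flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
            tags.append(dnskey_key_tag(flags, proto, alg, "".join(fields[i + 4:])))
    return tags


def live_status() -> str:
    """Run the dig query from the post against the local resolver and classify it."""
    result = subprocess.run(
        ["dig", "@localhost", "trustanchor.unbound", "-c", "CH", "-t", "TXT"],
        capture_output=True, text=True, check=False,
    )
    return root_ksk_status(result.stdout)


if __name__ == "__main__":
    print("sample (both keys):", root_ksk_status(SAMPLE_READY))
    print("sample (old key only):", root_ksk_status(SAMPLE_STALE))
    print("local resolver:", live_status())
```

Run it on the firewall itself: anything other than "ready" for the local resolver means unbound has not picked up key tag 20326 and DNSSEC validation would break at the rollover. The anchor file parser takes the same format as unbound's root.key, so the tags it reports can be compared directly with the TXT answer.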

ICANN also provides more information on how to check whether your resolver has the current keys.