ICANN Sets Plan To Reinforce Internet DNS Security

coondoggie shares a report: In a few months, the internet will be a more secure place. That's because the Internet Corporation for Assigned Names and Numbers (ICANN) has voted to go ahead with the first-ever changing of the cryptographic key that helps protect the internet's address book -- the Domain Name System (DNS). The ICANN Board at its meeting in Belgium this week, decided to proceed with its plans to change or "roll" the key for the DNS root on Oct. 11, 2018. It will mark the first time the key has been changed since it was first put in place in 2010. During its meeting ICANN spelled out the driving forces behind the need for improved DNS security that the rollover will bring. For example, the continued evolution of Internet technologies and facilities, and deployment of IoT devices and increased capacity of networks all over the world, coupled with the unfortunate lack of sufficient security in those devices and networks, attackers have increasing power to cripple Internet infrastructure, ICANN stated.

"Specifically, the growth in attack capacity risks outstripping the ability of the root server operator community to expand defensive capacity. While it remains necessary to continue to expand defensive capacity in the near-term, the long-term outlook for the traditional approach appears bleak," ICANN stated. The KSK rollover means generating a new cryptographic public and private key pair and distributing the new public component to parties who operate validating resolvers, according to ICANN. Such resolvers run software that converts typical addresses like networkworld.com into IP network addresses. Resolvers include: internet service providers, enterprise network administrators and other DNS resolver operators, DNS resolver software developers; system integrators, and hardware and software distributors who install or ship the root's "trust anchor," ICANN said.

As a side effect, centralizing a decentralized net

[Anonymous Coward]

And CAs are going to run this madhouse. Brilliant!

Re:

[Bengie]

You can choose to not validate. It's a fundamental issue that there have to be an authority of some sort if you want to validate against an authority.

Re:

[Anonymous Coward]

It's a key rollover event

https://www.icann.org/resources/pages/ksk-rollover [icann.org]

Re:

[Anonymous Coward]

ICANN used "roll" in their press release. https://www.icann.org/resources/press-material/release-2018-09-18-en

Feel free to check the source material before you try and correct the author.

Read the RFC (was Re:"rotate" the key)

[Anonymous Coward]

The professional response is: Right or wrong, RFC 5011, section 6.3 [ietf.org] uses the term 'roll'

Stopping to your level, the response is: read the RFCs before you write your next comment.

Roll over

[shayd2]

Play dead

Good dog

ICANN can go to hell

[damn_registrars]

They continue to do what is best for profit, not what is best for users. Sure, this is important but don't think it isn't being driven by profit. At least there is some user benefit to this though, as opposed to their catastrophically awful decision years back to start selling gTLDs.

Re:

[Pascoea]

I'm curious what your opposition to gTLDs are? Genuinely asking, not trying to be a smart-ass.

Re:

[damn_registrars]

My opposition to it is that when someone buys a gTLD they become their own registration authority for all domains in that domain and they set what kind of contact information is required for registrants in that range. This makes it the ultimate spammer's (or spamvertised domain owner's) harbor as it can completely remove liability and responsibility. The owner of the gTLD also has authority to hand out arbitrary numbers of domains at their own whim, again making it trivially easy for spammers to bounce ar

Re:

[thegarbz]

And we cannot filter our way out of this, either.

Block the gTLD. Seriously how often have you legimitely needed to access to a TLD. Nike own .nike, but frankly I don't even know how to access the damn thing.

Re:

[damn_registrars]

And we cannot filter our way out of this, either.

Block the gTLD.

You're just playing whac-a-mole then. The spammers can buy as many gTLDs as they want and essentially there are no restrictions on what they can be. Block one and another will come up. And how do you propose blocking it anyways? The emails will come from regular domains but they are spamming for domains in new gTLDs, using obfuscated domain names so you can't pick up on it easily. You can't detect a new gTLD in an email if it isn't in there and you probably don't want to block every email with a bit.l

Re:

[thegarbz]

No I didn't mean block a specific one. I meant block the gTLDs that are being generated or rather the reverse Whitelist the country TLDs. I legitimately believe if you do that nothing will break anywhere.

At least not yet. No doubt Google will screw this idea up so we need to get in before they start making things dependent on their TLD.

Re:

[damn_registrars]

No I didn't mean block a specific one. I meant block the gTLDs that are being generated or rather the reverse Whitelist the country TLDs. I legitimately believe if you do that nothing will break anywhere.

It won't break anything but I doubt it will accomplish what you're after. They will send the spam from a domain that isn't in the spamvertised gTLD (to reduce the chance of detection). Inside the spam will be a link that is obfuscated to look like a traditional .com link. Filtering by new gTLDs - or whitelisting to ignore all of them so you don't need to build a blacklist - won't get rid of those.

Re:

[thegarbz]

But if you can't eliminate them by whitelisting country TLDs then surely the resulting problem wasn't caused by TLDs in the first place ... Or am I not understanding your example?

Re:

[damn_registrars]

My complaint here - and I may have wandered a bit away from it - is that there is no avenue to follow to take action against spamming and spamvertised domains if they are registered under new gTLDs. The reason for this is that the owners of the top of the new gTLDs don't have any obligation to follow any kind of registration rules for domains in their gTLDs, they can freely take invalid or even empty registration information.

Now, of course we know that many times if you contact a registrar (or registra

Re:

[damn_registrars]

Looking at my reply again, I apologize if it looks like I was trying to come down hard on you, that was not my intention. The emphasis was largely due to the fact that slashdot discussions get closed after a certainly amount of time - and total reader attention (in terms of people reading the discussion) declines quickly as articles fall off the front page as well. I just wanted to make my point more clear since it seemed I had neglected to emphasize it earlier.

Re:

[thegarbz]

No probs. I didn't reply in general because I didn't have anything more to say on the topic.

You're absolutely right, this closes off a lot of legal avenues to get at spammers and whitelisting domains only solves the problems directly for the receiver of said spam.

Re:

[AmiMoJo]

GDPR limits what information a whois database can record about domain owners anyway. DNS records are not the right tool for this.

Re:

[damn_registrars]

The WHOIS database is supposed to have valid contact information (even if obfuscated) for a domain so that it can be contacted in cases of abuse. With the sale of gTLDs that all goes out the window, gTLD owners can put - or omit - whatever they want in that record. Now there is no way to contact a domain owner, and no way to start a paper trail showing that you attempted to contact them. It was hard enough to do anything against prolific spammers (and owners of prolifically spamvertised domains) but now

Re:

[damn_registrars]

I also wrote about this in a journal entry back in 2015 when they made the terrible decision to start selling gTLDs [slashdot.org] , though of course nobody cared then either. I'm pretty sure folks here on drugedot just called me a damned communist at the time, for getting in the way of profit or something. Now they just call me a damned communist anytime I say anything at all.

How to check you're ready for the KSK rollover:

[Anonymous Coward]

https://www.icann.org/dns-resolvers-checking-current-trust-anchors [icann.org]

The whole idea of the Certificate Authority sucks

[Seven Spirals]

One big lying corporate wingtip asshole company says that this other big lying corporate group of sons-of-bitches (and regular bitches) is to be trusted! Oh? Really? Guys, I gotta say, the whole premise of crypto-CAs is kinda stupid as long as the asshats corporations are all policing each other. Maybe *they* have some faith in that shit, but as an individual technologist (that hates corporations and corporate personhood) I have to say that the flaws in x509 crypto isn't crypto - it's the source of trust. D

Re:

[Seven Spirals]

How about a system that's based on individual trust of people? Ie.. If I trust two friends and both of them say that this non-profit 501c is at least trustworthy enough to believe their website, they cryto-sign something to that affect publically? This is similar to PGP/GPG's web-of-trust. Sure, there are still some logistics problems with that, but at least it puts the trust in people not companies.

Re:

[WindBourne]

Actually, I am pushing my CONgress critter to understand that we need VETTED Certificates/PPK. The only way to do that is to have brick/mortars that will vet an ID, and then either issue a certificate/private key, while serving up the public key, OR even take the public key/certificate from the vetted person . When you think about it, this does not belong in gov purview, NOR in individuals controls (that is, you vet a friend and your friend falsely vetted somebody else because they were not paying attentio

Re:

[Seven Spirals]

That rocks. Good idea, brother.

Domain Squatters

[muphin]

How about they focus on Domain Squatters, most of the domains arent usable because they are held for advertising or overpriced to make money off them.