ICANN: Get ready for DNSSEC changes to web security protocols
Ignore DNSSEC at your peril, warns ICANN
ICANN has warned that a major shake-up to the security protocols governing the way in which web addresses are handled could cause major problems for users if website owners and internet service providers don't prepare properly for the transition.
The shift to Domain Name System Security Extensions (DNSSEC) isn't expected to take place for at least another year, but the Internet Corporation for Assigned Names and Numbers (ICANN) claims that organisations need to be well prepared in advance to avoid any meltdown.
ICANN explained that the changes relate to the DNSSEC system used to ensure that, when people try to reach a specific website, the lookup cannot be hijacked to redirect them to a different, possibly malicious, website.
The keys used to protect this system are usually renewed every three months as part of the Zone Signing Key (ZSK) protocol that applies to the end of URLs, such as .com, .co.uk and so on.
As long as the firms providing access to the web have the right keys in their network, the system can ensure that people aiming to find a certain website are sent to the right place by checking it against this key.
This in turn is checked against the top-level Key Signing Key (KSK) that validates the ZSK. The KSK is rarely changed, but ICANN is now going to update it.
"You can't keep a cryptographic key forever. It's not good cyber hygiene. It's like a password. You should change it regularly," Matt Larson, vice president of research for the CTO office at ICANN, told Computing.
The change isn't happening overnight. 'Key holders' at ICANN will meet in October this year, and in February and October next year, to finalise the changes.
"We want a smooth and conservative process to change the key under controlled, normal circumstances, rather than finding it has been compromised, and having to rush it," said Larson.
Once the new keys have been generated, web operators, such as ISPs, will need to update their systems with the new key so that, when a user attempts to visit a website, the lookup can be validated against the new KSK.
ICANN hopes that, by constantly updating the web world on its progress, no one will be unaware of what needs to be done.
Companies that fail to update their systems with the new key will find that attempts to access their websites will fail.