ICANN housecleaning revokes old DNS security key

The Internet Corporation for Assigned Names and Numbers (ICANN) this week will finish the housecleaning left over from its first-ever change of the root zone's cryptographic key, successfully performed last October.

In October, ICANN rolled the root zone over to a new Key Signing Key, KSK-2017, but the process was not complete because the old key, KSK-2010, remained in the zone. On Jan. 10, ICANN will revoke the old key, the first step toward removing it from the root zone. The root KSK is the trust anchor for DNSSEC: validating resolvers use it to check the signatures that protect the Domain Name System (DNS), the internet's address book, against forged answers.

“The ICANN organization does not expect problems with the revocation,” wrote Paul Hoffman, principal technologist with ICANN, in a blog post about the revocation activity.

“However, this is the first time a KSK in the Domain Name System (DNS) root has been revoked, so the ICANN org and the DNS technical community will be watching carefully for at least 48 hours after the publication of the revoked KSK-2010.”

Hoffman wrote: “Before we remove KSK-2010 from the zone altogether, we want to mark that key as revoked for all the resolvers that follow the ‘Automated Updates of DNSSEC Trust Anchors’ standard (RFC 5011). By marking the old key as revoked, any system that uses RFC 5011 will see that KSK-2010 is no longer valid and will not trust that key in the future. The revocation mark will be visible until 22 March 2019, at which point KSK-2010 will be completely removed from the root zone forever.”

ICANN encourages vendors to no longer ship KSK-2010 in their products. Similarly, anyone who is maintaining their list of DNS root trust anchors by hand should remove KSK-2010 from their configurations, Hoffman wrote.
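The RFC 5011 mechanism Hoffman describes, and the difference between resolvers that follow it and operators who maintain trust anchors by hand, is easier to see in code. The following is an added example, not ICANN's or any resolver's code: a minimal RFC 5011 state machine walked through the publish, hold-down, revoke and remove steps of the root rollover. The two keys are constructed stand-ins for KSK-2010 and KSK-2017 (a handful of bytes, not real RSA keys), and signature verification is assumed to have been done by the caller, who passes in the set of key tags whose RRSIGs checked out. The flag bits, the key-tag algorithm and the hold-down rules are the RFCs' own.

```python
"""RFC 5011 trust-anchor maintenance, walked through with constructed keys.

Added example, not ICANN's or any resolver's code. The key material is made
up (far too short to be a real key); the flag bits, the RFC 4034 key-tag
algorithm and the state transitions follow the RFCs.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

FLAG_ZONE = 0x0100     # DNSKEY bit 7: key may sign zone data
FLAG_REVOKE = 0x0080   # DNSKEY bit 8: RFC 5011 REVOKE
FLAG_SEP = 0x0001      # DNSKEY bit 15: Secure Entry Point, i.e. a KSK
HOLD_DOWN = 30 * 86400  # RFC 5011 add and remove hold-down timers (30 days)


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

    def key_tag(self) -> int:
        """RFC 4034 Appendix B. Flags are part of the RDATA, so setting REVOKE
        changes the tag: KSK-2010 was 19036, its revoked form 19164."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b << 8 if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def unrevoked(self) -> DNSKEY:
        """Same key with REVOKE cleared: the form matched against stored anchors."""
        return DNSKEY(self.flags & ~FLAG_REVOKE, self.protocol, self.algorithm, self.pubkey)


class TrustAnchorStore:
    """Minimal RFC 5011 state machine: AddPend -> Valid -> Revoked -> Removed.
    `signed_by` is the set of key tags whose RRSIGs over the DNSKEY RRset the
    caller has already verified (crypto is stubbed out in this example)."""

    def __init__(self, initial: list[DNSKEY]):
        self.state = {k.key_tag(): ("valid", 0.0) for k in initial}

    def trusted_tags(self) -> list[int]:
        return sorted(t for t, (s, _) in self.state.items() if s == "valid")

    def process(self, rrset: list[DNSKEY], signed_by: set[int], now: float) -> None:
        # An RRset not signed by a currently trusted anchor may change nothing.
        if not set(self.trusted_tags()) & signed_by:
            return
        seen = set()
        for key in rrset:
            if not key.flags & FLAG_SEP:
                continue
            tag = key.unrevoked().key_tag()
            seen.add(tag)
            state, since = self.state.get(tag, (None, now))
            if key.flags & FLAG_REVOKE:
                # RFC 5011 2.1: revocation counts only if the revoked key itself
                # signed the RRset; that RRSIG carries the *revoked* key tag.
                if state == "valid" and key.key_tag() in signed_by:
                    self.state[tag] = ("revoked", now)
            elif state is None:
                self.state[tag] = ("addpend", now)           # Start -> AddPend
            elif state == "addpend" and now - since >= HOLD_DOWN:
                self.state[tag] = ("valid", now)             # AddPend -> Valid
        for tag, (state, since) in list(self.state.items()):
            if state == "addpend" and tag not in seen:
                del self.state[tag]                          # AddPend -> Start
            elif state == "revoked" and now - since >= HOLD_DOWN:
                self.state[tag] = ("removed", now)           # Revoked -> Removed


def root_rollover_scenario() -> dict:
    """Replay the root KSK sequence with constructed stand-in keys."""
    ksk_old = DNSKEY(FLAG_ZONE | FLAG_SEP, 3, 8, bytes([1, 2, 3, 4]))      # stand-in for KSK-2010
    ksk_new = DNSKEY(FLAG_ZONE | FLAG_SEP, 3, 8, bytes([10, 11, 12, 13]))  # stand-in for KSK-2017
    revoked_old = DNSKEY(ksk_old.flags | FLAG_REVOKE, 3, 8, ksk_old.pubkey)
    store, t, out = TrustAnchorStore([ksk_old]), 0.0, {}
    out["old_tag"], out["new_tag"] = ksk_old.key_tag(), ksk_new.key_tag()
    out["revoked_old_tag"] = revoked_old.key_tag()
    # 1. New KSK pre-published, RRset signed by the old key only: new key is AddPend.
    store.process([ksk_old, ksk_new], {ksk_old.key_tag()}, t)
    out["trusted_after_publish"] = store.trusted_tags()
    # 2. Add hold-down elapses: both keys are now trust anchors.
    t += HOLD_DOWN
    store.process([ksk_old, ksk_new], {ksk_old.key_tag()}, t)
    out["trusted_after_hold_down"] = store.trusted_tags()
    # 3. REVOKE set on the old key but the RRset is signed only by the new key:
    #    not a valid revocation, so the old key stays trusted.
    t += 90 * 86400
    store.process([revoked_old, ksk_new], {ksk_new.key_tag()}, t)
    out["trusted_after_unsigned_revoke"] = store.trusted_tags()
    # 4. Self-signed revocation, as in the January root zone: old key dropped.
    store.process([revoked_old, ksk_new], {ksk_new.key_tag(), revoked_old.key_tag()}, t)
    out["trusted_after_revoke"] = store.trusted_tags()
    # 5. Remove hold-down elapses and the key leaves the zone: Removed for good.
    t += HOLD_DOWN
    store.process([ksk_new], {ksk_new.key_tag()}, t)
    out["old_final_state"] = store.state[ksk_old.key_tag()][0]
    return out


if __name__ == "__main__":
    for k, v in root_rollover_scenario().items():
        print(f"{k}: {v}")
```

Two points worth noticing. A resolver that only follows RFC 5011 gets the removal for free, which is why the revocation marker has to sit in the zone for a while before the key disappears; an operator with a hand-maintained anchor file sees none of these transitions and has to delete the KSK-2010 entry themselves, as Hoffman says. And because the flags field is part of the key-tag computation, the revoked key shows up under a new tag: during the revocation window, `dig . DNSKEY +dnssec +multi` lists the old key with flags 385 (ZONE, REVOKE, SEP) rather than 257, alongside an RRSIG made with that revoked key, which is exactly the self-signature the state machine above requires.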