DNSSEC Signing Potentially Interrupted by Coronavirus

The internet is underpinned by DNS, which converts textual names like www.infoq.com to IP addresses that computers use for routing. Because it is served over unencrypted and unverified communications, DNS is an easy target for network infiltrators who want to silently redirect traffic to other hosts. To combat this, DNSSEC was specified in RFCs 4033, 4034, and 4035.

DNSSEC still serves DNS over unencrypted communications, but adds a level of security by signing the content of the DNS zone, so that modifications can be detected. When a DNS zone is transferred between name servers, its signature can be checked to verify that the domain zone hasn't been compromised.

These signatures have a root of trust, as HTTPS sites do; for DNSSEC, that root of trust is managed by ICANN. Like the roots built into browsers, these are self-signed roots that underpin the signing keys used by the root name servers, which in turn provide signatures for the zones that they delegate.
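The link between a parent zone and a delegated zone's key can be checked as follows. This is an added example, not code from the article or from ICANN: the function names are hypothetical, the key bytes are constructed sample data, and only the SHA-256 digest type from RFC 4509 is handled.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # the root label terminates every name

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> dict:
    """DS record the parent would publish: SHA-256 over owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": digest}

def ds_matches(owner: str, rdata: bytes, ds: dict) -> bool:
    """True only if the child's DNSKEY is the one the parent vouched for."""
    if ds["digest_type"] != 2:
        return False  # other digest types are out of scope for this example
    mine = make_ds(owner, rdata)
    return (mine["key_tag"] == ds["key_tag"]
            and mine["algorithm"] == ds["algorithm"]
            and hmac.compare_digest(mine["digest"], ds["digest"].lower()))

# Constructed sample data: a key-signing key (flags 257) with made-up key bytes.
GENUINE_KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))
SUBSTITUTED_KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
PARENT_DS = make_ds("example.", GENUINE_KSK)

if __name__ == "__main__":
    print("genuine key accepted:", ds_matches("example.", GENUINE_KSK, PARENT_DS))
    print("substituted key accepted:", ds_matches("example.", SUBSTITUTED_KSK, PARENT_DS))
```

A validator repeats this check at each delegation up to the root, whose own key has no parent and is instead configured as the trust anchor.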

As with all good cryptographic procedures, these root-level keys are regularly rotated, similar to the way that Let's Encrypt has popularised the use of auto-renewing HTTPS certificates. Since these keys are critical to the infrastructure of the internet, regenerating them involves a ceremony with multiple people and key material held in locked safes, which is live-streamed to ensure that there aren't any compromises of data. These ceremonies happen every three months and thus require regular meetings at the key signing sites with people from different countries to ensure that DNSSEC continues to operate.

Unfortunately, travel in modern society has been heavily curtailed due to Coronavirus, and many countries, including the United States of America, have closed their borders to non-citizens. This means that the next signing process, due before the end of June, will almost certainly not be able to happen. Although the keys generated at the last meeting in February are valid through to the end of June, keeping DNSSEC operating after June will require a change to the normal procedures.

The current plan is to use Californian ICANN staff and to break into the security boxes holding the key material in order to allow DNSSEC to continue, as described on the APNIC blog:

Several options are on the table and input is being sought. The least desirable but, simultaneously, the most likely given the current situation, will be a ceremony using the part of the disaster recovery process where only California-based ICANN staff, and possibly a locksmith, go into the facility in Los Angeles and force their way into the security deposit boxes containing the necessary credentials (no safe drilling this time, as the set of ICANN staff that can forcibly open the safes are presumed to be on site) and perform the signing while everyone else watches attentively.

This is a variation to the standard practices, but in these ever-changing times, different processes may be required. If the event is live-streamed, then it may be acceptable to use this as a change to the standard procedure until such time as travel restrictions have lifted and the necessary quorum may be able to take place. Although the disaster preparation has been part of the standard practice, the idea that the United States of America would close its borders and prevent travel was not something that had been considered likely.

As we move closer to the end of June, it is likely that an agreement will be reached to allow DNSSEC to continue securely. InfoQ will follow up and cover the outcome of this change when it happens.