After October 11, users may experience slower Internet performance, and some sites will be unavailable. The reason is the first-ever update of the security settings of the global domain name system. Not everyone is ready for it.
At the end of August, the Internet Corporation for Assigned Names and Numbers (ICANN) said it was “preparing for the first-ever change of the cryptographic keys that protect the Internet's domain name system” (DNS). The transition to the new key (Key Signing Key, KSK) is to take place on October 11. However, the organization warned that “a small percentage of Internet users will experience difficulties when resolving domain names” (that is, when converting a resource name into the numerical IP address that computers use to connect to each other, for example rbc.ru into 126.96.36.199). Because of these difficulties some users will, for example, be unable to reach the website typed into the browser's address bar.
Despite the report published by ICANN, October 11 is a tentative date for the transition to the new keys, Alexandra Kulikova, ICANN's head of global stakeholder engagement for Eastern Europe and Central Asia, told RBC. The exact date of the transition will be approved at a meeting of the corporation's Board, to be held next week, on September 12.
What are the keys and why change them?
Cryptographic keys appeared in 2010 on the initiative of ICANN. They are used in the DNS Security Extensions (DNSSEC). Originally DNS servers did not authenticate their responses, which attackers exploited: they could intercept a request from a user's computer that was trying to determine the IP address of its “destination” and substitute an incorrect one. The user could thus, without knowing it, connect to a scammers' server. To prevent this, the DNSSEC extension was released in 2010, and large Internet providers agreed to install it.
According to Andrey Vorobyov, director of the Coordination Center for the .RU/.РФ domains, DNSSEC ensures the security and integrity of the Internet addressing system. “When a user tries to reach some resource, the Internet service provider tells him the address to which a request must be sent for the website or application to open, for e-mail to go out, and so on. DNSSEC maintains a global, distributed, automated notary service, which confirms to the operator that the address it has found for its client is genuine,” Vorobyov explained.
In 2010, ICANN committed to changing the cryptographic keys “when needed or after five years of operation,” Kulikova said. “Although the key has never been compromised in that time, replacing keys, like passwords, is good cryptographic ‘hygiene’, so a detailed plan was developed for preparing and carrying out the key change under normal conditions. Updating the KSK means creating a new cryptographic key pair, public and private, and distributing the new public component among the parties that operate validating resolvers. These are, for example, Internet service providers, network administrators, developers of DNS resolver software, system integrators, and so on,” Kulikova said.
Why are the keys being changed for the first time?
Although the five-year period for changing the key expired in mid-2015, the current KSK change will be the first in ICANN's history. The organization first announced the need to carry out the procedure in 2016. The following year the public part of the key was released, and the transition from the old key to the new one was scheduled for October 11, 2017. But the event had to be postponed because Internet service providers were not sufficiently ready, Kulikova said. “We knew from the beginning that there would not be one hundred percent readiness for the KSK change, but the data obtained by the summer of 2017 showed that more Internet service providers and network operators were unprepared than expected,” she said. According to the ICANN representative, the corporation has never faced a risk of key compromise, so it was decided to delay the replacement for another year to carry out the necessary work with operators.
How many users will run into problems?
According to Alexandra Kulikova, in 2017 about a quarter of Internet users, about 750 million people, had Internet access that depended in one way or another on operators using the DNSSEC extension. These users could potentially encounter problems. However, according to Kulikova, all the major players most likely made the necessary updates long ago and will be able to move to the new KSK. Changing the cryptographic key is not a one-off procedure; it has in fact been under way for the last two years, said Andrey Vorobyov. According to him, the procedure is almost automatic and “most operators in the world already have all the necessary settings in their network equipment, which will allow the move to the new key to be painless and completely transparent to users and owners of Internet resources”. “We believe that, thanks to a better understanding of the technical side of the KSK change scheduled for October 11, 2018, and to new efforts to alert those members of the Internet community who depend on correctly configured systems for validating DNS queries, only a small number of Internet users may face difficulties accessing Internet resources because of the key replacement,” said Kulikova.
As Vladimir Ivanov (former deputy head of the operations department at Yandex and former head of the IT department of the online store Lamoda) explained to RBC, small Internet providers could have turned on DNSSEC validation many years ago without noticing that the keys now had to be changed. “If you’re out of luck, basic functions such as time synchronization can break. In that case a lot ‘breaks’, but all of it is invisible to people. For them, ‘the Internet just won’t work’,” Ivanov explains. It follows from ICANN's materials that even if most Internet providers have updated the keys, those who have not may cause a temporary drop in connection bandwidth, and with it in Internet speed.
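Added example (not part of the original article and not ICANN's or any vendor's tooling): the check an operator of a validating resolver would run against its root trust-anchor file for the failure mode described above, where validation was switched on years ago and the key never updated. The key tags 19036 (2010 key) and 20326 (its replacement) are the published root KSK tags; the function names, the accepted file layout and the sample records are assumptions made for this example.

```python
import base64

# Published key tags of the root zone KSKs: the 2010 key and its replacement.
KSK_2010, KSK_2017 = 19036, 20326

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def anchor_tags(text):
    """Collect key tags of root trust anchors from DS and DNSKEY lines."""
    tags = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comments
        for rtype in ("DS", "DNSKEY"):
            if rtype in fields and fields[0] == ".":
                rdata = fields[fields.index(rtype) + 1:]
                break
        else:
            continue                             # not a root DS/DNSKEY line
        if len(rdata) < 4:
            continue
        if rtype == "DS":
            tags.add(int(rdata[0]))              # DS carries the tag directly
        elif int(rdata[0]) & 0x0001:             # DNSKEY: SEP bit marks a KSK
            tags.add(key_tag(int(rdata[0]), int(rdata[1]), int(rdata[2]),
                             "".join(rdata[3:])))
    return tags

def rollover_status(text):
    """'ready' if the new KSK is trusted, 'stale' if only the 2010 key is."""
    tags = anchor_tags(text)
    if KSK_2017 in tags:
        return "ready"
    return "stale" if KSK_2010 in tags else "no-root-anchor"

# Constructed samples: the digest fields are placeholders, not real digests.
STALE = ". 172800 IN DS 19036 8 2 " + "AB" * 32
READY = STALE + "\n. 172800 IN DS 20326 8 2 " + "CD" * 32 + " ; new KSK"

if __name__ == "__main__":
    for name, sample in (("stale", STALE), ("ready", READY)):
        print(name, sorted(anchor_tags(sample)), rollover_status(sample))
```

A resolver reported as "stale" validates against the old key only, so its DNSSEC validation fails once the root zone is signed with the new one.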
According to Dmitry Burkov, one of ICANN's cryptographic officers, who are chosen from the global Internet community and act as external advisors and auditors, the change of the KSK is planned to last four years. “It is unlikely that the key change will take place without errors, since a proportion of DNS software is unable to recognize the new keys because it is obsolete. For the same reason 0.04% of the servers that pass on users' queries may not respond to the key,” said Burkov. He also said that a different design of the protection system would be more convenient, with keys generated regularly, and that the existing solution was chosen under pressure from a certain part of the corporation's Board. “An error in changing the keys would reflect not so much on users as on ICANN's reputation,” Burkov concluded.
Are Russian Internet providers ready?
“There are procedures by which the key information for the domains we administer is replaced in a timely manner; we follow those procedures, and everything should happen quickly for all users. In fact, it is only a matter of our installing updates to the appropriate software,” said Mikhail Yakushev, executive vice president for relations with executive authorities at VimpelCom (in 2014-2017 he was ICANN's vice president for Russia, the CIS and Eastern Europe).
MTS is also ready for the key replacement. Questions about difficulties during and after the operation should, according to the company's representative, be addressed to ICANN. A Rostelecom representative likewise does not expect problems on its network. MegaFon's press service said that “the changes will not affect the functioning of the company's services.” Other major Internet service providers either did not answer RBC's questions or could not be reached.
How the Internet works
Every device connected to the Internet (servers, web services, user devices, etc.) uses an IP address at which it can be found. The lookup is performed using the Domain Name System (DNS), a distributed computer system for obtaining information about domains. A numeric IP address is hard to read, so it is mapped to a domain name. Thanks to DNS, we can type a specific address (rbc.ru) into the browser. The system translates it into an IP address for the computer, and the response arrives in the form of the web page the user requested.
DNS is maintained by a hierarchy of DNS servers that communicate using a defined protocol and operate on the principle of “your tongue will get you to Kiev”. There are two types of servers: authoritative (responsible for a zone) and recursive (which carry out, on the client's behalf, a full search for the required information across the DNS, querying other DNS servers as needed). The authoritative servers include the root servers, those that hold information about the root zone, that is, are able to answer who knows about “ru”. The servers for the “ru” zone can answer which servers know about, for example, the “rbc.ru” zone. The servers for the “rbc.ru” zone can say that rbc.ru has such-and-such an IP address.