Michael Tremer

DNSSEC key rollover imminent
by Michael Tremer, September 9

ICANN will roll over the DNSSEC key signing key (KSK) of the DNS root zone. All resolvers need to be updated before October 11, 2018: a resolver that still trusts only the old key will not be able to resolve any DNS names after that date.

What do I need to do?

We have known about this key rollover for a long time and placed an automatic job that keeps the key up to date. But just to be sure, we are sending you this announcement.

IPFire needs to be on Core Update 106 or newer, which introduced unbound, our new DNS proxy. No manual action is required.

What does this mean?

DNSSEC is used to verify DNS responses from any name server. With those signatures, anyone can trust that the DNS reply they received was not forged and really points to the web server of your bank, not to somebody else's.

Those signatures are generated from keys that are organised in a hierarchy, starting from the DNS root zone (".") down to, for example, www.ipfire.org. Since nobody can hold all keys for all possible domains, each zone's keys are referenced and signed one level up in the hierarchy. But at the highest level there is no higher authority available any more. Therefore, every system that is using DNSSEC has a copy of the root key stored as its trust anchor. Now, this key is being changed.

To repeat the most important part: DNS resolution won't be possible if recent updates have not been installed.

For the nerds

If you want to check if your system has already imported the new key, you can run the following command:

[root@ipfire ~]# dig @localhost trustanchor.unbound -c CH -t TXT

The output should show two keys, with IDs 19036 and 20326.
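If you want to run that check from a script (for example across several IPFire boxes), the following is an added example that is not part of the original post or of unbound/IPFire: it parses the text that dig prints and reports whether the new root KSK (key tag 20326) is present. The sample dig output embedded below is constructed, and the exact layout of unbound's trustanchor.unbound TXT string is an assumption, so the parser only relies on finding "<zone> <algorithm> <keytag> ..." pairs inside each TXT record.

```python
import re

# Constructed sample of what `dig @localhost trustanchor.unbound -c CH -t TXT`
# might print on a resolver that knows both root KSKs. The TXT layout
# (zone followed by algorithm/keytag pairs) is assumed, not taken from unbound.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.11.4 <<>> @localhost trustanchor.unbound -c CH -t TXT
;; ANSWER SECTION:
trustanchor.unbound.    0    CH    TXT    ". 8 19036 8 20326"
"""

OLD_ROOT_KSK = 19036   # KSK-2010, the key being retired
NEW_ROOT_KSK = 20326   # KSK-2017, the key needed after the rollover

# Pull the quoted string out of a dig answer line of class CH / type TXT.
TXT_RE = re.compile(r'\bTXT\s+"([^"]*)"')


def parse_trust_anchors(dig_output):
    """Return {zone: set of key tags} found in dig's TXT answer lines.

    Works whether unbound lists all keys of a zone in one TXT record or
    one key per record, because tags for the same zone are merged.
    """
    anchors = {}
    for line in dig_output.splitlines():
        if line.startswith(";"):          # dig comment / header lines
            continue
        match = TXT_RE.search(line)
        if not match:
            continue
        fields = match.group(1).split()
        if not fields:
            continue
        zone, numbers = fields[0], fields[1:]
        tags = anchors.setdefault(zone, set())
        # Numbers are expected as (algorithm, keytag) pairs; keep the keytag.
        for i in range(0, len(numbers) - 1, 2):
            try:
                tags.add(int(numbers[i + 1]))
            except ValueError:
                continue
    return anchors


def root_ksk_status(anchors):
    """Classify the root trust anchors for the rollover.

    'ready'          -> new KSK 20326 is present, resolution keeps working
    'old-key-only'   -> only 19036 known, resolution breaks after the rollover
    'no-root-anchor' -> no trust anchor for "." at all
    """
    tags = anchors.get(".", set())
    if NEW_ROOT_KSK in tags:
        return "ready"
    if OLD_ROOT_KSK in tags:
        return "old-key-only"
    return "no-root-anchor"


if __name__ == "__main__":
    # In practice feed the real output of the dig command from the post,
    # e.g. via subprocess; here the constructed sample is used.
    anchors = parse_trust_anchors(SAMPLE_DIG_OUTPUT)
    print(anchors, root_ksk_status(anchors))
```

A resolver reporting "old-key-only" is exactly the case the post warns about: it will keep working until the rollover and then fail to validate anything, so that is the state to alert on.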

ICANN also provides more information about checking whether you have recent keys.
