Default Banner

The internet secret keys

The internet secret keys

Recently, a large portion of the internet went down because of hackers who managed to send uncontrollable traffic to Dyn servers. Although hackers remained unable to take control one of the major DNS service providers, they successfully managed to take a portion of the internet offline for a few hours. Consequently, this brought down websites such as Amazon, Twitter, Business Insider, SoundCloud, Github, Spotify, amongst others.

Dyn is a major provider of something called a Domain Name System (DNS), which translates web addresses such as into a numerical IP addresses that computers use to identify web pages. Although hackers never gained full control of their network, they managed to successfully take it offline for just a few hours via a distributed denial of service attack and this shows how much the internet relies on DNS.

This attack on DNS has basically shaken the entire system. More responsibility has fallen on the Crypto officers who are few of the people in the world who hold protected keys to control the entire internet. These fourteen highest level security officers have a command over those seven protected keys, and few days ago, they conducted a historic ritual known as the Root signing ceremony. This ceremony is largely procedural and was initiated in 2010 by the Internet Corporation for Assigned Names and Numbers, or ICANN. ICANN is a non-profit public-benefit corporation with participants from all over the world which is dedicated to keeping the Internet secure and stable. Its main role is that to assign numerical IP addresses to websites and computers.  Towards the end of October, ICANN started the process of a new root zone key signing key (KSK). KSK is a cryptographic public-private key pair that plays an important role in the Domain Name System Security Extensions (DNSSEC) protocol. The public portion of the key pair serves as the trusted starting point for DNSSEC validation, similar to how the root zone serves are the starting point for DNS resolution. The private portion of the KSK is used during the Root KSK ceremonies to sign the Zone Signing Keys used by Verisign on the DNSSEC-sign root zone. This task is entrusted to seven people which are chosen to hold the keys, and seven further people to hold the backup keys. The smart card which is required to generate the master key is itself held in an incredibly protected environment due to its sensitivity. The keys used to protect this system are usually renewed every three months as part of the Zone Signing Key (ZSK) protocol that applies to the end of URLs, such as .com, and so on.

This process was needed so that the security protocols that govern the way web addresses are handled on the internet are changed. ICANN explained that the changes relate to the DNSSEC security system are to ensure that when people try to reach a specific website, the system cannot be hijacked to redirect to a different, possibly malicious, website. This new cryptographic public/private key pair was done during the Root KSK Ceremony at the secure key management facility in Culpeper, Virginia. With this key generation, the initial operational phase of the first-ever root KSK rollover, the process of changing the "master key" of the Domain Name System (DNS), has begun.

Since this is the first time the root's KSK key pair was changed, a coordinated effort is required across many in the Internet community to successfully ensure that all relevant parties have the new public portion of the KSK and are aware of the key roll event. ICANN will be discussing the KSK rollover at various technical fora and will also be using the hashtag #KeyRoll to aggregate content, provide updates, and address inquiries on social media with the aim to minimise impact as much as possible.

If the KSK rollover is smoothly completed, there will be no visible change for the end user. But as with pretty much any change on the Internet, there is a small chance that some software or systems will not be able to gracefully handle the changes. If complications become widespread, the Root Zone Management Partners may decide that the key roll needs to be reversed so the system can be brought back to a stable state.

Jonathan Mizzi is Manager of the Deloitte Digital Data Center. For more information, please visit