The issue is quite technical and has to do with ICANN scheduling the rotation of the cryptographic keys that help protect DNS. Twenty-four hours later, the technicians say everything went smoothly, though plenty of people had warned of the possibility of failure.
The cryptographic key rotation happened yesterday for the first time, using a new KSK (key signing key) that was published in July 2017 and must be applied by anyone who operates recursive name servers and uses DNSSEC validation. Everything was prepared by ICANN, the organization that manages the internet infrastructure, which released a guide explaining the process in detail, in coordination with the various organizations that manage the DNS of each country.
The operation was initially scheduled for October 11, 2017, but was postponed because a significant number of resolvers used by internet service providers (ISPs) and network operators were not yet ready for the new key. The change was therefore set for October 11, 2018, at 4:00 PM UTC (Universal Time), and more than 24 hours later everything indicates that the operation went smoothly.
But what is this cryptographic key rotation about? DNS.pt explained to SAPO TEK that "what is at stake here is the replacement of the key that currently signs the world root, also known as KSK 19036, by KSK 20326. This key usually has no visibility for the average user, despite being present every day in the use of the Internet". The first signature with cryptographic keys in the root of the Domain Name System (DNS) was made in 2010, and this is the first rotation applied, although the process is now expected to become more regular, every 5 years.
"This change is just another normal change in Internet infrastructure and, as mentioned above, it is not expected to have an impact on users," explains Eduardo Duarte, Director of Infrastructures and Systems of the DNS.PT Association.
DNS.PT has been following this process and has already rotated the DNSSEC keys for .PT. In addition to the key rotation, the infrastructure supporting the DNSSEC system was also renewed and now has greater resilience and security, the association explains.
Operators and registrars have also been informed, and Eduardo Duarte explains that those who manage domain names signed with DNSSEC will not have to do anything about this change. "They should simply continue to use their signed domain; on the other hand, it is network operators (e.g. ISPs) and other operators of recursive DNS servers that will have to have their systems prepared for the change," he says. This preparation can be done in several ways, but typically it happens by updating the recursive server software.
"Given the latest available data, it is not expected that the transition will have an impact on them or on users," he said.
Also on the ICANN side, everything points to a climate of "tranquility". In the first 24 hours only a few errors were recorded that were "quickly corrected". The status of the implementation can be tracked on this page.