Did you know that the internet as we know it is secured using 7 physical keys? Many people are unaware of this, yet use the internet every day without knowing how it is secured.
In this short guide, we’ll reveal details about these seven keys, why they are so important, and what would happen if the keys should be lost.
What is the DNS and why is it critical?
The DNS (Domain Name System) is like the phonebook of the internet. It turns domain names like “google.com” into IP addresses so that browsers can load information from such websites and make it available to the internet user.
Every device on the internet has an IP address that other devices use to locate it, and with billions of devices it is impossible to remember the IP address of each one. This is where DNS servers come in.
They help us to “remember” or keep a record of the addresses so that we don’t have to. Instead, we can just type in normal words such as “google.com” and it’ll link us to the information we seek on the internet by finding the right IP address for it.
However, DNS itself is not safe, and there is the risk of fake DNS data, also referred to as DNS poisoning or spoofing. This redirects internet users to malicious websites disguised as legitimate ones. It is even worse when the fake answer is cached, because every later visit is redirected as well.
The result is that the attacker — usually referred to as a hacker — can steal sensitive information like passwords or financial data from the unsuspecting internet user. The attacker may even infect their devices with viruses, causing them to malfunction.
Fortunately, there is a way around this, known as Domain Name System Security Extensions (DNSSEC).
Very early in the 1990s, engineers in the Internet Engineering Task Force (IETF) — the organization responsible for DNS protocol standards — realized how vulnerable DNS was, and came up with DNSSEC to secure it.
How DNSSEC signing works
DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records through a signing process. In other words, it is not the DNS queries and responses themselves that are cryptographically signed, but the DNS data itself, signed by the owner of that data.
The DNSSEC signing of the DNS root is done by 7 real key holders, who attend quarterly, high-security ceremonies to cryptographically sign it.
Four times a year, the Internet Corporation for Assigned Names and Numbers (ICANN) brings together these key holders from around the world to conduct the “key signing ceremony.”
They come together in a highly secure environment for the ceremony, where the root zone key signing key (KSK) can be used to sign zone keys to protect the DNS root zone.
In the process, a little more than three months’ worth of cryptographic signatures are also generated and used to sign the root zone whenever necessary. This is a critical operational event that is essential to Domain Name System (DNS) security.
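To make the signing process above concrete (the KSK signing the zone keys, the zone key signing the data, and signatures that carry a validity window), here is a small added example in Go. It is not code from the original article or from ICANN; it is a simplified model with a constructed record, constructed timestamps and a made-up text encoding of the records, using Ed25519 (a real DNSSEC algorithm) from Go's standard library. The resolver side trusts only the root KSK, and the demo shows the spoofing scenario from earlier in the article: a swapped record fails validation, as does a record whose signature window has closed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// RRSet is a simplified DNS record set (owner name, type, record data).
// Constructed for this example; it is not DNS wire format.
type RRSet struct {
	Name, Type string
	Data       []string
}

// RRSIG carries the parts of a real RRSIG that matter here: which key signed,
// the validity window, and the signature bytes.
type RRSIG struct {
	KeyTag                string
	Inception, Expiration time.Time
	Signature             []byte
}

// Key models a DNSKEY as an Ed25519 key pair.
type Key struct {
	Tag  string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewKey(tag string) *Key {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not recoverable here
	}
	return &Key{Tag: tag, Pub: pub, priv: priv}
}

// canonical is the byte string that actually gets signed: the RRset in sorted
// form plus the signer tag and validity window, so none can change unnoticed.
func canonical(rr RRSet, tag string, inc, exp time.Time) []byte {
	data := append([]string(nil), rr.Data...)
	sort.Strings(data)
	return []byte(strings.Join([]string{rr.Name, rr.Type, strings.Join(data, ";"),
		tag, inc.UTC().Format(time.RFC3339), exp.UTC().Format(time.RFC3339)}, "|"))
}

// Sign produces an RRSIG over rr that is valid from inc to exp.
func (k *Key) Sign(rr RRSet, inc, exp time.Time) RRSIG {
	return RRSIG{KeyTag: k.Tag, Inception: inc, Expiration: exp,
		Signature: ed25519.Sign(k.priv, canonical(rr, k.Tag, inc, exp))}
}

// Verify checks the validity window first, then the signature itself.
func Verify(pub ed25519.PublicKey, rr RRSet, sig RRSIG, now time.Time) error {
	if now.Before(sig.Inception) || now.After(sig.Expiration) {
		return errors.New("RRSIG outside its validity window")
	}
	if !ed25519.Verify(pub, canonical(rr, sig.KeyTag, sig.Inception, sig.Expiration), sig.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// SignedZone is what a validating resolver receives: the DNSKEY RRset (KSK and
// ZSK public keys) signed by the KSK, and a data RRset signed by the ZSK.
type SignedZone struct {
	KSKPub, ZSKPub ed25519.PublicKey
	KeysSig        RRSIG // over the DNSKEY RRset, made with the KSK
	Records        RRSet
	RecordsSig     RRSIG // over Records, made with the ZSK
}

func dnskeyRRSet(ksk, zsk ed25519.PublicKey) RRSet {
	return RRSet{Name: ".", Type: "DNSKEY",
		Data: []string{"KSK " + hex.EncodeToString(ksk), "ZSK " + hex.EncodeToString(zsk)}}
}

// BuildZone is the signing side. The KSK signature over the key set is given a
// window of roughly one quarter, mirroring signatures produced to cover the
// months until the next ceremony; data signatures get a shorter window.
func BuildZone(ksk, zsk *Key, rr RRSet, now time.Time) SignedZone {
	return SignedZone{KSKPub: ksk.Pub, ZSKPub: zsk.Pub,
		KeysSig:    ksk.Sign(dnskeyRRSet(ksk.Pub, zsk.Pub), now, now.Add(90*24*time.Hour)),
		Records:    rr,
		RecordsSig: zsk.Sign(rr, now, now.Add(14*24*time.Hour))}
}

// Validate is the resolver side. It trusts only the root KSK (the trust
// anchor): the KSK validates the key set, and the ZSK then validates the data.
func Validate(anchor ed25519.PublicKey, z SignedZone, now time.Time) error {
	if !anchor.Equal(z.KSKPub) {
		return errors.New("zone KSK does not match the configured trust anchor")
	}
	if err := Verify(anchor, dnskeyRRSet(z.KSKPub, z.ZSKPub), z.KeysSig, now); err != nil {
		return fmt.Errorf("DNSKEY RRset: %w", err)
	}
	if err := Verify(z.ZSKPub, z.Records, z.RecordsSig, now); err != nil {
		return fmt.Errorf("%s %s: %w", z.Records.Name, z.Records.Type, err)
	}
	return nil
}

// Demo validates genuine data, a spoofed answer (record data swapped, as a
// poisoned cache would hold), and data seen after its signature window closed.
func Demo() (genuine, spoofed, expired error) {
	now := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC) // constructed timestamp
	ksk, zsk := NewKey("root-KSK"), NewKey("root-ZSK")
	rr := RRSet{Name: "example.", Type: "A", Data: []string{"192.0.2.10"}} // constructed record
	zone := BuildZone(ksk, zsk, rr, now)
	genuine = Validate(ksk.Pub, zone, now)
	forged := zone
	forged.Records = RRSet{Name: "example.", Type: "A", Data: []string{"198.51.100.7"}}
	spoofed = Validate(ksk.Pub, forged, now)
	expired = Validate(ksk.Pub, zone, now.Add(30*24*time.Hour))
	return
}

func main() {
	g, s, e := Demo()
	fmt.Println("genuine data:", g, "| spoofed data:", s, "| stale signature:", e)
}
```

Run it with `go run .`; the genuine record validates with a nil error, while the swapped record and the stale signature are both rejected. The point a practitioner should take from it is that the private KSK never touches ordinary lookups: resolvers hold only its public half as a trust anchor, and everything else is checked by following signatures down from it.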
What if the keys are lost?
If the keys are lost, stolen or compromised, there is always another set of seven scientists, engineers, and security experts with spare keys ready to replace the previous set.
This way, the loss or compromise of the keys cannot leave the internet unsecured, because there is always another set of key holders ready to step in.
It is worth noting, though, that the key holders don’t actually control the internet, so they cannot shut it down as some people believe.
Instead, they are responsible for maintaining the base security layer to ensure you and I can trust the internet when we use it for research, banking, or any other purpose.