1. Home
  2. Forums Index
  3. WebmasterWorld / Domain Names 10:17 am Apr 27, 2026

Forum Moderators: buckworks & webwork

Message Too Old, No Replies

ICANN To Change Cryptographic Key Pairs For The First Time

         

engine

4:32 pm on Sep 20, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



ICANN was explaining about good security practice of changing cryptographic keys to help protect against redirected traffic, and then went on to say that it has never yet changed the key, so this is a step forward. It says it want to do this when everything is "normal" and there is no kind of "emergency." The cryptographic key switch-over will take around two years to complete.


The key pair at the top of this chain, or the Root Zone Signing Key, is what ICANN is changing for the first time.

“If you had this key, and were able to, for example, generate your own version of the root zone, you would be in the position to redirect a tremendous amount of traffic,” Larson said.

“We want to roll the key because it's good cryptographic hygiene,” he added. ICANN To Change Cryptographic Key Pairs For The First Time [motherboard.vice.com]

keyplyr

7:06 pm on Sep 20, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It seems like this announcement should be made *after* the changes were made, not prior since it will take two years to complete.

bill

9:10 am on Sep 23, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



They need to let everyone know the keys are changing well in advance so that software and hardware vendors can prepare for the switch.

keyplyr

9:37 am on Sep 23, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I understand, but with this announcement aren't they in effect saying "you have a 2 year window to exploit this vulnerability and funnel traffic where you want."

bill

11:48 pm on Sep 23, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It's not a vulnerability. They're just practicing good crypto hygiene by cycling the keys. While they're doing that they're also increasing the key size. There's no real threat to their current 1024-bit key now, but they're increasing the size just to be safe. This is really just routine key maintenance. Kind of boring actually. The interesting aspect of the story is that these are the keys that the entire Internet rely on, and they haven't been cycled before.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. WebmasterWorld / Domain Names 10:17 am Apr 27, 2026