
Key Signing Key (KSK) Rollover Now Postponed

The Internet Corporation for Assigned Names and Numbers (ICANN) announced today that the planned change to the cryptographic key that helps protect the Domain Name System (DNS) has been postponed.

The key change involves generating a new cryptographic key pair and distributing the new public component to resolvers that perform validation using the Domain Name System Security Extensions (DNSSEC). Based on the estimated number of Internet users who currently use DNSSEC-validating resolvers, roughly a quarter of global Internet users, or 750 million people, would be affected by the KSK rollover.

The change, or "rollover", of the KSK had been scheduled for 11 October, but recently obtained data shows that a significant number of Internet service providers (ISPs) and network operators are not yet ready for the rollover, so it must be postponed. This new data comes from a recently added feature of the DNS protocol that allows resolvers to report to the root servers which keys they have configured.

There are many reasons operators have not yet installed the new key in their systems, for example: some operators' resolver software is not correctly configured; and a widely used resolver program was recently found to apparently not update the key automatically as planned, for reasons still under review.
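The readiness problem described above comes down to one question an operator can answer locally: does the resolver's trust-anchor configuration contain the KSK that the zone is about to sign with? The script below is an added example, not part of the ICANN announcement and not ICANN's test platform. It computes DNSKEY key tags as specified in RFC 4034 Appendix B (the 16-bit identifier that trust-anchor files and DS records carry), parses a constructed one-record-per-line trust-anchor file, and reports any KSK published in the zone's DNSKEY RRset that the resolver does not trust. All DNSKEY values, the trust-anchor file format and the function names are constructed for illustration; the real root keys are not included.

```python
import base64
import struct

# Constructed sample DNSKEY RRset for a zone (NOT the real root zone keys).
# Fields: flags, protocol, algorithm, base64 public key.
# flags 257 = ZONE (0x0100) | SEP (0x0001): a key-signing key (KSK).
# flags 256 = ZONE only: a zone-signing key (ZSK).
SAMPLE_ZONE_DNSKEYS = [
    (257, 3, 8, "AQID"),      # constructed "old" KSK, key bytes 01 02 03
    (257, 3, 8, "CAkK"),      # constructed "new" KSK, key bytes 08 09 0a
    (256, 3, 8, "BAUGBw=="),  # constructed ZSK, key bytes 04 05 06 07
]

# Constructed trust-anchor file: the resolver only knows the "old" KSK.
RESOLVER_TRUST_ANCHORS = """\
; constructed trust-anchor file, one DNSKEY per line
. IN DNSKEY 257 3 8 AQID
"""

ZONE_FLAG = 0x0100
SEP_FLAG = 0x0001


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for algorithms other than 1): even-offset
    bytes count shifted left by 8, odd-offset bytes count as-is, then the carry
    above 16 bits is folded back in and the low 16 bits are returned."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def is_ksk(flags):
    """A KSK has both the ZONE bit and the Secure Entry Point (SEP) bit set."""
    return bool(flags & ZONE_FLAG) and bool(flags & SEP_FLAG)


def ksk_tags(dnskeys):
    """Key tags of every KSK in a DNSKEY RRset."""
    return {key_tag(dnskey_rdata(*k)) for k in dnskeys if is_ksk(k[0])}


def parse_trust_anchor_tags(config_text):
    """Parse lines of the form '<zone> [IN] DNSKEY <flags> <proto> <alg> <base64...>'
    (a constructed format resembling DNSKEY presentation syntax) into key tags.
    ';' starts a comment; the base64 key may be split across several tokens."""
    tags = set()
    for line in config_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        key = "".join(fields[i + 4:])
        tags.add(key_tag(dnskey_rdata(flags, proto, alg, key)))
    return tags


def missing_ksks(zone_dnskeys, configured_tags):
    """KSK key tags published by the zone but absent from the resolver's trust
    anchors. A non-empty result means validation will fail for that resolver
    once the zone signs only with a KSK it does not trust."""
    return ksk_tags(zone_dnskeys) - set(configured_tags)


if __name__ == "__main__":
    configured = parse_trust_anchor_tags(RESOLVER_TRUST_ANCHORS)
    missing = missing_ksks(SAMPLE_ZONE_DNSKEYS, configured)
    if missing:
        print("resolver NOT ready; zone KSK tags missing from trust anchors:", sorted(missing))
    else:
        print("resolver trusts every KSK the zone publishes")
```

Run against the constructed data, the check reports the "new" KSK as missing, which is exactly the state the announcement describes for unprepared resolvers; pointing the parser at a real resolver's trust-anchor file and the zone's current DNSKEY RRset turns it into a local pre-rollover check.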

ICANN is notifying its community, including the Security and Stability Advisory Committee (SSAC), the Regional Internet Registries (RIRs), Network Operators Groups (NOGs) and other relevant parties, asking for their help in identifying and resolving the problems.

In the meantime, ICANN believes the prudent course is to follow its process and postpone the key change rather than rush it and negatively affect a large number of Internet users. ICANN is committed to continuing its outreach, education, communication and engagement with the relevant technical organizations to ensure they are prepared for the key change.

"Maintaining the security, stability and resiliency of the Domain Name System is our core mission. We would rather take a prudent and reasonable approach than make a reckless change on 11 October," said Göran Marby. "It would be irresponsible to proceed with the rollover after discovering these new issues, because they could affect the success of the rollover and could negatively affect the ability of a large number of end users."

A new date for the key rollover has not yet been determined. ICANN's Office of the Chief Technology Officer has said it hopes to reschedule the rollover for the first quarter of 2018, but this depends on whether we can fully understand the new information and mitigate as many potential failures as possible.

ICANN will publish new information as it becomes available and will announce a new rollover date when appropriate.

"We hope network operators will use this additional time to make sure their systems are ready for the key rollover," said Marby. "Our test platform (http://go.icann.org/KSKtest) will help operators ensure their resolvers can correctly configure the new key, and we will continue to engage and communicate with these operators."

About DNSSEC

To make resources on the Internet easy to identify, the numeric addresses behind them have been replaced by readable strings. The distributed, hierarchical Domain Name System (DNS) is responsible for translating those strings into numbers. Since its design was completed in 1983, computing and network technology have become increasingly complex, leaving this "phone book of the Internet" vulnerable to attack. To counter these threats, the Internet Engineering Task Force (IETF), an international standards body, developed DNSSEC, which uses cryptography to ensure that DNS content cannot be modified from its source without detection. Once fully deployed, DNSSEC will leave attackers no way to redirect DNS users.


To follow the progress of the KSK rollover, see: https://www.icann.org/resources/pages/ksk-rollover

Social media hashtag: #Keyroll

