
News Release: Board Approves Rollover of the Key Signing Key (KSK)

Los Angeles, 18 September 2018. The Board of the Internet Corporation for Assigned Names and Numbers (ICANN) has now approved the first change to the key that protects the Domain Name System (DNS), known as "the Internet's address book."

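During a meeting in Belgium on 16 September, the ICANN Board passed a resolution directing the organization to proceed with its plan to change, or "roll," the key for the DNS root zone on 11 October 2018. This marks the first time the key has been changed since it was put in place in 2010.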

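"This is an important move, and we have a responsibility to ensure that it advances ICANN's mission of maintaining the security, stability and resiliency of the DNS," said ICANN Board Chair Cherine Chalaby. "We cannot fully ensure that every network operator has its 'resolvers' configured correctly. Assuming everything goes as planned, we expect that the vast majority of users will be able to access the root zone."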

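If some network operators or Internet Service Providers (ISPs) are not prepared for the key rollover, their Internet users will be affected. Operators that have enabled Domain Name System Security Extensions (DNSSEC) and the validation of DNSSEC information must make sure they are ready for the rollover. DNSSEC is a set of security protocols used to ensure that DNS information is not accidentally or maliciously corrupted.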

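"Research shows that many thousands of network operators have enabled DNSSEC validation, and about a quarter of Internet users rely on those operators," said David Conrad, ICANN's Chief Executive Officer. "It is almost certain that at least a few operators somewhere around the world will not be prepared, but even in the worst case, all they need to do is turn off DNSSEC validation, install the new key, and then re-enable DNSSEC, and their users will again be able to connect to the DNS."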

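The change to the DNS root zone key was originally expected to take place a year ago, but ICANN decided to postpone the rollover after it found and analyzed the latest pre-rollover data. These data showed whether network operators were ready for the key rollover.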

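An analysis of the data ultimately led the organization to conclude that the key rollover could proceed safely and smoothly. In light of this, and after consulting with the community, the organization drew up a new plan proposing that the new key be put into use one year after the originally scheduled date. During the postponement, the organization continued extensive outreach and investigation to understand how best to reduce the risks associated with the key rollover.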

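At its meeting on 16 September, the ICANN Board passed a resolution (https://www.icann.org/resources/board-material/resolutions-2018-09-16-en) approving this plan. The ICANN organization has scheduled the key rollover for 4:00 p.m. Coordinated Universal Time (UTC) on 11 October 2018.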

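"This is the first time the key has been changed, but it will not be the last," said Matt Larson, ICANN's Vice President of Research and the designated point of contact for the key rollover. "This is the first rollover, and of course we are working intensively on the preparations to make sure everything goes as smoothly as possible. We will need to carry out many more key rollovers in the future, and by then network operators, Internet Service Providers (ISPs) and others will be increasingly familiar with the operation."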

The primary source of information about the key rollover is: http://www.icann.org/kskroll

Please subscribe to the key rollover discussion mailing list: https://mm.icann.org/listinfo/ksk-rollover

Social media hashtag: #密钥轮转

###

Media Contacts

ICANN
Brad White
Director of Communications, North America
Mobile: +1.301.365.3571
Email: brad.white@icann.org

ICANN
Alexandra Dans
Senior Communications Manager, Latin America and the Caribbean
Mobile: +598 95 831 442
Email: alexandra.dans@icann.org

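About ICANN

ICANN's mission is to ensure a stable, secure and unified global Internet. To find another person's information on the Internet, you must type an address into your computer or other device: either a name or a string of numbers. That address must be unique so that computers can identify one another. ICANN is responsible for coordinating these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation, with community members all over the world.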
