by Joe Abley, Chief Technology Officer, Public Interest Registry
It’s September in Southwestern Ontario. The days are getting cooler and the skies are more regularly blue; it’s about time to procrastinate cleaning the backyard before the snow comes, because of course there’s loads of time left to worry about that. Until, every year, there isn’t, because the snow always comes earlier than you think.
The care and feeding of Internet infrastructure is also seasonal, although the seasons are less regularly (and more predictably) distributed throughout the year. There are major holidays and events around the world that need to be considered when you plan maintenance, or the yard clean-up of Internet infrastructure. You don’t want to plan to do work that will affect commercial customers during their workdays; for instance, much of Western Europe is on vacation during August and there are holidays in December that are observed around the world. In general, you try not to make changes to running systems that people depend on during the times when it might be hard to adapt to unexpected events, or when people are depending on them not to break.
This year has been a little different. In many parts of the world, residential networks are not just used by families in the evening to watch television and by teenagers throughout the late hours of the night, but also during the full work day as the planet’s office workers have turned their kitchen tables into desks. While people may not be working in person in their offices, office networks still resonate with their network traffic as people need to use office network services. Office hours have turned into all the hours, and people are relying upon the Internet to work as never before.
At the beginning of the year, PIR was working with our technology partner Afilias to establish periodic reviews of the technical parameters used in the operation of .ORG. In particular, we were reviewing some technical settings used in DNSSEC, a buzzword that describes a particular set of security extensions in the Domain Name System intended to protect people who use .ORG domains from various bad things on the Internet.
.ORG was the first generic top-level domain to deploy DNSSEC in 2009. In the eleven years that have followed, the world has learned a lot about cryptography and the DNS in general, and about DNSSEC specifically. Maintenance is an important part of any operational technology, and some of the deployment choices that were right in 2009 can be improved upon in 2020.
We came up with a laundry list of things we could change and improve. However, the list we came up with would take too long to tackle in a world where the ability to travel to data centers has become unpredictable and in a year which really demands small, conservative changes over more ambitious adventures. So, we scaled things back a bit. We will get through the whole list, but not all this year.
A couple of weeks ago, our technology partner, Afilias, started executing a plan that we’ve been discussing in public technical forums for the past several months. By the time the plan is complete, we will have made small but important changes in the way that DNSSEC is deployed in .ORG, including the replacement of a particular cryptographic algorithm known as “SHA-1” which, while not obsolete, has definitely been found to be less secure than was thought a decade ago. Every .ORG domain name will benefit from the changes we are making.
As we go through our list, we will share the technical details of the changes with our counterparts at other organizations, because that’s how the Internet works best. We’re also collecting operational data that we can use to better understand the DNS and its reaction to the technical changes we are making. We hope that our fellow research partners in academia will work with us to investigate any interesting new phenomena that come to light.
The first changes have already been made; there are more changes to follow. By sharing our plans widely and being as open as we can about the work we are doing, we’re doing our very best to make sure that nobody notices. The time invested this year will make further improvements easier to implement in the future. Just like my backyard, there’s always more work to do.