2017 dnssec ksk rollover
play

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do - PowerPoint PPT Presentation

Mar 25, 2023 •173 likes •384 views

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this Talk 2 1 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK

  1. 2017 DNSSEC KSK Rollover Carlos Martínez | LACNIC | LACNIC 27, Foz Do Iguassú

  2. Purpose of this Talk 2 1 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK information | 2

  3. The Root Zone DNSSEC KSK ¤ The Root Zone DNSSEC Key KSK Signing Key “ KSK ” is the top most cryptographic key in the DNSSEC hierarchy ¤ Public portion of the KSK is configuration parameter in DNS validating revolvers DATA | 3

  4. Rollover of the Root Zone DNSSEC KSK ¤ There has been one functional, operational Root Zone DNSSEC KSK ¤ Called "KSK-2010" ¤ Since 2010, nothing before that ¤ A new KSK will be put into production later this year ¤ Call it "KSK-2017" ¤ An orderly succession for continued smooth operations ¤ Operators of DNSSEC recursive servers may have some work ¤ As little as review configurations ¤ As much as install KSK-2017 | 4

  5. Important Milestones Event Date Creation of KSK-2017 October 27, 2016 Production Qualified February 2, 2017 Out-of-DNS-band Publication Now, onwards In-band ( Automated Updates ) Publication July 11, 2017 and onwards Sign (Production Use) October 11, 2017 and onwards Revoke KSK-2010 January 11, 2018 Remove KSK-2010 from systems Dates TBD, 2018 | 5

  6. Recognizing KSK-2017 ¤ The KSK-2017’s Key Tag is 20326 ¤ The Delegation Signer (DS) Resource Record for KSK-2017 is . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D084 58E880409BBC683457104237C7F8EC8D "Root" Note: liberties taken with formatting for presentation purposes | 6

  7. KSK-2017 in a DNSKEY Resource Record ¤ The DNSKEY resource record will be: . IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= "Root" Note: liberties taken with formatting for presentation purposes | 7

  8. Why are there DS and DNSKEY forms of KSK-2017? ¤ Tools that you will use to manage DNSSEC trust anchor configurations work on either the DS form, the DNSKEY form or both ¤ For each tool there are historical reasons ¤ The DS record contains a hash of KSK-2017 ¤ The DNSKEY record contains the public key of KSK-2017 ¤ Consult your tool’s documentation to know which is appropriate | 8

  9. Current "State of the System" ¤ Sunny, as in “sunny day scenario” ¤ We are changing the KSK under good conditions ¤ Leverage trust in KSK-2010 to distribute KSK-2017 ¤ Recommended course of action – rely on RFC 5011’s Automated Updates of DNSSEC Trust Anchors protocol ¤ Why mention this? ¤ Alternative to Automated Updates is bootstrapping (or establishing an initial state of trust in) a trust anchor ¤ That would be necessary in stormy (emergency) conditions | 9

  10. Automated Updates of DNSSEC Trust Anchors ¤ Defined in RFC 5011 ¤ Use the current trust anchor(s) to learn new ¤ To allow for unattended DNSSEC validator operations ¤ Based on "time" – if a new one appears and no one complains for some specified time, it can be trusted ¤ Defined "add hold" time is 30 days | 10

  11. Automated Updates timetable KSK-2017 KSK-2017 KSK-2017 appears starts should be in DNS signing trusted | 11

  12. Important dates when following Automated Updates ¤ On 11 July 2017 ¤ KSK-2017's DNSKEY record will appear in the DNS root key set ¤ Tools following RFC 5011 will start counting days ¤ After 11 August 2017 (give or take a day) ¤ Your tool should see KSK-2017 in its trust anchor database ¤ If not, debugging is needed, you have a few weeks to fix ¤ (Don't panic if it it's not immediate, remember time zone, etc.) ¤ On 11 October 2017 ¤ KSK-2017 goes "live," validation ought to be confirmed | 12

  13. What if KSK-2017 isn't trusted on August 11, 2017? ¤ Don't Panic! ¤ There are nearly two months to examine why, fix, and test before KSK-2017 "goes live" ¤ Begin to investigate early but there is no need to rush a fix ¤ Resources to consult are listed later in the slides | 13

  14. Why is Automatic Updates in use? ¤ Many DNSSEC validation tools have RFC 5011 support built-in ¤ The support needs to be configured properly, consult your administrator guide ¤ All in all, nothing an operator can't handle ¤ You can choose to "do it the hard way" ¤ You do have options ¤ ICANN is publishing KSK-2017 in different ways to help | 14

  15. Preferred Approach ¤ Mindful that the choice is a matter of local policy ¤ DNSSEC validation is for the benefit of the receiver ¤ Not all operational environments are the same, not all validating tools implement Automated Updates ¤ ICANN is doing its best to accommodate different approaches ¤ Automated Updates is likely the preferred approach ¤ Relies only on what has been trusted before ¤ It's the most reliable/stable approach, simplest basis for trust | 15

  16. Impact on the KSK Rollover Process 1280 Byte ¤ Visualizing Packet Sizes "Limit" ¤ 2017-July-01 864 Bytes ¤ 2017-July-11 1139 Bytes ¤ 2017-Sept-19 1414 Bytes ¤ 2017-Oct-11 1139 Bytes ¤ 2017-Dec-20 1414 Bytes ¤ 2018-Jan-11 1424 Bytes ¤ 2018-Mar-22 1139 Bytes ¤ 2018-Apr-11 864 Bytes KSK-2010 KSK-2017 Current ZSK Next ZSK RRSIG-2010 RRSIG-2017 | 16

  17. Recommendation for IPv6 ¤ What you should do ¤ Make sure your servers can query over TCP (especially in IPv6) ¤ Test and verify that you can receive large DNSKEY sets ¤ This is a "permanent fix", not just for the KSK key rollover, TCP is an important piece of DNS operations | 17

  18. Three Steps to Recovery 1. Stop the tickets! It's OK to turn off DNSSEC validation while you fix (but do turn it back on!) 2. Debug. If the problem is the trust anchor, find out why it isn't correct ¤ Did RFC 5011 fail? Did configuration tools fail to update the key? ¤ If the problem is fragmentation related, make sure TCP is enabled and/or make other transport adjustments 3. Test the recovery. Make sure your fixes take hold | 18

  19. ICANN’s Automatic Updates Testbed ¤ Designed to allow operators to test whether production resolver configurations follow Automated Updates ¤ The goal is to test production resolvers with live test zones executing a KSK rollover in real time ¤ A full test lasts several weeks ¤ Joining the testbed involves: ¤ Configuring a trust anchor for a test zone such as 2017-03-05.automated-ksk-test.research.icann.org ¤ Receiving periodic emails with instructions for what to do and what to watch for ¤ https://automated-ksk-test.research.icann.org | 19

  20. Educational/informational Resources ¤ ICANN organizes KSK rollover information here: https://www.icann.org/resources/pages/ksk-rollover ¤ Link to that page can be found on ICANN's main web page under "Quicklinks" ¤ Contains links to what's been covered in this presentation, the get_trust_anchor.py script and information on ICANN's live testbeds | 20

  21. How can you engage with ICANN? Thank You and Questions Join the ksk-rollover@icann.org mailing list Archives: https://mm.icann.org/listinfo/ksk-rollover KSK-Roll Website: https://www.icann.org/kskroll soundcloud.com/icann twitter.com/icann Follow #Keyroll weibo.com/ICANNorg facebook.com/icannorg flickr.com/photos/icann youtube.com/user/icannnews slideshare.net/icannpresentations linkedin.com/company/icann | 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK information

720 views • 36 slides
KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK

KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK

KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover The Root

558 views • 13 slides
Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides a superior product, and 3. much less expensive 3 Student Rollover So, Im wondering why are we still using these? NEW SLIDE 1. Hard to use,

734 views • 22 slides
Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries

Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries

Donald Friedman Susie Bozzini Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries occur in pre roll crash events, limiting the likelihood that ESC will be as effective as predicted, emphasizing occupant

757 views • 62 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN

Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN

Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN FOSDEM 2019 3 February 2019 | 1 The KSK rollover has happened! The KSK rollover occurred on time as planned at 1600 UTC on 11 October 2018

434 views • 24 slides
The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land

The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land

The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land Commissioner Rollover Pass, Galveston County Project Site Rollover Pass, Galveston County GIWW Rollover Pass Rollover Pass, Galveston County History:

231 views • 10 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went

MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went

MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went off the edge of the road No injuries What was spilled? Fuel Engine oil Contributing Factors to Rollover Poor visibility Dark

75 views • 5 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
Offline Data Processing: Tasks and Infrastructure Support T. Yang, UCSB 290N Table of Content

Offline Data Processing: Tasks and Infrastructure Support T. Yang, UCSB 290N Table of Content

Offline Data Processing: Tasks and Infrastructure Support T. Yang, UCSB 290N Table of Content Offline incremental data processing: case study Example of content analysis System support Offline Architecture for Ask.com Search

400 views • 13 slides
1 Fetcher WebDB/Fetcher Updates Fetcher is very stupid. Not a crawler URL:

1 Fetcher WebDB/Fetcher Updates Fetcher is very stupid. Not a crawler URL:

Meta-details Built to encourage public search work Open-source, w/pluggable modules All About Nutch Cheap to run, both machines & admins Goal: Search more pages, with better quality, than any other engine Michael J. Cafarella

90 views • 5 slides
OUT OF THE PIPELINE: NOVEL TARGETS AND TREATMENTS FOR SCHIZOPHRENIA Learning Objectives

OUT OF THE PIPELINE: NOVEL TARGETS AND TREATMENTS FOR SCHIZOPHRENIA Learning Objectives

OUT OF THE PIPELINE: NOVEL TARGETS AND TREATMENTS FOR SCHIZOPHRENIA Learning Objectives Describe the mechanisms of action of emerging and investigational treatments for schizophrenia Evaluate the latest clinical data for new and

799 views • 51 slides
IN3170/4170, spring 2020, mandatory labratory exercise 2: Gate delay and nFET intrinsic gain

IN3170/4170, spring 2020, mandatory labratory exercise 2: Gate delay and nFET intrinsic gain

IN3170/4170, spring 2020, mandatory labratory exercise 2: Gate delay and nFET intrinsic gain (deadline 16-Mar-2020, 10:00!) P. H afliger & Sebastian Wood Institute of Informatics University of Oslo e-mail: hafliger@ifi.uio.no February

125 views • 10 slides
Speeding things up: Getting sloooower The TLB Memory Exception Every new level of paging no p

Speeding things up: Getting sloooower The TLB Memory Exception Every new level of paging no p

Speeding things up: Getting sloooower The TLB Memory Exception Every new level of paging no p o CPU reduces the memory overhead for computing yes page # frame # Access the mapping function f but increases the time necessary

201 views • 4 slides
MAPREDUCE INFORMATION RETRIEVAL EXPERIMENTS CLEF 2010, Tuesday 21 September 2010 Djoerd Hiemstra

MAPREDUCE INFORMATION RETRIEVAL EXPERIMENTS CLEF 2010, Tuesday 21 September 2010 Djoerd Hiemstra

MAPREDUCE INFORMATION RETRIEVAL EXPERIMENTS CLEF 2010, Tuesday 21 September 2010 Djoerd Hiemstra & Claudia Hauff University of Twente INSPIRED BY GOOGLE... 2 A NEW COURSE ON BIG DATA Distributed Data Processing using

518 views • 24 slides
Mak Karim IT Director Summary 3 Recruitment Challenges Effective Candidate Sourcing

Mak Karim IT Director Summary 3 Recruitment Challenges Effective Candidate Sourcing

A N I N T R O D U C T I O N SCR Hospitality Meeting 19 th September 2019 Richard Tomlinson Account Director Mak Karim IT Director Summary 3 Recruitment Challenges Effective Candidate Sourcing Building an Employer Brand Speed

318 views • 9 slides
Handout 1 Webinar: An Hour of Code with Artificial Intelligence! Topic: Artificial intelligence

Handout 1 Webinar: An Hour of Code with Artificial Intelligence! Topic: Artificial intelligence

Handout 1 Webinar: An Hour of Code with Artificial Intelligence! Topic: Artificial intelligence Provides a starting point to find out about AI, learn more and find relevant resources. Lesson ideas Year level Title Description Aspects of AI

139 views • 3 slides

More recommend