dnssec rolling keys
play

DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and - PowerPoint PPT Presentation

Sep 25, 2022 •25 likes •155 views

DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat, Morocco, 1 June 2008 http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 page 2 DNSKEY in flavours Zone Signin Key (ZSK) Key Signing Key (KSK)

  1. DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat, Morocco, 1 June 2008 http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008

  2. page 2 DNSKEY in flavours • Zone Signin Key (ZSK) • Key Signing Key (KSK) – Functions as secure entry point into the zone • Trust-anchor configuration • Parental DS points to it • Interaction with 3rd party • DNSKEYs are treated all the same in the protocol • Operators can make a distinction – Look at the flag field: ODD (257 in practice) means SEP NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Labs

  3. Benefits of using page 3 separate keys • Rolling KSK needs interaction, rolling ZSKs can be done almost instantaneously • Remember KSK replacement may result in – Trust-anchor updates – Change of DS record at parent • Allows different responsibilities – ZSKs may be touched day to day by junior staff – KSKs may only be touched by senior staff NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Labs

  4. page 4 Rolling keys instantaneously? • Remember that in the DNS caches are at play. – It takes a bit of time to have new information propagate • When you happen to get new data you would like to be able to use DNSSIGs from the cache • When you happen to get old data from the cache you would like to use new DNSSIGs • Try to make sure both old and new keys are available • Or, try to make sure both old and new sigs are available NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Labs

  5. page 5 Timing Properties time Authoritative Master Authoritative Slave Caching Nameserver Foo TXT Old Foo TXT Old 0 Publication of new data Foo TXT New t 1 synchronization Query to slave Foo TXT Old followed by Caching t 2 Zone transfer Foo TXT New Zone TTL t 3 Poof Expiration From Cache NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Labs

  6. page 6 PRE-publish ZSK rollover • Introduce the new DNSKEY before you start using it to sign the data. – ‘passive and active’ key – The passive key is just published, the active key is used for signing • You could also create two signatures after introducing the key, but that would cause your zone file to grow NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Labs

  7. page 7 ZSK rollover dnssec-signzone -k ksk example.com zsk1 dnssec-signzone -k ksk example.com zsk2 Create passive zsk2 ksk ksk ksk zsk1 zsk1 zsk2 zsk2 Sig ksk Sig ksk Sig ksk Sig zsk1 Sig zsk1 Sig zsk2 Zone data Zone data Zone data Sig zsk1 Sig zsk1 Sig zsk2 time At least TTL DNSKEY RRs NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Labs

  8. page 8 KSK rollover • You are dependent on your parent. – You cannot control when the parent changes the DS rr • Use the old KSK until the old DNS had time to propagate from caches NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Labs

  9. page 9 NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Labs

  10. KSK rollover page 10 Parent rolls DS1 DS2 dnssec-signzone -k ksk1 example.com zsk dnssec-signzone -k -k ksk2 example.com zsk dnssec-signzone -k ksk1 -k ksk2 example.com zsk Create ksk2 and Remove ksk1 send to parent ksk1 ksk1 ksk1 ksk2 ksk2 ksk2 zsk zsk zsk zsk Sig ksk Sig ksk1 Sig ksk1 Sig ksk2 Sig ksk2 Sig ksk2 Sig zsk Sig zsk Sig zsk Sig zsk Zone data Zone data Zone data Zone data Sig zsk Sig zsk Sig zsk Sig zsk time At least TTL DS RRs NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Labs

  11. page 11 Erratum • RFC4641 contains error in tables – Some space is lacking in the tables ---------------------------------------------------------------- initial new DNSKEY new RRSIGs DNSKEY removal ---------------------------------------------------------------- SOA0 SOA1 SOA2 SOA3 RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3) DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11 DNSKEY11 DNSKEY11 RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) ---------------------------------------------------------------- NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Pre-Publish Key Rollover Labs

  12. page 12 ---------------------------------------------------------------- initial new DNSKEY DNSKEY removal ---------------------------------------------------------------- SOA0 SOA1 SOA2 RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA1) DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY10 DNSKEY10 DNSKEY11 DNSKEY11 RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) ---------------------------------------------------------------- Double Signature Zone Signing Key Rollover NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Labs

  13. page 13 NLnet http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 Labs

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rolling Rolling the the Root Root Geoff Huston APNIC Use Use of of DNSSEC DNSSEC in in

Rolling Rolling the the Root Root Geoff Huston APNIC Use Use of of DNSSEC DNSSEC in in

Rolling Rolling the the Root Root Geoff Huston APNIC Use Use of of DNSSEC DNSSEC in in Todays Todays Internet Internet Why Why is is this this relevant? relevant? Because Because the root zone managers are preparing

788 views • 43 slides
Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN |

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN |

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN | 1 Motivation for the Talk ICANN is about to change an important configuration parameter in DNSSEC For a network DNS operator, this may

377 views • 21 slides
*.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a

*.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a

New DNSSEC Technologies Paul Wouters Senior software engineer, Red Hat February 9, 2015 1 Paul Wouters <pwouters@redhat.com> *.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a user@fedoraproject.org

380 views • 12 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany November 6, 2020 NIST Workshop on Multi-Party Threshold Schemes 2020 Based on work published at ESORICS20 with Anders Dalskov, Marcel Keller,

775 views • 63 slides
DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez & Eberhard W Lisse

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez & Eberhard W Lisse

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez & Eberhard W Lisse University of Costa Rica & Namibian Network Information Centre 2015-02-09 Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 1 / 19

202 views • 19 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009

DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009

DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009 Manila, Philippines http://nsrc.org/tutorials/2009/apricot/dnssec/ Public-Private Keys Refresher Ciphers Ciphertext Symmetric Cipher /

465 views • 20 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
Webinar: Unclaimed money, lost member and inactive low- balance account reporting obligations An

Webinar: Unclaimed money, lost member and inactive low- balance account reporting obligations An

Webinar: Unclaimed money, lost member and inactive low- balance account reporting obligations An information session for Superannuation Funds Trustees and Administrators Webinar: Unclaimed money, lost member and inactive low-balance account

513 views • 28 slides
Employer Basics 101: Purchasing Service Credit and Leaves of Absence 50-403, 9/20/E How To

Employer Basics 101: Purchasing Service Credit and Leaves of Absence 50-403, 9/20/E How To

STATE TEACHERS RETIREMENT SYSTEM OF OHIO Employer Basics 101: Purchasing Service Credit and Leaves of Absence EMPLOYER EDUCATION Employer Basics 101: Purchasing Service Credit and Leaves of Absence 50-403, 9/20/E How To Use GoToWebinar

265 views • 9 slides
Pro je c t 2A.2: L ist pro je c t re q uire me nts Pla nning Do c ume nt Pla nning Do c

Pro je c t 2A.2: L ist pro je c t re q uire me nts Pla nning Do c ume nt Pla nning Do c

11/9/2007 Pro je c t 2A FIT100 FIT100 FIT100 FIT100 FIT100 FIT100 Write a pla nning do c ume nt Pro je c t 2A.2: L ist pro je c t re q uire me nts Pla nning Do c ume nt Pla nning Do c ume nt Sho w PE Sho w PE RT RT c

280 views • 3 slides
COVID-19 Preparedness CARES Act Provisions 1 Stimulus Checks = Cash Now Maximum of $1,200 per

COVID-19 Preparedness CARES Act Provisions 1 Stimulus Checks = Cash Now Maximum of $1,200 per

COVID-19 Preparedness CARES Act Provisions 1 Stimulus Checks = Cash Now Maximum of $1,200 per adult and $500 per dependent child under age 17 Advanced credit determined based on 2019 return if it has been filed If 2019 return has

89 views • 5 slides
Professional Portfolio Selection Techniques: From Markowitz to Innovative Engineering

Professional Portfolio Selection Techniques: From Markowitz to Innovative Engineering

Massachusetts Institute of Technology Sponsor: Electrical Engineering and Computer Science Cosponsor: MIT Student Chapter of Institute of Electrical and Electronic Engineers Professional Portfolio Selection Techniques: From Markowitz to

1.74k views • 162 slides
Commission Br Commission Briefing on iefing on Equa Equal l Employmen Employment t Opportu

Commission Br Commission Briefing on iefing on Equa Equal l Employmen Employment t Opportu

Commission Br Commission Briefing on iefing on Equa Equal l Employmen Employment t Opportu Opportunity, nity, Diversity Diversity and and Small Business Small Business December 18, 2014 Advancing the Field James C. Corbett Acting

621 views • 41 slides
RF Developments Erk Jensen for BE-RF The global context From European Strategy update: From P5

RF Developments Erk Jensen for BE-RF The global context From European Strategy update: From P5

RF Developments Erk Jensen for BE-RF The global context From European Strategy update: From P5 report: d) T o stay at the forefront of particle physics, Europe needs to be in a position to propose an ambitious post-LHC accelerator project

735 views • 36 slides
The Nature of Probability The Nature of Probability y

The Nature of Probability The Nature of Probability y

Elementary Statistics Elementary Statistics A Step by Step Approach Dr. Saeed Alghamdi Sixth Edition Room 542 by by Allan G. Allan G. Bluman Bluman Statistics Department http://www.mhhe.com/math/stat/blumanbrief

525 views • 8 slides

More recommend