SLIDE 1

DNSSEC Trust Anchor Repositories (TAR) Update

Russ Mundy Co-Chair DNSSEC Deployment Initiative

Russ.Mundy@cobham.com / mundy@sparta.com

www.dnssec-deployment.org

SLIDE 2

24 June 2009 mundy@sparta.com ICANN 35 - DNSSEC TAR Update 2

DNSSEC Trust Anchors

  • Starting point for DNSSEC validation
  • Choice of trust anchors is a local decision
    – Bad choice of trust anchors can completely undermine value of DNSSEC
  • In the absence of a valid secure delegation from the parent zone to the child zone, a validator MUST have trust anchors for the child zone in order to be able to validate names from (and below) it.

SLIDE 3

Number of Trust Anchors

Ideal: Entire DNS Tree is signed

[Figure labels: Root Trust Anchor(s); Trust Anchors from Islands of Trust]

Reality: DNS Name Space is fragmented into a (potentially large) number of “islands of trust”
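
Added example (not part of the original slides): a small model of the rule on slide 2 and the "islands of trust" picture on slide 3. It finds the zones a validator needs a trust anchor for and which configured anchor, if any, covers a given name. The zone names and flags are constructed sample data, and the model only tracks whether a chain of secure delegations exists; it does no key or signature checking.

```python
# Constructed sample zone data (not from the slides). "signed": the zone is
# DNSSEC-signed; "ds": its parent publishes a DS record for it.
ZONES = {
    ".":                {"signed": False, "ds": False},  # root unsigned, as in 2009
    "se.":              {"signed": True,  "ds": False},
    "example.se.":      {"signed": True,  "ds": True},
    "com.":             {"signed": False, "ds": False},
    "example.com.":     {"signed": True,  "ds": False},
    "sub.example.com.": {"signed": True,  "ds": True},
    "plain.org.":       {"signed": False, "ds": False},
}

def parent(zone):
    """Parent of 'a.b.' is 'b.'; parent of a TLD is the root; the root has none."""
    if zone == ".":
        return None
    return zone.split(".", 1)[1] or "."

def island_apexes(zones):
    """Signed zones that lack a secure delegation from a signed parent."""
    apexes = []
    for name, z in zones.items():
        p = zones.get(parent(name))
        secure_delegation = z["ds"] and p is not None and p["signed"]
        if z["signed"] and not secure_delegation:
            apexes.append(name)
    return sorted(apexes)

def anchor_for(name, zones, anchors):
    """Return the configured trust anchor that can validate `name`, or None."""
    zone = name
    while zone is not None and zone not in zones:  # find the enclosing zone
        zone = parent(zone)
    while zone is not None:
        z = zones.get(zone)
        if z is None or not z["signed"]:
            return None      # unsigned zone: the chain of trust cannot pass
        if zone in anchors:
            return zone      # closest enclosing anchor roots the chain
        if not z["ds"]:
            return None      # island apex with no anchor configured
        zone = parent(zone)
    return None
```

Passing `set(island_apexes(ZONES))` as `anchors` models a validator that loads every island's anchor from a single TAR.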

SLIDE 4

(very quick) Background

DNSSEC Trust Anchor Repositories (TARs)

  • What are they?
  • Why would TARs be used?

SLIDE 5

(very quick) Background (Cont.)

DNSSEC Trust Anchor Repositories (TARs)

  • What are they?
    – Way to get trust anchors to validators
    – Validator gets multiple trust anchors by using a single TAR

SLIDE 6

(very quick) Background (Cont.)

DNSSEC Trust Anchor Repositories (TARs)

  • Why would TARs be used?
    – Facilitate DNSSEC Deployment by “filling holes in the hierarchy”
    – Used by ‘community of interest’ to provide their community needs (Not discussed further in this presentation)

SLIDE 7

Trust Anchor Repository (cont.)

[Figure labels: Trust Anchors from Islands of Trust; TAR]

SLIDE 8

Pros & Cons: Very High-level Summary

  • Pros:
    – “holes in the hierarchy” will persist for a long time
    – Provides method for any signed zone to be used by any validator
    – ...
  • Cons:
    – Diverts/detracts effort from DNSSEC deployment
    – Lowers motivation for getting parent zones signed
    – ...

SLIDE 9

TAR Discussion Venues

  • DNSSEC Deployment plenary telecons
  • DNSSEC Deployment mail list
  • ICANN meeting discussions
  • RIPE meetings
  • IETF meetings (note: NOT in conjunction with any working group)

SLIDE 10

TARs: Current Status

  • Limited consensus on TARs
    – What should & should not be considered a DNSSEC TAR
    – Whether or not one or more DNSSEC TAR(s) are needed

SLIDE 11

TARs: Current Status (Cont.)

  • By some definition for DNSSEC TAR, several exist today:
    – ICANN ITAR: https://itar.iana.org/
    – ISC DLV: https://www.isc.org/solutions/dlv
    – SecSpider: http://secspider.cs.ucla.edu/
    – IKS Jena Survey: http://www.iks-jena.de/leistungen/dnssec.php

SLIDE 12

TARs: Current Status (Cont.)

  • Some developing consensus on need for DNSSEC TARs of some sort
    – lack of consensus on what should - or should not - be considered a DNSSEC TAR
  • DNSSEC Deployment WG
    – Plan to develop Best Current Practice type of description for one or two ‘levels’ of DNSSEC TAR
    – Document the details

SLIDE 13

Some pointers to TAR material

  • TAR SONIC
    – Paper: http://www.dnssec-deployment.org/tar/tarpaper.pdf
    – Presentation at ICANN 32: http://par.icann.org/files/paris/Mundy-tar-sonic.pdf
  • Challenges to DNSSEC Deployment (dnssec-deployment mail list archive)
    http://mail.shinkuro.com:8100/Lists/dnssec-deployment/Message/1565-02-02-B/dnssec-confront-barriers.pdf

SLIDE 14

More pointers to TAR material

  • SecSpider Presentation (dnssec-deployment mail list archive)
    http://mail.shinkuro.com:8100/Lists/dnssec-deployment/Message/1262-01-02-B/SecSpider-final-2008-04-02.pdf
  • TAR meeting notes from 25 Mar 09 (dnssec-deployment mail list archive)
    http://mail.shinkuro.com:8100/Lists/dnssec-deployment/Message/2039.html?Language=

SLIDE 15

Closing Thoughts

  • Folks who have thought about DNSSEC TARs often think they know exactly what a TAR is (or is not) and are surprised when other people don't view TARs the same way!
  • Details of a TAR are important
    – many people have different views of what the details of a DNSSEC TAR should be

SLIDE 16

Contributions Welcome

  • Questions & Comments Today (Time permitting)
  • Participate in the DNSSEC Deployment mail list and plenary meetings
    http://www.dnssec-deployment.org/