key roll issue
play

Key Roll issue Roy Arends, Nominet UK 1 September 10th 19:38:11 - PowerPoint PPT Presentation

Jan 27, 2024 •212 likes •374 views

Key Roll issue Roy Arends, Nominet UK 1 September 10th 19:38:11 2 2 kernel panic This was related to an HSM driver We were unable to reproduce the kernel panic Hardware failures happen That is why we over-provision 3 3 Critical, but

  1. Key Roll issue Roy Arends, Nominet UK 1

  2. • September 10th 19:38:11 2 2

  3. kernel panic This was related to an HSM driver We were unable to reproduce the kernel panic Hardware failures happen That is why we over-provision 3 3

  4. Critical, but no time pressure Not a time-critical system Two week signature expiry interval Two simple failover scenarios: Restart current signing system 4 4 Use active secondary signing system

  5. Scenario 1: Restart the system We have proper security hygiene We require presence of a Security Officer But... it was a friday evening There was no time pressure 5 5 And there was an alternative scenario...

  6. Scenario 2: Activate secondary system Runs independent of main signing system Pre-deployment checks Everything was ready to go But... it was a friday evening 6 6 And... there was still no time pressure

  7. Saturday 11 september 2010 Decided to make the secondary system active This would allow signing to continue This gave us time to fix main signing system No need for a Security Officer on-site 7 7 We started the signing system at 14:30

  8. Something was not quite right 8 8

  9. An unfortunate state Main and secondary did not use same ZSK Lead to some validation problems in the field Quickly resolved by flushing the validator cache Or wait until the key expires from the cache 9 9 This was unexpected and should not happen

  10. Analysis The Secondary system had a older ZSK Signed properly by the KSK It validates fine The KEYSET had a 48 Hour TTL Validators with keys from the main system could not validate signatures from the secondary 10 10 system

  11. Investigation OpenDNSSEC consists of two parts: Enforcer translates “policy” to configuration Signer uses that config to sign the UK zone Enforcer was unable to overwrite configuration 11 11 So the signer still uses the old ZSK

  12. Investigation Why has this not been flagged? We use the auditor to check the zone status We use ODS-HSMUTIL to list keys We use ODS-KSMUTIL to report policy 12 12 No checks if a file could be overwritten

  13. Additional Measures Updated our audit scripts to include caching and monitoring to signal overwrite failures TTL of the keyset down to 1 hour No Sec. Officer to restart main signing system 13 13

  14. Lessons learned you can not test for everything beforehand hardly anyone is validating DNSSEC yet problems get very quickly fairly public If you have this problem, have it on a weekend This was not an OpenDNSSEC issue 14 14

  15. Questions? roy@nominet.org.uk 15 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What can I do with a jelly roll? What is a jelly roll? 2 strips, usually 40 per pkg.,

What can I do with a jelly roll? What is a jelly roll? 2 strips, usually 40 per pkg.,

What can I do with a jelly roll? What is a jelly roll? 2 strips, usually 40 per pkg., showcasing a fabric collection (2.75 yards) First marketed by Moda in _____. Guess what year!!! Jelly Roll & Layer Cake are

340 views • 17 slides
HONOR ROLL D A V I N C I D E S I G N WHAT IS HONOR ROLL? Da Vinci Designs Honor Roll is

HONOR ROLL D A V I N C I D E S I G N WHAT IS HONOR ROLL? Da Vinci Designs Honor Roll is

HONOR ROLL D A V I N C I D E S I G N WHAT IS HONOR ROLL? Da Vinci Designs Honor Roll is an academic distinction given to students based on their grade point average Each academic year, based on your grades, you have the opportunity

748 views • 5 slides
th Gr rd Qu 6 th Grad ade e Vi Virt rtual ual 3 rd Quar arter ter Hon Honor Roll or Roll

th Gr rd Qu 6 th Grad ade e Vi Virt rtual ual 3 rd Quar arter ter Hon Honor Roll or Roll

Pre resents sents the he th Gr rd Qu 6 th Grad ade e Vi Virt rtual ual 3 rd Quar arter ter Hon Honor Roll or Roll SY1920 Congratulations to all the 6 th grade scholars who received Honor Roll for the 3 rd Quarter. Honor nor Roll:

281 views • 14 slides
th Gr rd Qu 8 th Grad ade e Vi Virt rtual ual 3 rd Quar arter ter Hon Honor Roll or Roll

th Gr rd Qu 8 th Grad ade e Vi Virt rtual ual 3 rd Quar arter ter Hon Honor Roll or Roll

Pre resents sents the he th Gr rd Qu 8 th Grad ade e Vi Virt rtual ual 3 rd Quar arter ter Hon Honor Roll or Roll SY1920 Congratulations to all the 8 th grade scholars who received Honor Roll for the 3 rd Quarter. Honor nor Roll:

572 views • 15 slides
th Gr rd Qu 7 th Grad ade e Vi Virt rtual ual 3 rd Quar arter ter Hon Honor Roll or Roll

th Gr rd Qu 7 th Grad ade e Vi Virt rtual ual 3 rd Quar arter ter Hon Honor Roll or Roll

Pre resents sents the he th Gr rd Qu 7 th Grad ade e Vi Virt rtual ual 3 rd Quar arter ter Hon Honor Roll or Roll SY1920 Congratulations to all the 7 th grade scholars who received Honor Roll for the 3 rd Quarter. Honor nor Roll:

298 views • 16 slides
Measuring the KSK Roll Geof f Hust on APN I C L abs KSK Roll Measurement Objective What

Measuring the KSK Roll Geof f Hust on APN I C L abs KSK Roll Measurement Objective What

Measuring the KSK Roll Geof f Hust on APN I C L abs KSK Roll Measurement Objective What number of users are at risk of being impacted by the KSK Roll? What we would like the DNS to be DNS Server C l ient DNS Resolver What we suspect is

557 views • 22 slides
Hon Honor Roll or Roll SY1920 Congratulations to all the 7 th grade scholars who received Honor

Hon Honor Roll or Roll SY1920 Congratulations to all the 7 th grade scholars who received Honor

Pre resents sents the he th Gr rd Qu 7 th Grad ade e Vi Virt rtual ual 3 rd Quar arter ter Hon Honor Roll or Roll SY1920 Congratulations to all the 7 th grade scholars who received Honor Roll for the 3 rd Quarter. Honor nor Roll:

175 views • 16 slides
Honor Roll & High Honor Roll in Our S econdary S chools January, 2013 Presentation to the

Honor Roll & High Honor Roll in Our S econdary S chools January, 2013 Presentation to the

Honor Roll & High Honor Roll in Our S econdary S chools January, 2013 Presentation to the Board of Education Todd Winch, Assistant Superintendent for Curriculum & Instruction Reasons for Honor Roll Recognize academic excellence

333 views • 6 slides
Th The Effect of f Contact Roller Topography on Cleanability in in Roll-to to-Roll l

Th The Effect of f Contact Roller Topography on Cleanability in in Roll-to to-Roll l

Th The Effect of f Contact Roller Topography on Cleanability in in Roll-to to-Roll l Manufacture Student: Dan Miszewski-Wall Supervisor: Professor Liam Blunt Project Brief Quantitatively evaluate the cleanability of several Teknek

641 views • 50 slides
Co-operative Groups Teachers roll Student roll Patience Work Together Facilitator

Co-operative Groups Teachers roll Student roll Patience Work Together Facilitator

Survivor Challenge Competition Co-operative Groups Teachers roll Student roll Patience Work Together Facilitator Contribute talents Keeping groups safe discipline Concern for Group members Guided Discovery Solve the problems

296 views • 8 slides
PRESENTATION AGENDA Issue #1 Concussions Issue #2 Antitrust Issue #3 Labor

PRESENTATION AGENDA Issue #1 Concussions Issue #2 Antitrust Issue #3 Labor

PRESENTATION AGENDA Issue #1 Concussions Issue #2 Antitrust Issue #3 Labor Negotiations ISSUE #1: CONCUSSIONS Background The NFL has been aware of concussions for the past 25 years, but since June 2007, it has become a

587 views • 32 slides
Roll-to-roll manufacture of organic transistors for low cost circuits Hazel Assender Dr Gamal

Roll-to-roll manufacture of organic transistors for low cost circuits Hazel Assender Dr Gamal

Roll-to-roll manufacture of organic transistors for low cost circuits Hazel Assender Dr Gamal Abbas, Ziqian Ding Department of Materials University of Oxford DALMATIAN TECHNOLOGY 1 1 21 st Sept 2011 Acknowledgements Bangor Leeds Prof

517 views • 17 slides
Oc Colorado 1640 1 Roll-to-roll print is growing Forecasted worldwide ES/LX/UV print volumes

Oc Colorado 1640 1 Roll-to-roll print is growing Forecasted worldwide ES/LX/UV print volumes

Oc Colorado 1640 1 Roll-to-roll print is growing Forecasted worldwide ES/LX/UV print volumes m2 printed (M) Source: IT Strategies WF Ink Jet Graphics Summary 2015 Turn-around times shorter than ever 24 48 hours 21% What percentage

492 views • 37 slides
Programming Languages Research Paper Submitted by: Amit Jaju-Roll no 16 Swarjit Das-Roll no 9

Programming Languages Research Paper Submitted by: Amit Jaju-Roll no 16 Swarjit Das-Roll no 9

Programming Languages Research Paper Submitted by: Amit Jaju-Roll no 16 Swarjit Das-Roll no 9 Introduction COBOL is a high-level programming language first developed by the CODASYL Committee ( Co nference on Da ta Sy stems L anguages) in 1960.

329 views • 8 slides
ALGOL [ ALGORITHMIC LANGUAGE ] Submitted By: Jaideep Jha Roll No. 17 Nikhil Kumar Roll No. 19

ALGOL [ ALGORITHMIC LANGUAGE ] Submitted By: Jaideep Jha Roll No. 17 Nikhil Kumar Roll No. 19

ALGOL [ ALGORITHMIC LANGUAGE ] Submitted By: Jaideep Jha Roll No. 17 Nikhil Kumar Roll No. 19 HISTORY ALGOL (ALGOrithmic Language) is one of several high level languages designed specifically for programming scientific computations. It

286 views • 5 slides
PROGRAMMING LANGUAGE ONE (PL/I) By: Ankit Jain, Roll no. 15 Amol Deodhar, Roll no. 25 History

PROGRAMMING LANGUAGE ONE (PL/I) By: Ankit Jain, Roll no. 15 Amol Deodhar, Roll no. 25 History

PROGRAMMING LANGUAGE ONE (PL/I) By: Ankit Jain, Roll no. 15 Amol Deodhar, Roll no. 25 History PL/1 was developed as an IBM product in the mid 1960's, and was originally named NPL (New Programming Language). The name was changed to PL/1 to avoid

57 views • 5 slides
Error Propagation Analysis for File Systems Cindy Rubio-Gonzlez, Haryadi S. Gunawi, Ben

Error Propagation Analysis for File Systems Cindy Rubio-Gonzlez, Haryadi S. Gunawi, Ben

Error Propagation Analysis for File Systems Cindy Rubio-Gonzlez, Haryadi S. Gunawi, Ben Liblit, Remzi H. Arpaci-Dusseau, and Andrea C. Arpaci-Dusseau University of Wisconsin-Madison PLDI09 ECS 289C Seminar on Program

554 views • 30 slides
Overwriting code in Drupal Vasile CHINDRIS vasi1186 d.o Why to overwrite? There is no

Overwriting code in Drupal Vasile CHINDRIS vasi1186 d.o Why to overwrite? There is no

Overwriting code in Drupal Vasile CHINDRIS vasi1186 d.o Why to overwrite? There is no magic solution that solves all our problems. We are not happy with the existing implementation. Wrap the current implementation. ...

981 views • 33 slides
Ministry of Forests, Lands & Natural Resource Operations ROAD LOAD RATING PROJECT 2011-12

Ministry of Forests, Lands & Natural Resource Operations ROAD LOAD RATING PROJECT 2011-12

Ministry of Forests, Lands & Natural Resource Operations ROAD LOAD RATING PROJECT 2011-12 Project Update July 10, 2012 Gary McClelland P.Eng. GOAL OF THE PRESENTATION Bring audience up to speed on what has been done up till now

741 views • 35 slides
S ite-S pecific S tochastic S tudy of Multiple Truck Presence on Highway Multiple Truck

S ite-S pecific S tochastic S tudy of Multiple Truck Presence on Highway Multiple Truck

S ite-S pecific S tochastic S tudy of Multiple Truck Presence on Highway Multiple Truck Presence on Highway Bridges Peter Morales Grad. Research Assist Mayrai Gindy Ph.D Principal Investigator Mayrai Gindy Ph D Principal Investigator 20 0

519 views • 25 slides
Revised Proposition J: Research to date and next steps APRIL 24, 2014 |SAN FRANCISCO ETHICS

Revised Proposition J: Research to date and next steps APRIL 24, 2014 |SAN FRANCISCO ETHICS

Revised Proposition J: Research to date and next steps APRIL 24, 2014 |SAN FRANCISCO ETHICS COMMISSION |REGULAR MEETING |AGENDA ITEM 4 PRESENTATION BY KYLE KUNDERT SENIOR POLICY ANALYST 1 Proposition J (Prop J) in California The

207 views • 6 slides
Coding Camp 2018 SUMMER CAMP Presented by Axiom Academy Hosted by Centennial Academy A chance

Coding Camp 2018 SUMMER CAMP Presented by Axiom Academy Hosted by Centennial Academy A chance

Teen Coding Camp 2018 SUMMER CAMP Presented by Axiom Academy Hosted by Centennial Academy A chance for teens to: Learn coding (Swift) Learn problem-solving skills Learn teamwork skills Make their own app Make new friends

698 views • 33 slides
You Build It, You Own It! Presented by: Sean Miller and

You Build It, You Own It! Presented by: Sean Miller and

AW21 DevOps Practices Wednesday, November 6th, 2019 3:00 PM You Build It, You Own It! Presented by: Sean Miller and Suresh Chellapilla Capital One Brought

628 views • 34 slides
Coding the Black Press: Integrating black newspapers as primary sources in the classroom Kristi

Coding the Black Press: Integrating black newspapers as primary sources in the classroom Kristi

Coding the Black Press: Integrating black newspapers as primary sources in the classroom Kristi Richard Melancon Mississippi College Theoretical Framework: Why study periodicals? P eriodical StudiesMargaret Beetham, A Magazine of Her Own?

343 views • 10 slides

More recommend