managing the root ksk rollover step by step for operators
play

Managing the Root KSK Rollover, Step by Step for Operators Quickly - PowerPoint PPT Presentation

Dec 09, 2023 •10 likes •240 views

Managing the Root KSK Rollover, Step by Step for Operators Quickly spun by Edward.Lewis @ ICANN.ORG Changed-by: carlos @ lacnic.net LACNIC 27 Foz do Iguassu 1 Agenda What is the problem here ? Some tools to check operation

  1. Managing the Root KSK Rollover, Step by Step for Operators Quickly spun by Edward.Lewis @ ICANN.ORG Changed-by: carlos @ lacnic.net LACNIC 27 – Foz do Iguassu 1

  2. Agenda • What is the problem here ? • Some tools to check operation • Notes for BIND • Notes for unbound March 20, 2017 2

  3. The Root Zone DNSSEC KSK ¤ The Root Zone DNSSEC Key KS Signing Key “ KSK ” is the top K most cryptographic key in the DNSSEC hierarchy ¤ Public portion of the KSK is configuration parameter in DNS validating revolvers DATA

  4. Rollover of the Root Zone DNSSEC KSK ¤ There has been one functional, operational Root Zone DNSSEC KSK ¤ Called "KSK-2010" ¤ Since 2010, nothing before that ¤ A new KSK will be put into production later this year ¤ Call it "KSK-2017" ¤ An orderly succession for continued smooth operations ¤ Operators of DNSSEC recursive servers may have some work ¤ As little as review configurations ¤ As much as install KSK-2017

  5. Important Milestones Event Date Creation of KSK-2017 October 27, 2016 Production Qualified February 2, 2017 Out-of-DNS-band Publication Now, onwards In-band ( Automated Updates ) Publication July 11, 2017 and onwards Sign (Production Use) October 11, 2017 and onwards Revoke KSK-2010 January 11, 2018 Remove KSK-2010 from systems Dates TBD, 2018

  6. High-level steps • Prepare yourself – Learn and document your plan • Survey your network – Learn what you have to manage • Test your network – Verify your expectations • Set up monitoring – Impossible to manage what is not monitored • Do what needs to be done March 20, 2017 6

  7. Prepare Yourself • ICANN documentation – It starts here: https://www.icann.org/resources/pages/ksk- rollover – And here: http://www.lacnic.net/web/lacnic/key-signing-key – Do you use DNSSEC validation? Even if no, there might be side effects like IP fragmentation – Document your plans, know what you expect to expect and who to contact if help is needed • Mailing lists for those interested – https://mm.icann.org/mailman/listinfo/ksk-rollover – https://mm.icann.org/mailman/listinfo/root-dnssec- announce March 20, 2017 7

  8. Survey Your Network • Discover whether any servers are performing DNSSEC validation – A previous administrator may have turned it on • Discover whether servers are running on IPv6 – IPv6 fragmentation is different from IPv4 fragmentation • Discover what DNS software is in use, what version and how to re-configure it – DNS is "buried" in OS and application releases, not as obvious as it used to be – Version is important (again) as tools for managing DNSSEC trust anchors get exercised March 20, 2017 8

  9. What versions? • Newer versions are always better than older versions (minus bugs) – Functionality is added, improved tooling – Newer versions are not a MUST, recent older versions also work – The Automated Updates code has been stable for a few years, it's the debugging tools that improve • Mind the age of configuration files – Software updates may just replace binaries, make sure your hand-crafted configurations make use of new options and features – What is "old" depends on the software in use – This is chiefly a BIND concern due to its long history in operations March 20, 2017 9

  10. Test Yourself • Check for the ability to exchange large DNS messages: – http://keysizetest.verisignlabs.com/ – https://www.dns- oarc.net/oarc/services/replysizetest • Check whether your DNS tools can follow Automated Updates – https://automated-ksk-test.research.icann.org/ March 20, 2017 10

  11. Key Size Test March 20, 2017 11

  12. Key Size Test (ii)

  13. Set Up Monitoring • Pay (more) attention to – DNSSEC failures in DNS log messages • This may indicate trouble with configured trust anchors – Fragmented packets in the network • This may indicate trouble with large DNS messages – DNS recursive servers' trust anchor sets • Verify "it" is working • Monitor appropriately – Don't get overwhelmed by alerts (so they are ignored) – Don't take silence as "good", a monitor may fail! March 20, 2017 13

  14. Do What Needs to be Done • Follow your plan – Even if you don't DNSSEC validate • Watch for packet fragments – If you follow Automated Updates • Verify your server and configuration are set properly • Be sure you see the new KSK as trusted in August/September 2017 – If you opt to configure manually • Set up a plan to establish trust • Plan to update all servers March 20, 2017 14

  15. Retrieving the new KSK "manually" • To assist those opting out of Automated Updates – A python script called get_trust_anchor.py – https://github.com/iana-org/get-trust-anchor – Script generates files which can be used to configure servers – Script is an example of how to evaluate trust March 20, 2017 15

  16. Notes for BIND • Check configuration – If you validate, don't use "trusted-keys" option – Replace it with "managed-keys" • Learn diagnostic tools – rndc "secroots" (in version 9.9 and maybe earlier) – rndc "managed-keys status" (from version 9.11) – file managed-keys.bind • Configure managed-keys March 20, 2017 16

  17. Bad dog! (Apologies to Geoff Huston) or "yes" • options { dnssec-validation auto;}; • trusted-keys { . 257 3 8 "AwEAAag ... +Uk1ihz0=";}; March 20, 2017 17

  18. Good dog! (Apologies to Geoff Huston) • options { dnssec-validation auto;}; • managed-keys { . initial-key 257 3 8 "AwEAAag ... +Uk1ihz0=";}; March 20, 2017 18

  19. Better dog! (Apologies to Geoff Huston) • All you need in named.conf is: • options { dnssec-validation auto;}; March 20, 2017 19

  20. BIND & the automated updates testbed • Sign up for the mailed instructions via – https://automated-ksk-test.research.icann.org/ • A "sample" configuration is: options { dnssec-validation auto;}; managed-keys { 2017-03-05.automated-ksk- test.research.icann.org initial-key 257 3 8 "AwEAAa9qsSLDI....wuKupscP8KHBluZyOSK w4RMTk6YBdE="; }; March 20, 2017 20

  21. What to expect • A file called "managed-keys.bind" which lists keys trusted or in the automated updates process • rndc – "secroots" dumps named.secroots, the trust anchors • rndc – "managed-keys" (in 9.11) lists automated- update status of key • If a key is in managed-keys.bind but not listed in named.secroots, it is likely in the addpend state (see RFC 5011) March 20, 2017 21

  22. Notes for unbound • To add a managed root trust anchor: – auto-trust-anchor-file: "root.key" • And in the file "root.key" – Place a DS or DNSKEY record for the current appropriate trust anchor – E.g. – . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia...+Uk1ihz0= – This file will be rewritten by unbound, if not there's a problem! • For manual management – unbound-anchor is a tool to get and evaluate the current trust anchors published via the web March 20, 2017 22

  23. ¡Muchas gracias!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A

min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A

a i a j a i , a j a j , a i min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A parallel compare-exchange operation. Processes P i and P j send their elements to each other. Process P i keeps min { a i ,

372 views • 22 slides
Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all

Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all

Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all customary information forms to Preparation and adoption of Convening and submission Submission of Application Ste land owned by ILG obtain

1.23k views • 4 slides
Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by

Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by

Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by step procedures Webster Groves School District 2009 Response to Intervention (RtI) is a comprehensive early detection and prevention strategy

688 views • 23 slides
o o o o Step 1:

o o o o Step 1:

o o o o Step 1: Bachelor of Laws (Western Sydney School of Law) Step 2: Professional Legal Training (College of Law et ors) Step 3: Admission to the Supreme

366 views • 14 slides
Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD.,

Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD.,

Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD., DTM&H., MCTM. Surveillance and Investigation Section Bureau of Epidemiology, Department of Disease Control Ministry of Public Health, Thailand

1.27k views • 83 slides
Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3:

Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3:

Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3: Installing RSBlog! 3.1 Installing the component 3.2 Installing a new language file Step 4: Import plugins (optional) 4.1 Import Joomla! articles

889 views • 67 slides
Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3:

Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3:

Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3: Installing RSEvents! Step 4: Configure RSEvents! Step 5: Add user permissions Step 6: Create event categories Step 7: Create event locations Step 8:

627 views • 35 slides
FROM XML TO RDF STEP BY STEP: APPROACHES FOR LEVERAGING

FROM XML TO RDF STEP BY STEP: APPROACHES FOR LEVERAGING

Co-funded by the Horizon 2020 Framework Programme of the European Union Grant Agreement Number 644771 FROM XML TO RDF STEP BY STEP: APPROACHES

613 views • 26 slides
FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH

FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH

FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH GRADE AUGUST 10,2020 IS A MINIMUM DAY STUDENTS WILL LOG 7:45AM - ONTO THEIR 12:27PM CLASSES AND ENGAGE WITH THEIR TEACHERS AND PEERS STEP 1:

276 views • 6 slides
Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big

Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big

Type Theory and Coq Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big step specify how a given expression can be evaluated to its final value. The style is simple and natural for many purposes and is

196 views • 19 slides
Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading

Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading

Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading RSTickets!Pro 2.1 Downloading the component 2.2 Downloading the plugins/modules 2.3 Downloading additional language packs Step 3: Installing RSTickets!Pro

548 views • 44 slides
Quick guide Step 1: Purchasing RSMail! Step 2: Download RSMail! Step 3: Installing RSMail! Step

Quick guide Step 1: Purchasing RSMail! Step 2: Download RSMail! Step 3: Installing RSMail! Step

Quick guide Step 1: Purchasing RSMail! Step 2: Download RSMail! Step 3: Installing RSMail! Step 4: RSMail! settings Step 5: Add Subscribers 5.1. Create subscriber lists 5.2. Add subscribers 5.2.1 Manual add 5.2.2 Import from CSV Step 6

625 views • 14 slides
Quick guide Step 1: Purchasing a RSComments! membership Step 2: Download RSComments! Step 3:

Quick guide Step 1: Purchasing a RSComments! membership Step 2: Download RSComments! Step 3:

Quick guide Step 1: Purchasing a RSComments! membership Step 2: Download RSComments! Step 3: Installing RSComments! Step 4: Configure RSComments 4.1 General Configuration 4.2 Configure comments Step 5: Add user permissions Step 6: Moderate

337 views • 8 slides
Step by step guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step

Step by step guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step

Step by step guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3: Installing RSEvents! Step 4: Configure RSEvents! 4.1 General settings 4.2 Dashboard settings 4.3 Events 4.3.1 Event general settings 4.3.2

1.29k views • 80 slides
WAYNE METALS SPECIFIC TOOLS Problem Solving & Root Cause Analysis 8-STEP PDCA PROCESS

WAYNE METALS SPECIFIC TOOLS Problem Solving & Root Cause Analysis 8-STEP PDCA PROCESS

WAYNE METALS SPECIFIC TOOLS Problem Solving & Root Cause Analysis 8-STEP PDCA PROCESS Introduced to Wayne Metals by Toyota Industrial Equipment INTERNAL DEFECT COUNTERMEASURE LOG Follow 8-Step Memo #124 STANDARDIZATION/ YOKOTEN START

751 views • 40 slides
Start.COOP A STEP-BY-STEP TOOL TO START-UP A COOPERATIVE The Modules Decision Tree and the

Start.COOP A STEP-BY-STEP TOOL TO START-UP A COOPERATIVE The Modules Decision Tree and the

Start.COOP A STEP-BY-STEP TOOL TO START-UP A COOPERATIVE The Modules Decision Tree and the Start.C OO P Modules The Training Guide Format Signs and their Meaning Roles of organizing group Activity 2B: Identifying root causes and effects

585 views • 22 slides
The Unicorn Project And The Five Ideals Session ID: @RealGeneKim

The Unicorn Project And The Five Ideals Session ID: @RealGeneKim

The Unicorn Project And The Five Ideals Session ID: @RealGeneKim My Definition of DevOps The architecture, technical practices, and cultural norms that enable us to increase our ability to deliver

1.48k views • 104 slides
Problem sets Dr Andreas Krause Instructions These three problem sets are representative of

Problem sets Dr Andreas Krause Instructions These three problem sets are representative of

BSc (Hons) Economics BSc (Hons) Economics and Politics BSc (Hons) Economics and International Development Department of Economics ES30089 Economics of Banking Problem sets Dr Andreas Krause Instructions These three problem sets are

107 views • 6 slides
Demo: BGP Path Hijacking Vimal Stanford University August 18

Demo: BGP Path Hijacking Vimal Stanford University August 18

Demo: BGP Path Hijacking Vimal Stanford University August 18 th 2014 Goals of the Assignment Understand how BGP path hijacking aGacks might happen in

322 views • 11 slides
Show of Hands Should I skip the intro? History of Bitcoin 2009 Satoshi Nakamoto

Show of Hands Should I skip the intro? History of Bitcoin 2009 Satoshi Nakamoto

18 th Monthly Meetup Thursday, August 24 | UST Global, Trivandrum Show of Hands Should I skip the intro? History of Bitcoin 2009 Satoshi Nakamoto Bitcoin Cryptocurrency Blockchain Blockchain: Definition A

830 views • 26 slides
Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side

Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side

Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side Rear Other 39% N=32,335 Source: 2002 FARS Side-impact Crashes (non-rollover) by Crash Partner Passenger Cars Other 19% 21% Narrow Objects

708 views • 4 slides
Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN

Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN

Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN FOSDEM 2019 3 February 2019 | 1 The KSK rollover has happened! The KSK rollover occurred on time as planned at 1600 UTC on 11 October 2018

434 views • 24 slides
On the Security of Carrier Phase-based Ranging Hildur Olafsdottir, Aanjhan Ranganathan, Srdjan

On the Security of Carrier Phase-based Ranging Hildur Olafsdottir, Aanjhan Ranganathan, Srdjan

On the Security of Carrier Phase-based Ranging Hildur Olafsdottir, Aanjhan Ranganathan, Srdjan Capkun Importance of Secure Proximity Verification Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 2 Importance of Secure

807 views • 52 slides
COVID-19 Preparedness CARES Act Provisions 1 Stimulus Checks = Cash Now Maximum of $1,200 per

COVID-19 Preparedness CARES Act Provisions 1 Stimulus Checks = Cash Now Maximum of $1,200 per

COVID-19 Preparedness CARES Act Provisions 1 Stimulus Checks = Cash Now Maximum of $1,200 per adult and $500 per dependent child under age 17 Advanced credit determined based on 2019 return if it has been filed If 2019 return has

89 views • 5 slides

More recommend