rolling rolling the the root root
play

Rolling Rolling the the Root Root Geoff Huston APNIC Use Use - PowerPoint PPT Presentation

Apr 04, 2023 •355 likes •788 views

Rolling Rolling the the Root Root Geoff Huston APNIC Use Use of of DNSSEC DNSSEC in in Todays Todays Internet Internet Why Why is is this this relevant? relevant? Because Because the root zone managers are preparing

  1. Rolling Rolling the the Root Root Geoff Huston APNIC

  2. Use Use of of DNSSEC DNSSEC in in Today’s Today’s Internet Internet

  3. Why Why is is this this relevant? relevant?

  4. Because… Because… the root zone managers are preparing to roll the DNS Root Zone Key Signing Key (and this may break your DNS service!) 4

  5. Five Five Years Years Ago Ago…

  6. Five Five Years Years Ago… Ago…

  7. ZSK? ZSK? – Zone Signing Key – Used to generate the digital signature RRSIG records in the root zone – The ZSK is rolled regularly every quarter – The DNSKEY record for the ZSK is signed by the KSK

  8. KSK? KSK? • The Root Zone Key Signing Key signs the DNSKEY RR set of the root zone – The Zone Signing Key (ZSK) signs the individual root zone entries • The KSK Public Key is used as the DNSSEC Validation trust anchor – It is copied everywhere as “configuration data” – Most of the time the KSK is kept offline in highly secure facilities

  9. The The Eastern Eastern KSK KSK Repository Repository

  10. The The Western Western KSK KSK Repository Repository El Segundo, California *

  11. The The Ultra Ultra Secret Secret Third Third KSK KSK Repository Repository in in Amsterdam Amsterdam

  12. The The Cast Cast of of Actors Actors • Root Zone Management Partners: – Internet Corporation for Assigned Names and Numbers (ICANN) – National Telecommunications and Information Administration, US Department of Commerce (NTIA) – Verisign • External Design Team for KSK Roll

  13. Approach Approach • ICANN Public Consultation – 2012 • Detailed Engineering Study - 2013 • SSAC Study (SAC-063) - 2013 • KSK Roll Design Team - 2015

  14. 2015 2015 Design Design Team Team Milestone Milestones • January – June: Study, discuss, measure, ponder, discuss some more • August – Present a draft report for ICANN Public Comment https://www.icann.org/public-comments/root-ksk-2015-08-06-en (comment close 5 th October 2015) • October – Prepare final report • Pass to the Root Zone Management Partners who then will develop an operational plan and execute

  15. Rolling Rolling the the KSK? KSK? • All DNS resolvers that perform validation of DNS responses use a local copy of the KSK • They will need to load a new KSK public key and replace the existing trust anchor with this new value at the appropriate time • This key roll could have a public impact, particularly if DNSSEC-validating resolvers do not load the new KSK

  16. Easy, Easy, Right? Right? • Publish a new KSK and include it in DNSKEY responses • Use the new KSK to sign the ZSK, as well as the old KSK signature – Resolvers use old-signs-over-new to pick up the new KSK, validate it using the old KSK, and replace the local trust anchor material with the new KSK • Withdraw the old signature signed via the old KSK • Revoke the old KSK

  17. The The RFC5011 RFC5011 Approach Approach

  18. The The RFC5011 RFC5011 Approach Approach

  19. But But that that was was then… then… And this is now: – Resolvers are now not so aggressive in searching for alternate validation paths when validation fails (as long as resolvers keep their code up to date, which everyone does – right?) – And now we all support RFC5011 key roll processes – And everyone can cope with large DNS responses So all this will go without a hitch Nobody will even notice the KSK roll at the root

  20. But But that that was was then… then… And this is now: – Resolvers are now not so aggressive in searching for alternate validation paths when validation fails (as long as resolvers keep their code up to date, which everyone does – right?) – And now we all support RFC5011 key roll processes – And everyone can cope with large DNS responses So all this will go without a hitch Nobody will even notice the KSK roll at the root

  21. What What we we all all should should be be concerned concerned about… about… That resolvers who validate DNS responses will fail to pick up the new DNS root key automatically – i.e. they do not have code that follows RFC5011 procedures for the introduction of a new KSK The resolvers will be unable to receive the larger DNS responses that will occur during the dual signature phase of the rollover

  22. Technical Technical Concerns Concerns • Some DNSSEC validating resolvers do not support RFC5011 – How many resolvers may be affected in this way? – How many users may be affected? – What will the resolvers do when validation fails? • Will they perform lookup ‘thrashing’ – What will users do when resolvers return SERVFAIL? • How many users will redirect their query to a non-validating resolver

  23. Technical Technical Concerns Concerns • Some DNSSEC validating resolvers do not support RFC5011 – How many resolvers may be affected in this way? – How many users may be affected? – What will the resolvers do when validation fails? • Will they perform lookup ‘thrashing’ – What will users do when resolvers return SERVFAIL? • How many users will redirect their query to a non-validating resolver

  24. Some Some Observatio Observations ns - 1 There is a LOT of DNSSEC validation out there – 87% of all queries have DNSSEC-OK set – 33% of all DNSSEC-OK queries attempt to validate the response – 30% of end users are using DNS resolvers that will validate what they are told – 15% of end users don’t believe bad validation news and turn to other non-validating resolvers when validation fails.

  25. Some Some Observatio Observations ns - 2 The larger DNS responses will probably work – The “fall back to TCP” will rise to 6% of queries when the response size get to around 1,350 octets – And the DNS failure rate appears to rise by around 1 - 2 % – BUT .org has been running its DNSKEY response at 1,650 octets and nobody screamed failure! – So it will probably work

  26. Some Some Observatio Observations ns - 3 We can’t measure automated key take up – We can’t see how many resolvers fail to use RFC5011 notices to pick up the new KSK as a Trust Anchor in advance – We will not know how many “new’ resolvers appear in the 30 day holddown period – We will only see this via failure on key roll

  27. Where Where are are we? we? • A key roll of the Root Zone KSK will cause some resolvers to fail: – Resolvers who do not pick up the new key in the manner described by RFC5011 – Resolvers who cannot receive a DNS response of ~1,300 octets • Many users who use these failing resolvers will just switch over to use a non-validating resolver • A small pool of users will be affected with no DNS

  28. KSK KSK Design Design Team Team A report from the design team that was completed in December 2015… But publication is still forthcoming The report contains the following recommendations:

  29. Design Design Team Team Recommend Recommendat ation ions 29

  30. Recommenda Recommendatio tions ns (cont cont) 30

  31. Recommenda Recommendatio tions ns (cont cont) 31

  32. Recommenda Recommendatio tions ns 32

  33. Recommenda Recommendatio tions ns (cont cont) It ’ s now early March 2016 and the Design Team report has not been published, so this proposed timetable may no longer be achievable L 33

  34. What What can can I I do? do? Check your recursive resolver config! 34

  35. Good Good Dog! Dog! # // recursive resolver configuration - Bind … managed-keys { . initial-key 257 3 5 "AwEAAfdqNV JMRMzrppU1WnNW0PWrGn4x9dPg … =„; }; 35

  36. Bad Bad Dog! Dog! # // recursive resolver configuration - Bind … trusted-keys { . 257 3 5 "AwEAAfdqNV JMRMzrppU1WnNW0PWrGn4x9dPg … =„; }; 36

  37. Questions? Questions?

  38. Comments/D Comments/Disc iscus ussio sion n points points - 1 Why Now? What is the imperative to roll the key now? Could we use more time to improve preparedness for this roll? For example, could we use further time to introduce some explicit EDNS(0) signalling options in resolvers to expose RFC5011 capability? 38

  39. Comments Comments - 2 Measuring and Testing? What measurements are planned to be undertaking during the key roll process? What are the threshold metrics for proceeding to the next phase? What is the threshold metric to proceed with the revocation of the old KSK? 39

  40. Comments Comments - 3 Algorithm Change The report’s language around the potential for algorithm change is unclear. There appears to be a strong bias to retention of RSA as the KSK algorithm, despite evidence that ECDSA is both shorter and potentially faster to compute. Whilst the report argues for a reduced risk of large packets, it doesn’t clearly explain why larger RSA-based DNS response payloads would be preferable to smaller ECDSA DNS response payloads. 40

  41. Comments Comments - 4 Scheduling The report notes as a constraint that a key roll must be aligned with existing Quarter and 10-day periods used in existing processes. This has the potential consequence of scheduling the critical change in the root zone on a weekend, or on a major public holiday. Why? 41

  42. Comments Comments - 5 Serialization The report assumes a single new KSK. What are the issues of introducing 2 or even 3 new KSKs at this point? 42

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN |

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN |

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN | 1 Motivation for the Talk ICANN is about to change an important configuration parameter in DNSSEC For a network DNS operator, this may

377 views • 21 slides
PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO

PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO

Mario Vuksan & Tomislav PericinBlackHat USA 2013, Las Vegas PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO CONTINUE: PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO PRESS ROOT TO CONTINUE: CONTINUE: CONTINUE: CONTINUE:

690 views • 45 slides
Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key

Certicate Transparency Root Explorer Nikita Korzhitskii Niklas Carlsson Web Public Key Infrastructure (WebPKI) Root certificates of trusted Certificate Authorities e.g. GlobalSign Root CA, Amazon Root CA, GoDaddy Root CA Root 1 Root 2

347 views • 19 slides
2017 Water Cruise: Update on Copper dataset and Rolling Averages Calculating 3-Event Rolling

2017 Water Cruise: Update on Copper dataset and Rolling Averages Calculating 3-Event Rolling

2017 Water Cruise: Update on Copper dataset and Rolling Averages Calculating 3-Event Rolling Averages As part of the site-specific objectives (SSO), NPDES dischargers are required to calculate the 3-event rolling average of dissolved

627 views • 8 slides
Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and volatility of the root zone Jaap Akkerhuis Lyman Chapin Patrik Fltstrm Glenn Kowack Bill Manning Lars-Johan Liman Summary of Findings Root Scaling

558 views • 20 slides
Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to

Root Cause Analysis 1 Root Cause Analysis Root Cause Analysis is a method that is used to address a problem or non-conformance, in order to get to the root cause of the problem. It is used so we can correct or eliminate the cause,

389 views • 28 slides
BLS ROLLING MILL & MELTSHOP TECHNOLOGIES Rolling Mill & Meltshop Technologies A leading

BLS ROLLING MILL & MELTSHOP TECHNOLOGIES Rolling Mill & Meltshop Technologies A leading

BLS ROLLING MILL & MELTSHOP TECHNOLOGIES Rolling Mill & Meltshop Technologies A leading provider company of; Turn-Key Facility Projects, Renovation projects, Revamping / Upgrading projects, Production of complete MELTSHOPS

1.06k views • 71 slides
Square Root of Not: Square Root of Not: . . . A Major Difference Between Square Root of

Square Root of Not: Square Root of Not: . . . A Major Difference Between Square Root of

Quantum Mechanics Quantum Logic Alternative Quantum . . . Square Root of Not: . . . Square Root of Not: Square Root of Not: . . . A Major Difference Between Square Root of Not Is . . . Why Factoring Large . . . Fuzzy and Quantum

381 views • 17 slides
Timeline for AQ Activities 1 st Jan - SMP AQ Calculation (rolling AQ) * 1 st Dec - Snapshot for

Timeline for AQ Activities 1 st Jan - SMP AQ Calculation (rolling AQ) * 1 st Dec - Snapshot for

Timeline for AQ Activities 1 st Jan - SMP AQ Calculation (rolling AQ) * 1 st Dec - Snapshot for Formula Year AQ Value * 1 st Feb - SMP AQ Calculation December J a n (rolling AQ) u a r y * Supply Meter Point AQ will calculate if a

277 views • 4 slides
Rolling Resistance Influence on Fuel Consumption Decrease of tires Rolling Resistance by 10%

Rolling Resistance Influence on Fuel Consumption Decrease of tires Rolling Resistance by 10%

Technical University of Gdansk, Poland Rolling Resistance Influence on Fuel Consumption Decrease of tires Rolling Resistance by 10% results in approximately 3% reduction of fuel consumption Number of vehicles in Poland - 15 000 000, in USA

355 views • 21 slides
Getting the most out of the ROOT tutorials Automated conversion from ROOT macros to Jupyter

Getting the most out of the ROOT tutorials Automated conversion from ROOT macros to Jupyter

Getting the most out of the ROOT tutorials Automated conversion from ROOT macros to Jupyter notebooks Pau Miquel, Summer 2016 Supervisors: Pere Mat, Danilo Piparo 1 / 24 Outline 1. Overview 2. ROOT Tutorials 3. Conversion a. Steps

746 views • 30 slides
Rolling stock technical forum Standards development Michael Uhlig, Lead Engineer Rolling Stock,

Rolling stock technical forum Standards development Michael Uhlig, Lead Engineer Rolling Stock,

Rolling stock technical forum Standards development Michael Uhlig, Lead Engineer Rolling Stock, ASA November 2015 Presentation heading Sub-heading | 1 Welcome Administrative issues Attendance sheet Mobile phones to silent please

1.09k views • 65 slides
Thoughts on F-Root Futures Jeff Osborn President, Internet Systems Consortium Whats the

Thoughts on F-Root Futures Jeff Osborn President, Internet Systems Consortium Whats the

Thoughts on F-Root Futures Jeff Osborn President, Internet Systems Consortium Whats the Point? What is a root server? Root server traditions Current root server realities Post mortem of root attacks New root server

448 views • 11 slides
ROOT4J / SPARK-ROOT: ROOT I/O for JVM and Applications for Apache Spark V. Khristenko 1 J.

ROOT4J / SPARK-ROOT: ROOT I/O for JVM and Applications for Apache Spark V. Khristenko 1 J.

Introduction Functionality Examples Summary ROOT4J / SPARK-ROOT: ROOT I/O for JVM and Applications for Apache Spark V. Khristenko 1 J. Pivarski 2 1 Department of Physics The University of Iowa 2 Princeton University - DIANA ROOT I/O Workshop,

544 views • 19 slides
Contents Section Rolling Mod.&Sim.of Met.&Mat.Process History and Overview 1 MET 346E

Contents Section Rolling Mod.&Sim.of Met.&Mat.Process History and Overview 1 MET 346E

28.04.2015 Contents Section Rolling Mod.&Sim.of Met.&Mat.Process History and Overview 1 MET 346E Section Rolling 2 Birsen Ba Can nal Basic Equipments 3 Tuncay akmak Can Berk algam Simulation Bayu Ongunyurt 4 Mehmet

336 views • 12 slides
Rolling Bones Club Events Club Events: from fairs to public speaking Rolling Bones 4-Hers

Rolling Bones Club Events Club Events: from fairs to public speaking Rolling Bones 4-Hers

Rolling Bones Club Events Club Events: from fairs to public speaking Rolling Bones 4-Hers participate in: Dog Events: All About the Dogs Weekend Training Meetings Club Events Fairs Eastern States Exposition Games Night

361 views • 13 slides
NASHOBA Introducing Honor Roll 2014 What do we have now Different at Different at Confusion

NASHOBA Introducing Honor Roll 2014 What do we have now Different at Different at Confusion

NASHOBA Introducing Honor Roll 2014 What do we have now Different at Different at Confusion as to Confusion as to Different at Different at each middle each middle how it is how it is High School High School school school

446 views • 11 slides
Monthly Statewide CAM Call-in September 19, 2018 If you are not connected through Join by phone

Monthly Statewide CAM Call-in September 19, 2018 If you are not connected through Join by phone

CAM.oregon.gov 9/19/18 cam.communications@state.or.us Monthly Statewide CAM Call-in September 19, 2018 If you are not connected through Join by phone +1 (503) 934-1400 Conference ID: 916394 1 CAM.oregon.gov cam.communications@state.or.us

258 views • 9 slides
POLICY TOPIC RECOMMENDATION Policy Topic What are the significant barriers or challenges to

POLICY TOPIC RECOMMENDATION Policy Topic What are the significant barriers or challenges to

POLICY TOPIC RECOMMENDATION Policy Topic What are the significant barriers or challenges to access to oncology care if you are uninsured, underinsured, on public or private insurance? What are the significant barriers or challenges to access

277 views • 4 slides
Dont make the same mistake twice! Avoiding repeat violations of Reliability Standards 17

Dont make the same mistake twice! Avoiding repeat violations of Reliability Standards 17

Dont make the same mistake twice! Avoiding repeat violations of Reliability Standards 17 November 2010 www.morganlewis.com www.ey.com Welcome to Dont Make the Same Mistake Twice! Avoiding Repeat Violations of Reliability Standards

681 views • 28 slides
CalTREES California Timber Regulation and Environmental Evaluation System (Online Submission of

CalTREES California Timber Regulation and Environmental Evaluation System (Online Submission of

CalTREES California Timber Regulation and Environmental Evaluation System (Online Submission of Harvesting Documents) Public Workshop for Harvest Document Search and Review October 22, 2018 Presentation Overview Greetings and Introduction

328 views • 15 slides
Washoe County FY16-18 Strategic Planning Implementation & Rollout July 14, 2015 Board of

Washoe County FY16-18 Strategic Planning Implementation & Rollout July 14, 2015 Board of

Washoe County FY16-18 Strategic Planning Implementation & Rollout July 14, 2015 Board of County Commission Meeting Planning Process Overview Assess Current State Set Strategic Direction Build the Plan Manage Performance (Phase 1)

328 views • 10 slides
Rollback-Free Value Predic2on with Approximate Loads Bradley

Rollback-Free Value Predic2on with Approximate Loads Bradley

Rollback-Free Value Predic2on with Approximate Loads Bradley Thwaites Gennady Pekhimenko Amir Yazdanbakhsh Jongse Park Girish Mururu Hadi Esmaeilzadeh

355 views • 7 slides
Williamson County Effective and Rollback Tax Rates Tax Year 2016 What has changed?

Williamson County Effective and Rollback Tax Rates Tax Year 2016 What has changed?

Williamson County Effective and Rollback Tax Rates Tax Year 2016 What has changed? Certified value increase of almost $4.97 B over LY $50.861 Billion Value under protest increased by $553 M over LY $1.559 Billion New Imp

93 views • 6 slides

More recommend