Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos - - PowerPoint PPT Presentation

rolling the root zone dnssec key signing key
SMART_READER_LITE
LIVE PREVIEW

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos - - PowerPoint PPT Presentation

Rolling the Root Zone DNSSEC Key Signing Key Presented by Carlos Martnez, on behalf of ICANN | 1 Motivation for the Talk ICANN is about to change an important configuration parameter in DNSSEC For a network DNS operator, this may


slide-1
SLIDE 1

| 1

Rolling the Root Zone DNSSEC Key Signing Key

Presented by Carlos Martínez, on behalf of ICANN

slide-2
SLIDE 2

| 2 | 2

Motivation for the Talk

¤ ICANN is about to change an important configuration

parameter in DNSSEC

¤ For a network DNS operator, this may create a need for

action

¤ This discussion is meant to inform: What is happening,

when, and what to do if troubleshooting is needed

slide-3
SLIDE 3

| 3 | 3

DNSSEC in the Root Zone

¤ DNSSEC in the Root Zone is managed by:

  • ICANN, as the IANA Functions Operator
  • Verisign, as the Root Zone Maintainer (RZM)

¤ In coordination with U.S. Department of Commerce’s

National Telecommunications and Information Administration (NTIA) per agreements

slide-4
SLIDE 4

| 4 | 4

DNSSEC Key Management in the Root Zone

¤ DNSSEC key management is divided into:

  • Key Signing Key (KSK), self-signs the key set
  • Zone Signing Key (ZSK), signs other zone data

¤ These roles are meaningful to the operators of signed

zones

  • The significance is that the roles are separated
slide-5
SLIDE 5

| 5 | 5

KSK and ZSK

¤ ICANN, as IANA Functions Operator, manages the KSK

  • Same KSK since operations began in 2010
  • The KSK signs the ZSK quarterly in a ceremony

¤ Verisign, as Root Zone Maintainer, manages the ZSK

  • ZSK is changed quarterly
slide-6
SLIDE 6

| 6 | 6

Activities Underway

¤ Extending signature durations

  • Recommendations in Root Server System Advisory

Committee’s (RSSAC) report on root zone TTLs (RSSAC003)

¤ The ZSK lengthening (visible late 2016)

  • Activity managed by Verisign, covered elsewhere

¤ The KSK changing (visible throughout 2017)

  • A new trust anchor is needed by all DNSSEC validating

DNS caches/clients

¤ Separate but coordinated activities

slide-7
SLIDE 7

| 7 | 7

Why Change the KSK?

¤ Primary reason – operational preparedness

  • KSK has no expiration date, currently no weakness
  • No key should live forever: bad crypto practice
  • DNSSEC Practice Statement states the key will be rolled
  • Prefer to exercise process in normal conditions
  • As opposed to abnormal, such as key compromise

¤ Big challenge

  • Involves countless/uncountable participants
  • No test environment can cover all possibilities
slide-8
SLIDE 8

| 8 | 8

The KSK Roll Plan Documents

¤ The plan consists of five documents:

  • 2017 KSK Rollover Operational Implementation Plan
  • 2017 KSK Rollover Systems Test Plan
  • 2017 KSK Rollover Monitoring Plan
  • 2017 KSK Rollover External Test Plan
  • 2017 KSK Rollover Back Out Plan

¤ The documents are available at:

https://www.icann.org/kskroll

slide-9
SLIDE 9

| 9 | 9

Communications Approach

¤ Target technical audiences performing DNSSEC

validation (e.g., Network Operating Groups)

  • How to participate in the KSK rollover

¤ Broader communication

  • General awareness, resources available

¤ Integrated communications approach

  • Traditional channel (email, presentations)
  • Social media (#KeyRoll)
  • Leverage ICANN staff and stakeholder groups
slide-10
SLIDE 10

| 10 | 10

Operational Implementation Plan Phases

¤ Preparation Phases

  • System engineering, KSK creation and replication
  • Little to no operational impact on Internet

¤ Automated Updates (RFC 5011) Phases

  • KSK-2017 (new) pre-published, signs DNSKEY set
  • KSK-2010 (current) is revoked

¤ Post Rollover Phases

  • Deletion of KSK-2010 from system
  • Project experiences documented
slide-11
SLIDE 11

| 11 | 11

Operational Implementation Plan Dates

¤ Plans publicly available from July 22, 2016 ¤ Key signing ceremonies

  • Q4 2016 ceremony (October 27): generate new KSK
  • Q1 2017 ceremony (February): KSK operationally ready

¤ DNS changes

  • New KSK in root zone on July 11, 2017
  • New KSK signs DNSKEY RRset beginning October 11, 2017
  • Current KSK revoked on January 11, 2018

(Timing contingent on successful ZSK size increase)

slide-12
SLIDE 12

| 12 | 12

Operational Implementation Plan Timeline

ZSK-q1 ZSK-q1 ZSK-…

post-publish

Slot 9 Slot 1 Slot 9 Slot 2…8 Slot 1

ZSK-q3

pre-publish

ZSK-q2 ZSK-…

pre-publish

ZSK-q3 ZSK-q3 ZSK-q2

post-publish

KSK-2010

publish+sign

KSK-2010

publish+sign

KSK-2017

publish

KSK-2017

publish+sign

Slot 2…8

ZSK-q2 KSK-2017

publish+sign

ZSK-q2

pre-publish

ZSK-q1

Slot 1 Slot 9

ZSK-q2 ZSK-q1

post-publish

KSK-2010

publish+sign

KSK-2017

publish

KSK-2017

publish+sign

KSK-2017

publish+sign

Phase D – Publication Phase E – Rollover Phase F – Revocation Slot 2…8

ZSK-q3 KSK-2017

publish+sign

KSK-2010

revoke+sign Delayed revocation

  • f KSK-2010

Second packet size increase First packet size increase Rollover

Phase C First SKR Phase B Replication Phase A Generation

First SKR with new KSK signed New KSK created in 1st KMF New KSK replicated to 2nd KMF

Slot 1…9 Slot 1…9 Slot 1…9

KSK-2010

publish+sign

KSK-2017

publish

KSK-2010

publish

KSK-2010

publish

KSK-2010

publish

2017 Q3 2017 Q4 2018 Q1 2017 Q2 2017 Q1 2016 Q4

slide-13
SLIDE 13

| 13 | 13

Systems Test Plan

¤ Testing internal systems for these components ¤ Key Management

  • Lifecycle

¤ Key Processing

  • Key Signing Request to Signed Key Response

¤ Trust Anchor Publication

  • Generation of the trust anchor file as formatted in

eXtensible Markup Language (XML)

slide-14
SLIDE 14

| 14 | 14

Monitoring Plan

¤ Automated monitoring involving

  • ICANN’s L-root server
  • Information Science Institute’s B-root server

¤ Looking for

  • Low-level fragmentation issues, indicating responses are

too large

  • Elevated query rates for the DNSKEY resource record set,

indicating misconfigured trust anchors

¤ Plus a means for ad hoc reporting

slide-15
SLIDE 15

| 15 | 15

External Test Plan

¤ Resources targeted for software developers

  • Two third-party “accelerated” RFC 5011 test environments

with accelerated clocks

  • http://toot-servers.net
  • http://keyroll.systems

¤ Resources more suitable for operators

  • “Real time” RFC 5011 test environment being developed

by ICANN

  • Roll a test zone trust anchor with actual 30-day Add Hold-

Down timer

slide-16
SLIDE 16

| 16 | 16

Back Out Plan

¤ Plan includes back out capability

  • If necessary, can stay in current state or back out at every

phase

  • Until old key revoked in Q1 2018

¤ Multiple back out DNSKEY Resource Record Sets

(RRsets) signed at each ceremony

  • Back out can be immediate
  • No need for extra key ceremony
slide-17
SLIDE 17

| 17 | 17

What You Need to Know

¤ Manage Your Trust Anchors

  • Be aware of your software tools for managing trust

anchors

  • Be aware of the new KSK

¤ When Events Happen

  • Keep an eye on dates
  • Be mindful of when changes are scheduled and monitor

appropriately

slide-18
SLIDE 18

| 18 | 18

Managing Trust Anchors

¤ Trust anchors are configured data in DNSSEC validators

  • If Automated Updates of DNSSEC Trust Anchors (RFC

5011) is enabled and working, the rollover is automatic

  • Otherwise manual intervention is required
  • Add the new KSK before October 11, 2017 (assuming all is
  • n track)
  • Remove the old KSK at a later date
slide-19
SLIDE 19

| 19 | 19

Planned KSK Rollover Dates

¤ Plans publicly available from July 22, 2016 ¤ Key signing ceremonies

  • Q4 2016 ceremony (October 27): generate new KSK
  • Q1 2017 ceremony (February): KSK operationally ready

¤ DNS changes

  • New KSK in root zone on July 11, 2017
  • New KSK signs DNSKEY RRset beginning October 11, 2017
  • Current KSK revoked on January 11, 2018

(Timing contingent on successful ZSK size increase)

slide-20
SLIDE 20

| 20 | 20

¤ Join the ksk-rollover@icann.org

mailing list:

  • https://mm.icann.org/listinfo/ksk-rollover

¤ Follow on Twitter

  • @ICANN
  • Hashtag: #KeyRoll

¤ Visit the web page:

  • https://www.icann.org/kskroll

For More Information

slide-21
SLIDE 21

| 21 | 21

Reach me at: Email: ksk-rollover@icann.org Website: icann.org/kskroll

Thank You and Questions

gplus.to/icann weibo.com/ICANNorg flickr.com/photos/icann slideshare.net/icannpresentations twitter.com/icann facebook.com/icannorg linkedin.com/company/icann youtube.com/user/icannnews

Engage with ICANN