root zone ksk rollover update
play

Root Zone KSK Rollover update Roy Arends Principal Research - PowerPoint PPT Presentation

Sep 30, 2023 •184 likes •434 views

Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN FOSDEM 2019 3 February 2019 | 1 The KSK rollover has happened! The KSK rollover occurred on time as planned at 1600 UTC on 11 October 2018

  1. Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN FOSDEM 2019 3 February 2019 | 1

  2. The KSK rollover has happened! ¤ The KSK rollover occurred on time as planned at 1600 UTC on 11 October 2018 with the publication of a root zone with KSK-2017 signing the root zone DNSKEY RRset for the first time. | 2

  3. Timeline of events (UTC) 13:00 Root Zone Management Partners join conference bridge ¤ 13:00 Verisign generates root zone file ¤ 13:15 Verisign inspects root zone file ¤ 13:30 Verisign sends root zone file to ICANN ¤ 13:30 ICANN inspects root zone file ¤ 15:30 ICANN Go/No-go call ¤ 15:45 ICANN approves the zone for publication ¤ 15:45 Verisign reminds root server operators of scheduled zone push ¤ 16:00 Verisign approves root zone file push ¤ 16:05 Verisign informs root server operators zone file has pushed ¤ | 3

  4. Amsterdam team | 4

  5. Monitoring: ./IN/DNSKEY queries at the root (just before the roll) | 5

  6. Monitoring: ./IN/DNSKEY queries at the root (48 hours after the roll) | 6

  7. Analysis of DNSKEY queries Testing proved that stale trust anchors cause an increase in DNSKEY ¤ queries OCTO compared DNSKEY query behavior before and after the roll ¤ October 10 and 14 ¡ We’ve observed a total of 1,091,215 unique resolvers asking for a ¤ DNSKEY over four days 155,117 unique resolvers observed on both 10 October and 14 October ¤ 85,531 resolvers sent a DNSKEY request at least once a day between ¡ the 10 October and 14 October Vantage point was IMRS/L-root ¡ Resolvers might talk to other root letters ¡ OCTO tracked each of the 155,117 resolvers for change in query behavior ¤ | 7

  8. DNSKEY queries (10 October vs. 14 October) | 8

  9. DNSKEY scatter plot ¤ The X axis represents query volume on 10 October in log scale ¤ The Y axis represents query volume on 14 October in log scale ¤ Each blue dot represents an observed resolver, plotted (X,Y) on the graph ¤ Expected behavior is in the green diagonal band, showing changes within the same order ¤ Anything above the green band is O(1) increased query volume ¤ Anything below the green band is O(1) decreased query volume ¤ The red represents an unexpected clustering that we’re actively investigating | 9

  10. Resolvers per order change | 10

  11. Resolvers per order change The X axis represents buckets of “volume order change” ¤ The Y axis represents the number of resolvers in a bucket ¤ The bulk of resolvers lie between -1 and 1 ¤ Less than an order of magnitude change in the number of queries ¡ issued Between -1 and 1: 148,502 resolvers or 95.7% of the total observed ¤ Relatively little change in volume ¡ Great than 1: 2,084 resolvers or 1.34% of the total observed ¤ They see their volume increase significantly ¡ Less than -1: 4,531 or 2.92% of the total observed ¤ They see their volume decrease significantly ¡ | 11

  12. root-trust-anchor-reports.research.icann.org | 12

  13. Known issues ¤ Only one very minor report of trouble to ICANN ¤ A small number of reports of issues (<10) via Twitter, mailing lists and operational forums ¤ Mostly individual administrators relating minor issues ¤ No reports of significant number of issues affected ¤ Two outages may potentially be the result of the KSK rollover. We are trying to reach the ISPs involved to get more information. ¤ eir (Irish ISP): https://www.rte.ie/news/2018/1013/1002966-eir- outage/ ¤ Consolidated Communications (Vermont, US ISP): https://www.wcax.com/content/news/Consolidated-Communications- scrambles-to-fix-Vt-internet-outage-497030071.html | 13

  14. The KSK revoke has happened! ¤ The KSK rollover occurred on time as planned at 1600 UTC on 11 October 2018 with the publication of a root zone with KSK-2017 signing the root zone DNSKEY RRset for the first time. ¤ The KSK revoke occurred on time as planned at 1400 UTC on 11 January 2019 with the publication of a root zone with KSK-2010 marked as revoked. | 14

  15. Monitoring: ./IN/DNSKEY queries at the root (48 hours after the revoke) | 15

  16. DNSKEY queries (14 October vs. 14 January) | 16

  17. DNSKEY queries (11 October vs. 14 January) | 17

  18. DNSKEY queries (10 January vs. 14 January) | 18

  19. DNSKEY queries (10 January vs. 14 January) | 19

  20. Monitoring: ./IN/DNSKEY queries at the root (48 hours after the revoke) | 20

  21. Monitoring: ./IN/DNSKEY queries at the root (now) | 21

  22. root-trust-anchor-reports.research.icann.org | 22

  23. Upcoming milestones ¤ Q4 Root KSK Ceremony ¤ Signatures are generated in advance that, when published, will revoke KSK- 2010 via the RFC 5011 automated update protocol ¤ 11 January 2019 ¤ The root zone is published with the RFC 5011 revoke bit set on KSK-2010 ¤ 22 March 2019 ¤ The root zone is published without KSK-2010 for the first time ¤ Only KSK-2017 remains published ¤ Q3 Root KSK Ceremony ¤ KSK-2010 is deleted from the HSMs in the U.S. East Coast Key Management Facility ¤ Q4 Root KSK Ceremony ¤ KSK-2010 is deleted from the HSMs in the U.S. West Coast Key Management Facility | 23

  24. More maintenance is needed ¤ The community has highlighted the desire to roll the key regularly ¤ Extremes are: every three months … only when there is a need. ¤ The community has highlighted the desire for a standby-key ¤ This makes sure that DNSSEC deployment follows RFC5011 spec. ¤ The community has highlighted the desire for an algorithm rollover ¤ We need to know how to do it, in case RSA becomes weak. ¤ All of the above are related, and each is a significant amount of work. ¤ We are listening, tell us your thoughts and join the discussions at ksk-rollover@icann.org | 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK

KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK

KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover The Root

558 views • 13 slides
ccNSO IANA Update ICANN Singapore, June 2011 Kim Davies Manager, Root Zone Services Internet

ccNSO IANA Update ICANN Singapore, June 2011 Kim Davies Manager, Root Zone Services Internet

ccNSO IANA Update ICANN Singapore, June 2011 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names &amp; Numbers Agenda Root Zone Management System Business Excellence Improvements to delegation and

553 views • 32 slides
2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this Talk 2 1 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK

384 views • 21 slides
Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model

Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model

Root zone scalability model Bart Gijsen October 28, 2009 Root zone scalability model Introduction Development of the model by TNO as part of the Root Scalability Study Team Why quantify? Scalability is a quantitative topic

674 views • 18 slides
2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK information

720 views • 36 slides
Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides a superior product, and 3. much less expensive 3 Student Rollover So, Im wondering why are we still using these? NEW SLIDE 1. Hard to use,

734 views • 22 slides
Managing the Root KSK Rollover, Step by Step for Operators Quickly spun by Edward.Lewis @

Managing the Root KSK Rollover, Step by Step for Operators Quickly spun by Edward.Lewis @

Managing the Root KSK Rollover, Step by Step for Operators Quickly spun by Edward.Lewis @ ICANN.ORG Changed-by: carlos @ lacnic.net LACNIC 27 Foz do Iguassu 1 Agenda What is the problem here ? Some tools to check operation

240 views • 23 slides
IANA Update for TLD operators Sydney, Australia June 2009 Kim Davies Manager, Root Zone

IANA Update for TLD operators Sydney, Australia June 2009 Kim Davies Manager, Root Zone

IANA Update for TLD operators Sydney, Australia June 2009 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names &amp; Numbers Technical Conformance Technical Conformance Bring our minimum technical criteria for

624 views • 23 slides
Evolving the Root Zone technical checks Kim Davies Director, Technical Services ICANN 53,

Evolving the Root Zone technical checks Kim Davies Director, Technical Services ICANN 53,

Evolving the Root Zone technical checks Kim Davies Director, Technical Services ICANN 53, Buenos Aires, Argentina The basics ICANN conducts a set of technical checks for each zone change (e.g. root zone) These are repeated at

446 views • 23 slides
Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and

Scaling the Root A study of the impact on the DNS root system of increasing the size and volatility of the root zone Jaap Akkerhuis Lyman Chapin Patrik Fltstrm Glenn Kowack Bill Manning Lars-Johan Liman Summary of Findings Root Scaling

558 views • 20 slides
Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries

Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries

Donald Friedman Susie Bozzini Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries occur in pre roll crash events, limiting the likelihood that ESC will be as effective as predicted, emphasizing occupant

757 views • 62 slides
Text Text #ICANN51 15 October 2014 Text Text IDN Root Zone LGR Sarmad Hussain IDN Program

Text Text #ICANN51 15 October 2014 Text Text IDN Root Zone LGR Sarmad Hussain IDN Program

Text Text #ICANN51 15 October 2014 Text Text IDN Root Zone LGR Sarmad Hussain IDN Program Senior Manager #ICANN51 Agenda Text Text Introduction Sarmad Hussain Need, Limitations and Mechanisms for the Root Zone LGR Marc

817 views • 65 slides
IDN Root Zone LGR Workshop ICANN 52 | 11 January 2015 Agenda Introduction Sarmad

IDN Root Zone LGR Workshop ICANN 52 | 11 January 2015 Agenda Introduction Sarmad

IDN Root Zone LGR Workshop ICANN 52 | 11 January 2015 Agenda Introduction Sarmad Hussain Integration Panel Discussion Guidelines for LGR Development Wil Tan How to Design

1.31k views • 72 slides
The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land

The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land

The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land Commissioner Rollover Pass, Galveston County Project Site Rollover Pass, Galveston County GIWW Rollover Pass Rollover Pass, Galveston County History:

231 views • 10 slides
ATLAS Update : I/O Developments Peter van Gemmeren (ANL) ROOT I/O

ATLAS Update : I/O Developments Peter van Gemmeren (ANL) ROOT I/O

ATLAS Update : I/O Developments Peter van Gemmeren (ANL) ROOT I/O Workshop, #3 ATLAS use of ROOT TTreeCache ATLAS stores most of its data in ROOT TTrees. RDO, ESD,

221 views • 7 slides
Root Zone KSK: A fu er ICANN 53 Edward Lewis | ICANN 53 | June2015 edward.lewis@icann.org

Root Zone KSK: A fu er ICANN 53 Edward Lewis | ICANN 53 | June2015 edward.lewis@icann.org

Root Zone KSK: A fu er ICANN 53 Edward Lewis | ICANN 53 | June2015 edward.lewis@icann.org Agenda Setting the scene Change of Hardware Security Modules (HSMs) Roll (change) the Key Signing Key (KSK) The big finish | 2

272 views • 15 slides
Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side

Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side

Passenger Vehicle Occupant Fatalities by type of crash 4% 2% Rollover 33% 23% Front Side Rear Other 39% N=32,335 Source: 2002 FARS Side-impact Crashes (non-rollover) by Crash Partner Passenger Cars Other 19% 21% Narrow Objects

708 views • 4 slides
The Unicorn Project And The Five Ideals Session ID: @RealGeneKim

The Unicorn Project And The Five Ideals Session ID: @RealGeneKim

The Unicorn Project And The Five Ideals Session ID: @RealGeneKim My Definition of DevOps The architecture, technical practices, and cultural norms that enable us to increase our ability to deliver

1.48k views • 104 slides
Problem sets Dr Andreas Krause Instructions These three problem sets are representative of

Problem sets Dr Andreas Krause Instructions These three problem sets are representative of

BSc (Hons) Economics BSc (Hons) Economics and Politics BSc (Hons) Economics and International Development Department of Economics ES30089 Economics of Banking Problem sets Dr Andreas Krause Instructions These three problem sets are

107 views • 6 slides
On the Security of Carrier Phase-based Ranging Hildur Olafsdottir, Aanjhan Ranganathan, Srdjan

On the Security of Carrier Phase-based Ranging Hildur Olafsdottir, Aanjhan Ranganathan, Srdjan

On the Security of Carrier Phase-based Ranging Hildur Olafsdottir, Aanjhan Ranganathan, Srdjan Capkun Importance of Secure Proximity Verification Aanjhan Ranganathan On the Security of Carrier Phase-based Ranging 2 Importance of Secure

807 views • 52 slides
COVID-19 Preparedness CARES Act Provisions 1 Stimulus Checks = Cash Now Maximum of $1,200 per

COVID-19 Preparedness CARES Act Provisions 1 Stimulus Checks = Cash Now Maximum of $1,200 per

COVID-19 Preparedness CARES Act Provisions 1 Stimulus Checks = Cash Now Maximum of $1,200 per adult and $500 per dependent child under age 17 Advanced credit determined based on 2019 return if it has been filed If 2019 return has

89 views • 5 slides
Pro je c t 2A.2: L ist pro je c t re q uire me nts Pla nning Do c ume nt Pla nning Do c

Pro je c t 2A.2: L ist pro je c t re q uire me nts Pla nning Do c ume nt Pla nning Do c

11/9/2007 Pro je c t 2A FIT100 FIT100 FIT100 FIT100 FIT100 FIT100 Write a pla nning do c ume nt Pro je c t 2A.2: L ist pro je c t re q uire me nts Pla nning Do c ume nt Pla nning Do c ume nt Sho w PE Sho w PE RT RT c

280 views • 3 slides
Employer Basics 101: Purchasing Service Credit and Leaves of Absence 50-403, 9/20/E How To

Employer Basics 101: Purchasing Service Credit and Leaves of Absence 50-403, 9/20/E How To

STATE TEACHERS RETIREMENT SYSTEM OF OHIO Employer Basics 101: Purchasing Service Credit and Leaves of Absence EMPLOYER EDUCATION Employer Basics 101: Purchasing Service Credit and Leaves of Absence 50-403, 9/20/E How To Use GoToWebinar

265 views • 9 slides
Webinar: Unclaimed money, lost member and inactive low- balance account reporting obligations An

Webinar: Unclaimed money, lost member and inactive low- balance account reporting obligations An

Webinar: Unclaimed money, lost member and inactive low- balance account reporting obligations An information session for Superannuation Funds Trustees and Administrators Webinar: Unclaimed money, lost member and inactive low-balance account

513 views • 28 slides

More recommend