2017 dnssec ksk rollover
play

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 - PowerPoint PPT Presentation

Dec 26, 2022 •343 likes •720 views

2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017 Purpose of this Talk 1 2 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK information

  1. 2017 DNSSEC KSK Rollover Guillermo Cicileo | LACNIC | March 22, 2017

  2. Purpose of this Talk 1 2 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK information | 2

  3. The Root Zone DNSSEC KSK ¤ The Root Zone DNSSEC Key KSK Signing Key “ KSK ” is the top most cryptographic key in the DNSSEC hierarchy ¤ Public portion of the KSK is configuration parameter in DNS validating revolvers DATA | 3

  4. Rollover of the Root Zone DNSSEC KSK ¤ There has been one functional, operational Root Zone DNSSEC KSK ¤ Called "KSK-2010" ¤ Since 2010, nothing before that ¤ A new KSK will be put into production later this year ¤ Call it "KSK-2017" ¤ An orderly succession for continued smooth operations ¤ Operators of DNSSEC recursive servers may have some work ¤ As little as review configurations ¤ As much as install KSK-2017 | 4

  5. Important Milestones Event Date Creation of KSK-2017 October 27, 2016 Production Qualified February 2, 2017 Out-of-DNS-band Publication Now, onwards In-band ( Automated Updates ) Publication July 11, 2017 and onwards Sign (Production Use) October 11, 2017 and onwards Revoke KSK-2010 January 11, 2018 Remove KSK-2010 from systems Dates TBD, 2018 | 5

  6. Recognizing KSK-2017 ¤ The KSK-2017’s Key Tag is 20326 ¤ The Delegation Signer (DS) Resource Record for KSK-2017 is . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D084 58E880409BBC683457104237C7F8EC8D "Root" Note: liberties taken with formatting for presentation purposes | 6

  7. KSK-2017 in a DNSKEY Resource Record ¤ The DNSKEY resource record will be: . IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= "Root" Note: liberties taken with formatting for presentation purposes | 7

  8. Why are there DS and DNSKEY forms of KSK-2017? ¤ Tools that you will use to manage DNSSEC trust anchor configurations work on either the DS form, the DNSKEY form or both ¤ For each tool there are historical reasons ¤ The DS record contains a hash of KSK-2017 ¤ The DNSKEY record contains the public key of KSK-2017 ¤ Consult your tool’s documentation to know which is appropriate | 8

  9. Current "State of the System" ¤ Sunny, as in “sunny day scenario” ¤ We are changing the KSK under good conditions ¤ Leverage trust in KSK-2010 to distribute KSK-2017 ¤ Recommended course of action – rely on RFC 5011’s Automated Updates of DNSSEC Trust Anchors protocol ¤ Why mention this? ¤ Alternative to Automated Updates is bootstrapping (or establishing an initial state of trust in) a trust anchor ¤ That would be necessary in stormy (emergency) conditions | 9

  10. Automated Updates of DNSSEC Trust Anchors ¤ Defined in RFC 5011 ¤ Use the current trust anchor(s) to learn new ¤ To allow for unattended DNSSEC validator operations ¤ Based on "time" – if a new one appears and no one complains for some specified time, it can be trusted ¤ Defined "add hold" time is 30 days | 10

  11. Automated Updates timetable KSK-2017 KSK-2017 KSK-2017 appears starts should be in DNS signing trusted | 11

  12. Important dates when following Automated Updates ¤ On 11 July 2017 ¤ KSK-2017's DNSKEY record will appear in the DNS root key set ¤ Tools following RFC 5011 will start counting days ¤ After 11 August 2017 (give or take a day) ¤ Your tool should see KSK-2017 in its trust anchor database ¤ If not, debugging is needed, you have a few weeks to fix ¤ (Don't panic if it it's not immediate, remember time zone, etc.) ¤ On 11 October 2017 ¤ KSK-2017 goes "live," validation ought to be confirmed | 12

  13. What if KSK-2017 isn't trusted on August 11, 2017? ¤ Don't Panic! ¤ There are nearly two months to examine why, fix, and test before KSK-2017 "goes live" ¤ Begin to investigate early but there is no need to rush a fix ¤ Resources to consult are listed later in the slides | 13

  14. Why is Automatic Updates in use? ¤ Many DNSSEC validation tools have RFC 5011 support built-in ¤ The support needs to be configured properly, consult your administrator guide ¤ All in all, nothing an operator can't handle ¤ You can choose to "do it the hard way" ¤ You do have options ¤ ICANN is publishing KSK-2017 in different ways to help | 14

  15. Preferred Approach ¤ Mindful that the choice is a matter of local policy ¤ DNSSEC validation is for the benefit of the receiver ¤ Not all operational environments are the same, not all validating tools implement Automated Updates ¤ ICANN is doing its best to accommodate different approaches ¤ Automated Updates is likely the preferred approach ¤ Relies only on what has been trusted before ¤ It's the most reliable/stable approach, simplest basis for trust | 15

  16. Establishing Trust in KSK-2017 Automatically ¤ If you are DNSSEC validating with KSK-2010 ¤ You can simply follow Automated Updates of DNSSEC Trust Anchors by configuring your tool of choice to do so | 16

  17. Establishing Trust in KSK-2017 Manually ¤ Via the official IANA trust anchor XML file at https:// data.iana.org/root-anchors/root-anchors.xml ¤ Contains the same information as a DS record for KSK-2017 ¤ Validate root-anchors.xml with the detached signature at https:// data.iana.org/root-anchors/root-anchors.p7s ¤ Via DNS (i.e., ask a root server for “./IN/DNSKEY”) ¤ Validate the KSK-2017 by comparison with other trusted copies ¤ Via “Other means” ... | 17

  18. What “other means” for a manual approach? ¤ Most software/OS distributions of DNSSEC ¤ Embed copies of the KSK (now KSK-2010, later KSK-2017) ¤ In contact with as many distributors as possible ¤ Compare with the key from these slides ¤ If you trust the presentation copy you've seen here ¤ Obtain a copy from another operator, or other trusted source ¤ How well do you trust "them"? ¤ Perhaps it will be on a trinket too ¤ Not promising one, but... | 18

  19. Call to Action ¤ All the work is for operators, developers and distributors of software that performs DNSSEC validation – keep reading/listening! ¤ What if you’re not one of them? What if you’re an Internet user? ¤ Be aware that the root KSK rollover is happening on 11 October 2017 ¤ Do you know a DNS operator, software developer or software distributor? ¤ Ask them if they know about the root KSK rollover and if they’re ready ¤ Direct them to ICANN’s educational and information resources | 19

  20. What does an operator need to do? ¤ Be aware whether DNSSEC is enabled in your servers ¤ Be aware of how trust is evaluated in your operations ¤ Test/verify your set ups ¤ Inspect configuration files, are they (also) up to date? ¤ If DNSSEC validation is enabled or planned in your system ¤ Have a plan for participating in the KSK rollover ¤ Know the dates, know the symptoms, solutions | 20

  21. DNSSEC validation-enabled tools ¤ ISC's BIND ¤ CZnic's Knot Resolver ¤ NLnet Lab's Unbound ¤ DNSMASQ ¤ Microsoft Windows ¤ Secure64 DNS Cache ¤ Nominum Vantio ¤ PowerDNS Recursor | 21

  22. A Special Note About ISC's BIND ¤ Blog post from ISC https://www.isc.org/blogs/2017-root-key-rollover-what-does-it- mean-for-bind-users/ ¤ Unique to BIND ¤ Because of BIND's long DNSSEC history, some "named.conf" files may have to be updated despite tech-refresh of BIND versions ¤ Notably, the introduction of managed-keys in February 2010 , (ISC's version 9.7) an update to trusted-keys ¤ I.e., Check pre-February 2010 configurations! | 22

  23. Notes on Microsoft Server ¤ Extensive Documentation ¤ DNSSEC and Windows: Get Ready, 'Cause Here It Comes! (2010) https://channel9.msdn.com/Events/TechEd/NorthAmerica/2010/ WSV333 ¤ DNSSEC in Windows Server 2012 (updated 2014) https://technet.microsoft.com/library/dn593694 | 23

  24. Information About Other Tools ¤ Unbound https://schd.ws/hosted_files/icann572016/49/Jaap-Akkerhuis-Unbound- KSK-rollover.pdf ¤ PowerDNS https://doc.powerdns.com/md/recursor/dnssec/#trust-anchor-management ¤ Knot Resolver https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec ¤ DNSMASQ http://www.thekelleys.org.uk/dnsmasq/CHANGELOG (see v2.69 notes) | 24

  25. Symptoms of a Problem Related to the Rollover ¤ Problems caused by IPv6 fragmentation-related issues ¤ DNSSEC validation fails for everything, resulting from an inability to get the Root Zone DNSKEY set with KSK-2017 ¤ Look for a large number of queries leaving a recursive server "retrying" the question ¤ Problems caused by using the wrong trust anchor ¤ DNSSEC validation fails for everything, resulting from an inability to build a chain of trust ¤ Look in logs for check failures, implementation specific | 25

  26. Fragmentation, IPv6 and DNS ¤ Fragmentation in IPv6 ¤ Fragments created at source, reassembled at destination ¤ Unlike IPv4, fragmentation not done in network ¤ Instead a notice is sent back to source ¤ IPv6's fragmentation feedback does not help DNS' use of UDP ¤ No recollection (memory) of what was sent, can't resend ¤ Answers can "not arrive" for other reasons, analyzing this thoroughly needs to be done from the source and destination | 26

Recommend

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this

2017 DNSSEC KSK Rollover Carlos Martnez | LACNIC | LACNIC 27, Foz Do Iguass Purpose of this Talk 2 1 3 Provide status, Provide helpful To publicize the upcoming events, resources on new Root Zone and contact the KSK roll DNSSEC KSK

384 views • 21 slides
KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK

KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK

KSK Rollover Update David Conrad, CTO ICANN 59 ccNSO Members Meeting 26 June 2017 | 1 KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover The Root

558 views • 13 slides
Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides

Student Rollover 1 Student Rollover 1896 2 Student Rollover 1. much easier to use, 2. Provides a superior product, and 3. much less expensive 3 Student Rollover So, Im wondering why are we still using these? NEW SLIDE 1. Hard to use,

734 views • 22 slides
Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries

Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries

Donald Friedman Susie Bozzini Jordan Rollover System Rollover frequency and AIS 3+ Injury As much as 40% of these injuries occur in pre roll crash events, limiting the likelihood that ESC will be as effective as predicted, emphasizing occupant

757 views • 62 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN

Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN

Root Zone KSK Rollover update Roy Arends Principal Research Scientist, Office of the CTO, ICANN FOSDEM 2019 3 February 2019 | 1 The KSK rollover has happened! The KSK rollover occurred on time as planned at 1600 UTC on 11 October 2018

434 views • 24 slides
The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land

The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land

The Proposed Closure of Rollover Pass Texas General Land Office Jerry Patterson, Land Commissioner Rollover Pass, Galveston County Project Site Rollover Pass, Galveston County GIWW Rollover Pass Rollover Pass, Galveston County History:

231 views • 10 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went

MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went

MTI Rollover Presentation What Happened? Driver was loaded and inbound to Frac Driver went off the edge of the road No injuries What was spilled? Fuel Engine oil Contributing Factors to Rollover Poor visibility Dark

75 views • 5 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
Key Rollover for the RPKI Steve Kent (Channeling Geoff

Key Rollover for the RPKI Steve Kent (Channeling Geoff

Key Rollover for the RPKI Steve Kent (Channeling Geoff Huston ) Key Rollover Document New doc: draC-huston-sidr-aao-profile-0-

494 views • 14 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
Fire Occurrence in Rollover Crashes Based on NASS/CDS Kennerly Digges and Shaun Kildare The

Fire Occurrence in Rollover Crashes Based on NASS/CDS Kennerly Digges and Shaun Kildare The

Fire Occurrence in Rollover Crashes Based on NASS/CDS Kennerly Digges and Shaun Kildare The George Washington University SAE Paper 2007-01-0875 Research Questions What rollover crash factors influence the fire rate? Vehicle class

741 views • 35 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
QMS Shareholders (other than the Rollover Shareholders) will receive total cash consideration of

QMS Shareholders (other than the Rollover Shareholders) will receive total cash consideration of

QMS Shareholders (other than the Rollover Shareholders) will receive total cash consideration of $1.22 per QMS share held on the Scheme Record Date. Rollover Shareholders will receive a mixture of consideration of cash and shares in Shelley

402 views • 7 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides

More recommend