Rolling the Root Zone KSK. Matt Larson ICANN56 (Helsinki ) June 2016

Similar documents
Rolling the Root Zone DNSSEC Key Signing Key Edward Lewis AFRINIC25 November 2016

Root KSK Rollover Update (or, We're really doing it this time)

Root Zone DNSSEC KSK Rollover

2017 Root DNSSEC KSK Rollover. NANOG 70 June 6, 2017

2017 DNSSEC KSK Rollover. Guillermo Cicileo LACNIC March 22, 2017

DNSSEC for the Root Zone. IETF 76 8 November 2009

DNSSEC for the Root Zone. IETF 76 Hiroshima November 2009

Root KSK Roll Update Webinar

DNSSEC for the Root Zone. ICANN 37 Nairobi March 2010

DNSSEC for the Root Zone. NZNOG Hamilton, NZ January 2010

Reviewing New gtld Program Safeguards Against DNS Abuse. ICANN Operations and Policy Research 28 January 2016

Root KSK Roll Delay Update

Congratulations to Registries! New generic toplevel 500+ been delegated as a result of the New gtld Program. Many more gtlds are on the way.

DNS Risk Framework Update

DNS Security and DNSSEC in the root zone Luzern, Switzerland February 2010

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS

Rights Protection Mechanisms: User Feedback Session

THE BRUTAL WORLD OF DNSSEC

Rolling the Root. Geoff Huston APNIC Labs March 2016

A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

RDAP Implementation. Francisco Arias & Gustavo Lozano 21 October 2015

Root Zone DNSSEC KSK Rollover. DSSEC KSK Rollover

Root KSK Roll Delay Update

Managing the Root KSK Rollover, Step by Step for Operators

RDAP Implementation. 7 March 2016 Francisco Arias & Gustavo Lozano ICANN 55 7 March 2016

ICANN and the IANA. Elsa Saade and Fahd Batayneh MEAC-SIG August 2016

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

DNSSEC Validators Requirements

2017 DNSSEC KSK Rollover. DSSEC KSK Rollover

KSK Roll Prepping: RFC Presented at RIPE 71 DNS WG November 19, 2015

LGR Toolset (beta) User Guide. IDN Program 24 October 2017

ICANN Policy Update & KSK Rollover

IGO/INGO Identifiers Protection Policy Implementation. Meeting with the IRT 9 March 2016

Universal Acceptance

LGR Toolset (beta) User Guide. IDN Program October 2016

Algorithm for DNSSEC Trusted Key Rollover

Tyre Kicking the DNS. Testing Transport Considerations of Rolling Roots. Geoff Huston APNIC

Deploying the IETF s WHOIS Protocol Replacement

RSSAC Activities Update. Lars Johan Liman and Tripti Sinha RSSAC Chair ICANN-54 October 2015

ICANN SSR Update. Save Vocea PacNOG17 Samoa 13 July 2015

Name Collision Mitigation Update

RIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.

That KSK Roll. Geoff Huston APNIC Labs

RDAP: What s Next? Francisco Arias & Marc Blanchet ICANN June 2015

Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02. Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K.

DNS Fundamentals. Steve Conte ICANN60 October 2017

Privacy and Proxy Service Provider Accreditation. ICANN58 Working Meeting 11 March 2017

Migrating an OpenDNSSEC signer (February 2016)

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

DNSSEC KSK-2010 Trust Anchor Signal Analysis

ICANN proposal to sign the root. ICANN DNSSEC Workshop November 5, 2008, Cairo Dr. Richard Lamb

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

DNSSEC for the Root Zone. IEPG IETF 77 Anaheim, USA March 2010

DNSSECfor the Root ZoneIEPG IETF 77 Anaheim, USA March 2010

Shared cctld DNSSEC Signing Platform Bill Woodcock and Rick Lamb ICANN San Francisco March 2011

AfriNIC 14 Shared cctld DNSSEC Signing Platform June 9, 2011 Bill Woodcock Research Director Packet Clearing House

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

IANA Stewardship Transition & Enhancing ICANN Accountability

Rolling the Root KSK. Geoff Huston. APNIC Labs. September 2017

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017

3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,

DNSSec Operation Manual for the.cz and e164.arpa Registers

Table of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.

CIRA DNSSEC PRACTICE STATEMENT

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status

Afilias DNSSEC Practice Statement (DPS) Version

RIPE NCC DNS Update. Wolfgang Nagele DNS Services Manager

Impact of Rolling the Root KSK. Ed Lewis NetNod October 2015

Richemont DNS Inc. DNS Practice Statement for the PANERAI Zone. Version 0.2

6 March 2012

The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net

DNS/DNSSEC and Domain Transfers: Are they compa:ble? Olafur Gudmundsson Steve Crocker Shinkuro inc.

5 DNS Security Extensions DNSSEC

SSAC Advisory on DNSSEC Key Rollover in the Root

ICANN DNSSEC Workshop Comcast s Operational Experiences 14 March 2012

Packet Traces from a Simulated Signed Root

DNSSEC in Switzerland 2 nd DENIC Testbed Meeting

Signing the Root. MENOG 7 Istanbul, Turkey October 2010

Expires: August 1998 February DNS Operational Security Considerations Status of This Document

President s Report 2009

Update on IANA Seoul, Republic of Korea October 2009

Assessing and Improving the Quality of DNSSEC

DS TTL shortening experience in.jp

Security and Stability Advisory Committee!! Activities Update! ICANN Los Angeles Meeting! October 2014! #ICANN51

DNSSEC at ORNL. Paige Stafford Joint Techs Conference, Fairbanks July 2011

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Subject: SAC073: SSAC Comments on Root Zone Key Signing Key Rollover Plan - Design Teams Draft Report

Documentation. Name Server Predelegation Check

Network Working Group. Category: Informational SPARTA, Inc. S. Crocker Shinkuro Inc. S. Krishnaswamy SPARTA, Inc. August 2007

Update on ICANN Domain Name Registrant Work

IPv6 How-To for a Registry 17th CENTR Technical Workshop

Towards a Process Flow. for. DNS Root Zone File Signature. with. KSK Rollover Provisions

APRICOT 2012 New Delhi, India February 21 - March 2

Understanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017

Summary of the Impact of Root Zone Scaling

IDN Program Update to ccnso. Sarmad Hussain IDN Program Sr. Manager 10 Feb. 2015

DNSSEC Policy and Practice Statement. Anne-Marie Eklund Löwinder Quality and Security Manager

SecSpider: Distributed DNSSEC Monitoring and Key Learning

ICANN PacNOG 11

Transcription:

Rolling the Root Zone KSK Matt Larson ICANN56 (Helsinki ) June 2016 matt.larson@icann.org 1

DNSSEC in the Root Zone Managed Jointly ICANN (IANA Functions Operator) Manages the KSK, same key since operations began in 2010 Quarterly the KSK signs the ZSK in a key ceremony Verisign (Root Zone Maintainer) Manages the ZSK, key changed quarterly The root DNSKEY RRset is managed in 10-day slots In coordination with US DoC NTIA per agreements 2

Activities Underway ZSK size increasing Activity managed by Verisign, covered elsewhere This activity will happen before... KSK changing ( rolling ) Separate but coordinated activities 3

Why Change the KSK? Primary reason: operational preparedness KSK has no expiration date Currently no weakness But no key should live forever: bad cryptographic practice Prefer to exercise rollover process under normal conditions As opposed to abnormal, such as key compromise Big challenge Involves countless/uncountable participants No test environment can cover all possibilities 4

Planned KSK Roll Dates Plans publically available mid-july, 2016 Key ceremonies Q4 2016 ceremony (November): generate new KSK Q1 2017 ceremony (February): KSK operationally ready DNS changes New KSK in root zone on July 11, 2017 New KSK signs DNSKEY RRset beginning October 11, 2017 Current KSK revoked on January 11, 2018 (Timing contingent on successful ZSK size increase) 5

Timeline Phase A Generation Phase B Replication Phase C First SKR Phase D Publication Phase E Rollover Phase F Revocation 2016 Q4 2017 Q1 2017 Q2 2017 Q3 2017 Q4 2018 Q1 Slot 1 9 Slot 1 9 Slot 1 9 Slot 1 Slot 2 8 Slot 9 Slot 1 Slot 2 8 Slot 9 Slot 1 Slot 2 8 Slot 9 ZSK- post-publish ZSK-q1 ZSK-q1 ZSK-q1 ZSK-q1 post-publish ZSK-q2 pre-publish ZSK-q2 ZSK-q2 ZSK-q2 ZSK-q2 post-publish ZSK-q3 pre-publish ZSK-q3 ZSK-q3 ZSK-q3 ZSK- pre-publish publish publish publish revoke+sign publish publish publish New KSK created in 1st KMF New KSK replicated to 2nd KMF First SKR with new KSK signed First packet size increase Second packet size increase Rollover Delayed revocation of 6

If Issues Arise Plan includes back-out capability If necessary, can stay in current state or roll back at every phase Until old key revoked in Q1 2018 Multiple back-out DNSKEY RRsets signed at each ceremony Back out can be immediate No need for extra key ceremony Extensive monitoring during each phase Near-real time analysis of root server traffic, observation of operational mailing lists and social media, etc. Criteria for triggering back out under development Will not be absolute but allow for operational discretion 7

Upcoming Activities Presenting the plan (July to December 2016) Informal feedback Presenting the new KSK (January to July 2017) New key will be introduced and publicized Follow Automated Updates (RFC 5011) July 11, 2017 through early 2018 8

Changing Trust Anchors Trust anchors are configured data in DNSSEC validators If Automated Updates of DNSSEC Trust Anchors (RFC 5011) is enabled and working, the roll is automatic Otherwise manual intervention required Add the new KSK before October 11, 2017 (assuming all is on track) Remove the old KSK at a later date 9

Testing Resources Resources targeted for software developers Two third-party accelerated RFC 5011 test environments with sped up clocks http://toot-servers.net http://keyroll.systems Resources more suitable for operators Real time RFC 5011 test environment being developed by ICANN Roll a test zone trust anchor with actual 30-day Add Hold- Down timer 10

For More Information Join the mailing list: o https://mm.icann.org/listinfo/ksk-rollover Follow on Twitter o o @ICANN Hashtag: #KeyRoll Visit the web page: o https://www.icann.org/kskroll 11

Engage with ICANN Thank You and Questions Reach me at: Email: matt.larson@icann.org Website: icann.org twitter.com/icann gplus.to/icann facebook.com/icannorg weibo.com/icannorg linkedin.com/company/icann flickr.com/photos/icann youtube.com/user/icannnews slideshare.net/icannpresentations 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback