Root KSK Roll Delay Update

Similar documents
Root KSK Roll Delay Update

Root KSK Roll Update Webinar

Root KSK Rollover Update (or, We're really doing it this time)

Security and Stability Advisory Committee!! Activities Update! ICANN Los Angeles Meeting! October 2014! #ICANN51

A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

Internet Corporation for Assigned Names & Numbers - Internet Assigned Numbers Authority Update

RDAP Implementation. Francisco Arias & Gustavo Lozano 21 October 2015

Draft Applicant Guidebook, v3

The IDN Variant TLD Program: Updated Program Plan 23 August 2012

Rolling the Root. Geoff Huston APNIC Labs March 2016

RSSAC Activities Update. Lars Johan Liman and Tripti Sinha RSSAC Chair ICANN-54 October 2015

ICANN PacNOG 11

President s Report 2009

DNSSEC KSK-2010 Trust Anchor Signal Analysis

Name Collision Occurrence Management Framework

Root Zone DNSSEC KSK Rollover

ICANN Board Status Advice Report Advice Item Status As of 30 Nov 2017

Security & Stability Advisory Committee. Update of Activities

General Data Protection Regulation (GDPR)

Rolling the Root Zone KSK. Matt Larson ICANN56 (Helsinki ) June 2016

IANA ccnso Update Kim Davies ICANN 55, 8 March 2016

Draft Applicant Guidebook, v4

SSR REVIEW IMPLEMENTATION REPORT (Public) *DRAFT*

DNSSEC for the Root Zone. ICANN 37 Nairobi March 2010

ICANN STRATEGIC PLAN JULY 2011 JUNE 2014

Second Security, Stability, and Resiliency of the Domain Name System Review Team (SSR2) ICANN60 October 2017

DNS and ICANN. Laurent Ferrali. 27th August 2018

That KSK Roll. Geoff Huston APNIC Labs

ICANN and the IANA. Elsa Saade and Fahd Batayneh MEAC-SIG August 2016

ICANN Policy Update & KSK Rollover

Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson

Intellectual Property Constituency (IPC)

It Internationalized ti Domain Names W3C Track: An International Web

Update on IANA Seoul, Republic of Korea October 2009

Internet Governance Shaped by all Stakeholders

gtld Applicant Guidebook (v ) Module 5

DNSSEC for the Root Zone. IETF 76 8 November 2009

One possible roadmap for IANA evolution

ICANN SSR Update. Save Vocea PacNOG17 Samoa 13 July 2015

RIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.

Internationalized Domain Names

SME License Order Working Group Update - Webinar #3 Call in number:

Summary of the Impact of Root Zone Scaling

Internationalized Domain Names. Tina Dam, Director, IDN Program 3 March 2009

DNS Risk Framework Update

TLD-OPS Standing Committee Meeting cctld Security and Stability Together

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Strategic Plan Consulta1on

What we did last OARC. Keith Mitchell DNS-OARC RIPE77 DNS WG Amsterdam, Oct 2018

ccnso activity overview (work plan) Monthly overview Version: August 2016

IANA Stewardship Transition & Enhancing ICANN Accountability

ICANN Report. Presented by: Dr Paul Twomey CEO and President. Reston, Va ARIN XIV 20 October 2004

Root Zone DNSSEC KSK Rollover. DSSEC KSK Rollover

Post Transition IANA model Draft

One World. One Internet.

WHOIS Review Team Internationalized Registration Data Expert Working Group. Margie Milam ICANN October 2015

DNS Security and DNSSEC in the root zone Luzern, Switzerland February 2010

Cross Community Working Group (CWG) To Develop An IANA Stewardship Proposal. On Naming Related Functions. Discussion Document for ICANN52 Singapore

DNSSEC for the Root Zone. IETF 76 Hiroshima November 2009

Universal Acceptance

Afilias DNSSEC Practice Statement (DPS) Version

Replacing the WHOIS protocol. Tech Day Boungainvillea room 12 March 2012, 16:40-16:55

IANA Stewardship Transition & Enhancing ICANN Accountability. Andrea Beccalli DNS.PT Events May 12

July 13, Via to RE: International Internet Policy Priorities [Docket No ]

2017 DNSSEC KSK Rollover. DSSEC KSK Rollover

ICANN and Academia. Fahd Batayneh Manager, Global Stakeholder Engagement, Middle East. December 2017

Rights Protection Mechanisms: User Feedback Session

Draft Implementation Plan for IDN cctld Fast Track Process

(Further) Dispatches from the DNS Frontier. Keith Mitchell DNS-OARC NANOG71 San Jose, Oct 2017

Internet Engineering Task Force. Intended Status: Informational. Additional Reserved Top Level Domains draft-chapin-additional-reserved-tlds-00

November 2010 PLAN FOR ENHANCING INTERNET SECURITY, STABILITY, AND RESILIENCY (FY 11)

ICANN 48 NEWCOMER SESSION

Deploying the IETF s WHOIS Protocol Replacement

2017 DNSSEC KSK Rollover. Guillermo Cicileo LACNIC March 22, 2017

ICANN Update at PacNOG15

ICANN and Russia. Dr. Paul Twomey President and CEO. 10 June International Economic Forum St. Petersburg, Russia

Name Collision Mitigation Update

RIPE NCC DNS Update. Wolfgang Nagele DNS Services Manager

Transition Implementation Status Reporting. 31 March 2016

Transition Implementation Status Reporting. 12 August 2016

APNIC Update. APTLD Meeting

RDAP Implementation. 7 March 2016 Francisco Arias & Gustavo Lozano ICANN 55 7 March 2016

.BIZ Agreement Appendix 10 Service Level Agreement (SLA) (22 August 2013)

DNS Abuse Handling. FIRST TC Noumea New Caledonia. Champika Wijayatunga Regional Security, Stability and Resiliency Engagement Manager Asia Pacific

DNSSEC for the Root Zone. NZNOG Hamilton, NZ January 2010

ONE WORLD, ONE INTERNET

IANA Stewardship Transition Coordination Group (ICG)!! October 2014! ianacg.org!!!

Open Mee'ng of the Security & Stability Advisory Commi=ee. 26 October 2009

ICANN Overview & Global and Strategic Partnerships

Registrar Session ICANN Contractual Compliance

Overview & Update. Manager, Regional Relations Middle East. Internet Festival Hammamet, Tunis August 2008

An Amsterdam Update. RIPE Network Coordination Centre. Nick Hyrka. APNIC 25, 29 April 2008, Taiwan 1. ArtistServer.

ICANN & Global Partnerships

DNSSEC in Switzerland 2 nd DENIC Testbed Meeting

BCI Principles & Criteria: Revision

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

Internationalized Domain Names. 21 June 2009 Tina Dam Sr. Director, IDNs

ICANN Start, Episode 1: Redirection and Wildcarding. Welcome to ICANN Start. This is the show about one issue, five questions:

Internationalized Domain Names New gtld Program

Draft Thick RDDS (Whois) Consensus Policy and Implementation Notes

Transcription:

Root KSK Roll Delay Update PacNOG 21 Patrick Jones, Sr. Director, Global Stakeholder Engagement 4 December 2017 1

Background When you validate DNSSEC signed DNS records, you need a Trust Anchor. A Trust Anchor is a Public Key. Public Keys should not live forever. These Trust Anchors probably should be periodically renewed (rolled). You can do this automatically or manually. However, there was no way for us (ICANN) to check if you have the right key configured. Therefore, a multi-year design and outreach effort ensued: Design-team, blogs, outreach, presentations in various venues, plans, vendors and governments were contacted, etc., etc. 2

The Process 11 July 2017: Introduce the new KSK-2017. Monitor if there are fundamental changes in root-server traffic If not, continue, else fall back. 10 August 2017: 30 day hold-down period ends Monitor if there are fundamental changes in root-server traffic. If not, continue, else fall back. 19 September 2017: DNSKEY Response size increased due to standard ZSK roll Monitor if there are fundamental changes in root-server traffic. If not, continue, else fall back. 3

The timeline in a graph 100 Root Zone Key Tag Signaling TA Update Evidence 80 Percent of Signalers 60 40 KSK 2017 Published RFC5011 Hold Down Timer Ends KSK 2017 Rollover 20 0 May Jun Jul Aug Sep Oct 2010 2010+2017 2017 Verisign Public 17 4

Who has KSK-2017 configured as a trust anchor? Until very recently, there was no way to know which trust anchors validators have configured Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC) is a recent protocol extension that can provide that information Reports trust anchor key tags via EDNS option or DNS query Published as RFC 8145 (April 2017) Implementations BIND 9.11 starting with 9.11.0b3 (28 July 2016) BIND 9.10 starting with 9.10.5b1 (11 January 2017) Unbound 1.6.4 (27 June 2017) On by default in BIND (since 28 July 2016) and in Unbound since version 1.6.7 (10 October 2017) No other known implementations 5

Looking for key tag signaling RFC 8145 is so new and validator support so limited that the root KSK roll project team did not expect to get enough data to help with the first root KSK Roll. On average, there are 4.2 Million unique addresses sending queries to root-servers. Given typical deployment curves, it was assumed the dataset would be too small to statistically represent all validating resolvers. However Before the introduction of KSK-2017, RFC8145-able resolvers would send KSK-2010 only. After the hold down period of 30 days, RFC8145-able resolvers would send both KSK-2010 and KSK-2017. Duane Wessels (Verisign, co-author of 8145) started looking at A & J root traffic for this signaling 6

Hey! There s data! Wait. What? 100 Root Zone Key Tag Signaling TA Update Evidence 80 Percent of Signalers 60 40 KSK 2017 Published RFC5011 Hold Down Timer Ends KSK 2017 Rollover 20 0 May Jun Jul Aug Sep Oct 2010 2010+2017 2017 Verisign Public 17 7

Further analysis by OCTO Research ICANN OCTO Research did an analysis similar to Duane s Analyzed query data from B, D, F and L root servers For the entire month of September and October (until the 24 th ) Results: Total number of unique addresses reporting key tag data: 27,084 (out of 4.2 million, 0.57%) Total number that only ever reports KSK-2010: 1631 6.02% of reporting validators were not ready for the KSK roll on 11 October 2017 Non-zero percentage of reporting validators were announcing only KSK-2017 (?!) Analysis is complicated Dynamic resolver IPs make the situation look worse by inflating true number of sources Resolvers behind forwarders make the situation look better as they obscure multiple validators behind the forwarder 8

Why do validators report just KSK-2010? Multiple reasons suspected or confirmed: 1. BIND reports trust anchors even if not validating 2. Old configurations pre-dating automatic update support E.g., BIND s trusted-keys instead of managed-keys or dnssec-validation auto 3. Bugs in automatic update or key tag signaling support E.g., announce key tags even if DNSSEC not enabled (DO=0) 4. Operator error E.g., Docker container keeps booting up with only KSK-2010 and starts 5011 all over again We always knew old configurations would be an issue but never had objective data until now We worried bugs and operator error were possible but didn t have evidence until now Analysis is ongoing Hired a contractor to try to figure out reasons for misconfiguration 9

Back to the plan and process 19 September 2017: DNSKEY Response size increased due to standard ZSK roll Monitor if there are fundamental changes in root-server traffic. If not, continue, else fall back. We had received Verisign s report and corroborated it with our own data. From the Operational Plan: The Root Zone Management Partners might also decide to extend any phase for additional quarters. For example, if new information indicates that the next phase may lead to complications, the current phase would be prolonged. This is referred to as an extend scenario. 27 September 2017: Extend scenario kicks in ICANN Announces that the root KSK Rollover is delayed 10

Issues We do not know how representative the set of validators reporting key tag data is compared to the set of all validators Validators!= end users (or end systems ), and the impact on end users is what is most important The design team recognized this Determining number of end users/systems for a given resolver is hard APNIC s Google Ad experiment platform-based data will help Mitigation is hard We ve already had a multi-year campaign to reach operators Implementation-specific problems don t make the problem easier 11

Next Steps We postponed the root KSK roll until we can gather more information and understand the situation better The delay will be at least one quarter We have not yet determined how many quarters to delay We will at least partially mitigate Contractor hired to try to track down the 500 resolvers based on IP addresses and understand why misconfiguration is occurring Data collection continues We ll need to re-engage/re-tune the communications plan Maybe PLEASE DO NOT REMOVE KSK-2017!!? 12

SSAC Update & Advice on Emoji Domain Names 13

Security and Stability Advisory Committee (SSAC) Who We Are What We Do 37 Members Appointed by the ICANN Board What is Our Expertise Addressing and Routing Domain Name System (DNS) DNS Security Extensions (DNSSEC) Domain Registry/Registrar Operations DNS Abuse & Cybercrime Internationalization (Domain Names and Data) Internet Service/Access Provider ICANN Policy and Operations REPORT S Charter: Advise the ICANN community and Board on matters relating to the security and integrity of the Internet s naming and address allocation systems. How We Advise 98 Publications since 2002 ADVISORIES COMMENT S OUTREACH 14

Security and Stability Advisory Committee (SSAC) ICANN s Mission & Commitments To ensure the stable and secure operation of the Internet's unique identifier systems. Preserving and enhancing the operational stability, reliability, security and global interoperability, resilience, and openness of the DNS and the Internet. SSAC Publication Process Form Work Party Research and Writing Consideration of SSAC Advice (to the ICANN Board) SSAC Submits Advice to ICANN Board Board Acknowledges & Studies the Advice Board Takes Formal Action on the Advice 1. Policy Development Process 3. Dissemination of Advice to Affected Parties Publish Review and Approve 2. Staff Implementation with Public Consultation 4. Chose different solutions (explain why advice is not followed) 15

Security and Stability Advisory Committee (SSAC) Publication Current Work Process Parties Management of the Namespace and Name Collisions IDN Harmonization SSAC Organizational Review WHOIS Rate Limiting Internet of Things DNSSEC Workshops (Ongoing) Membership Committee (Ongoing) Recent Publications [SAC098]: The Security, Stability, and Resiliency of the DNS Review (SSR2) (04 October 2017) [SAC097]: SSAC Advisory Regarding the Centralized Zone Data Service (CZDS) and Registry Operator Monthly Activity Reports (14 June 2017) [SAC096]: SSAC Comment on the CCWG-Accountability- WS2 Draft Framework of Interpretation for Human Rights (30 May 2017) [SAC095]: SSAC Advisory on the Use of Emoji in Domain Names (25 May 2017) Outreach ssac.icann.org and SSAC Intro: www.icann.org/news/multimedia/621 www.facebook.com/pages/ssac/432173130235645 SAC067 SSAC Advisory on Maintaining the Security and Stability of the IANA Functions Through the Stewardship Transition and SAC068 SSAC Report on the IANA Functions Contract: www.icann.org/news/multimedia/729 16

SAC 95 Advisory on Use of Emoji in Domains SSAC advice adopted by ICANN Board 2 Nov 2017 SSAC strongly recommends that emoji not be included in TLD labels or at any level in a domain name Emoji are symbols in Unicode, which are disallowed in IDNA 2008 17

SAC 95 Advisory on Use of Emoji in Domains Emoji are not designed to be visually uniform or visually distinguishable. Confusability issue for users and poses problems with universal acceptance of domain names. Users can have accessibility problems due to inconsistent rendering. 18

SAC 95 Advisory on Use of Emoji in Domains ICANN Board is requesting the ccnso and GNSO integrate conformance with IDNA 2008 into policies so as to safeguard security, stability, resiliency & interoperability of domain names. Emoji domains are currently being offered by 1 cctld in this region -.ws 19

Topics of Interest/Possible New Work Signing root NS Sets Analysis Are We Ready for an IPv6-Only Internet? Analysis of WannaCry/Conficker Challenges of Hosting Large Domain Portfolios Proposal for.internal SSAC Publication Review SSAC Skills Survey "Emerging Security Issues" Sessions at ICANN meetings 20

Engage with ICANN Thank You and Questions Visit us at icann.org 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback