ITAR experiences
Transcript

  • 1. ITAR Technical Overview. Seoul, Republic of Korea, October 2009. Kim Davies, Manager, Root Zone Services, Internet Corporation for Assigned Names & Numbers
  • 2. Interim Trust Anchor Repository
    ‣ Dissemination mechanism for TLD trust anchors
    ‣ Uses the same trust relationships used for managing the root zone
    ‣ Does not impact the root zone; requires specific configuration by DNS users who want to use the service
    ‣ Designed to be an interim step to enable early DNSSEC deployment prior to a signed root zone
  • 3. Scoping the project
    ‣ The RIPE community was a principal driver for launching this service and specified a number of design requirements
    ‣ We spoke with a number of TLD operators about how they would like to use the service
    ‣ Not a service in the IANA contract, so it did not carry any design requirements relating to that
  • 4. Design decisions
    ‣ Simple as possible
    ‣ As fully automated as possible
    ‣ Strict technical criteria
    ‣ One check for DNSKEY, but mandatory
  • 5. How it was developed
    ‣ Django web framework
    ‣ Two instances
      ‣ Public-facing instance (web, rsync)
      ‣ Internal management instance (web)
    ‣ Single external data dependency
      ‣ Syncing with the IANA root zone database application to obtain the list of valid TLDs and the details of domain contacts
    ‣ Otherwise entirely self-contained
  • 6. Data model
    ‣ Three database models
      ‣ Trust Anchor: a trust anchor with its properties
      ‣ Change Request: an instruction to add or revoke a TA
      ‣ Domain: a domain with its contact properties
  • 7. Workflow
    # Change Request states, in the (value, label) layout used for a Django
    # model field's choices. The STATE_* constants are defined elsewhere in
    # the application; the slide annotates the first three with the step
    # numbers 1-3 and brackets Completed through Exception as terminal states.
    STATES = (
        (STATE_INACTIVE,     'Inactive'),                  # step 1
        (STATE_NEEDSCONFIRM, 'Needs Confirmation'),        # step 2
        (STATE_NEEDSREVIEW,  'Needs Review'),              # step 3
        (STATE_NEEDSKEY,     'Needs Key in DNS'),
        (STATE_COMPLETED,    'Completed'),                 # terminal states
        (STATE_REJECTED,     'Rejected'),                  #   (from here down)
        (STATE_WITHDRAWN,    'Withdrawn'),
        (STATE_ADMINCLOSED,  'Administratively Closed'),
        (STATE_EXCEPTION,    'Exception'),
    )
  • 8. Email templates
    -rw-r--r--@ 1 kim staff  562 25 Dec  2008 add_request_completed.txt
    -rw-r--r--@ 1 kim staff  747 25 Dec  2008 adminclose_ianacheck.txt
    -rw-r--r--@ 1 kim staff  780 25 Dec  2008 adminclose_lackconfirms.txt
    -rw-r--r--@ 1 kim staff  747 25 Dec  2008 adminclose_nokey.txt
    -rw-r--r--@ 1 kim staff  917 24 Dec  2008 anchor_now_active.txt
    -rw-r--r--@ 1 kim staff  766 24 Dec  2008 anchor_now_expired.txt
    -rw-r--r--@ 1 kim staff  840 25 Dec  2008 dnskey_gone_missing.txt
    -rw-r--r--@ 1 kim staff 1171 25 Dec  2008 email_confirm_needed.txt
    -rw-r--r--@ 1 kim staff  849 14 Jan  2009 ianacheck_needed.txt
    -rw-r--r--@ 1 kim staff  626 25 Dec  2008 rejected.txt
    -rw-r--r--@ 1 kim staff  941 17 Apr  2009 reminder_dnskey_missing.txt
    -rw-r--r--@ 1 kim staff  763 24 Dec  2008 revoke_request_completed.txt
  • 9. Web Templates
    -rw-r--r--@ 1 kim staff  509 13 Feb  2009 404.html
    -rw-r--r--@ 1 kim staff  708 13 Feb  2009 500.html
    -rw-r--r--@ 1 kim staff  833 13 Feb  2009 add_anchor_accepted.html
    -rw-r--r--@ 1 kim staff 6404 13 Feb  2009 add_anchor_form.html
    -rw-r--r--@ 1 kim staff 1486 13 Feb  2009 anchor_view.html
    -rw-r--r--@ 1 kim staff  526 16 Jan  2009 anchor_view_expired.html
    -rw-r--r--@ 1 kim staff  589 16 Jan  2009 anchor_view_revoked.html
    -rw-r--r--@ 1 kim staff  159 13 Jan  2009 base.html
    -rw-r--r--@ 1 kim staff 2900 13 Jan  2009 base_master,v1.html
    -rw-r--r--@ 1 kim staff 5611 18 Feb  2009 base_master.html
    -rw-r--r--@ 1 kim staff  629 18 Feb  2009 disposition_recorded.html
    -rw-r--r--@ 1 kim staff 4308 18 Feb  2009 front_page.html
    -rw-r--r--@ 1 kim staff   20 22 May  2008 header.html
    -rw-r--r--@ 1 kim staff 2673 18 Feb  2009 iana_check_form.html
    -rw-r--r--@ 1 kim staff 3351 27 Jul 00:23 instructions.html
    -rw-r--r--@ 1 kim staff  278 11 Feb  2009 invalid_token.html
    -rw-r--r--@ 1 kim staff 2960 13 Feb  2009 procedures.html
    -rw-r--r--@ 1 kim staff 3068 13 Feb  2009 revoke_anchor_form_step0.html
    -rw-r--r--@ 1 kim staff 2820 28 Jan  2009 revoke_anchor_form_step1.html
    -rw-r--r--@ 1 kim staff 3127 26 Oct  2008 revoke_anchor_form_step2.html
    -rw-r--r--@ 1 kim staff 3127 26 Oct  2008 revoke_anchor_form_step3.html
    -rw-r--r--@ 1 kim staff  355 16 Jan  2009 revoke_missing.html
    -rw-r--r--@ 1 kim staff 2845 13 Feb  2009 take_disposition_form.html
    -rw-r--r--@ 1 kim staff  373 13 Feb  2009 token_used.html
    -rw-r--r--@ 1 kim staff  543 13 Feb  2009 token_wrong_state.html
    -rw-r--r--@ 1 kim staff  249 11 Feb  2009 unavailable.html
  • 10. Experience
    ‣ The only code modification since creation has been improving a support script (anchors2keys) to help BIND users
    ‣ Gaining operational experience from how TLD operators use it:
      ‣ TLD anchors expiring without their replacements having been provided
      ‣ TLDs not using the KSK/ZSK model
      ‣ TLDs continuing to use their anchor after its effectivity period
      ‣ TLDs who repeatedly enter wrong data
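The first operational problem above (anchors expiring with no replacement listed) is detectable from the repository's own data, since every anchor carries an effectivity period. The block below is an added example, not ITAR's code: it assumes a TrustAnchor record with domain, key_tag, start and end fields, and the sample TLDs and dates are constructed. It flags anchors that are currently effective, expire within a warning window, and have no successor for the same domain that is already effective when they end; a successor that only starts after the expiry date leaves a gap and is deliberately not counted.

```python
"""Added example: find trust anchors nearing expiry with no listed replacement.

Hypothetical code, not part of ITAR; the TrustAnchor fields (domain, key_tag,
start, end) are assumptions modelled on the effectivity period the slides mention.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class TrustAnchor:
    domain: str
    key_tag: int
    start: date  # first day of the effectivity period
    end: date    # last day of the effectivity period


def has_overlapping_successor(anchor: TrustAnchor, anchors) -> bool:
    """True if another anchor for the same domain is effective when `anchor` ends.

    A successor that only starts after `anchor.end` leaves a window with no
    usable anchor for validators, so it does not count as a replacement.
    """
    return any(
        other is not anchor
        and other.domain == anchor.domain
        and other.end > anchor.end
        and other.start <= anchor.end
        for other in anchors
    )


def anchors_needing_reminder(anchors, today: date, warn_within=timedelta(days=30)):
    """Currently effective anchors expiring within `warn_within` with no successor."""
    flagged = []
    for anchor in anchors:
        if not anchor.start <= today <= anchor.end:
            continue  # not currently effective: nothing to warn about yet
        if anchor.end - today > warn_within:
            continue  # expiry is still outside the warning window
        if not has_overlapping_successor(anchor, anchors):
            flagged.append(anchor)
    return flagged


# Constructed sample data (fictional TLDs and dates), not taken from ITAR.
SAMPLE_ANCHORS = [
    TrustAnchor("example", 1, date(2009, 1, 1), date(2009, 11, 1)),    # no successor
    TrustAnchor("test", 10, date(2009, 1, 1), date(2009, 11, 1)),      # replaced by tag 11
    TrustAnchor("test", 11, date(2009, 10, 1), date(2010, 10, 1)),
    TrustAnchor("gap", 30, date(2009, 1, 1), date(2009, 11, 1)),       # successor starts too late
    TrustAnchor("gap", 31, date(2009, 11, 15), date(2010, 11, 15)),
    TrustAnchor("other", 40, date(2009, 1, 1), date(2010, 5, 1)),      # not expiring soon
]


def sample_reminders(today=date(2009, 10, 15)):
    """(domain, key_tag) pairs that would get a reminder on `today`."""
    return [(a.domain, a.key_tag) for a in anchors_needing_reminder(SAMPLE_ANCHORS, today)]


if __name__ == "__main__":
    for domain, key_tag in sample_reminders():
        print(f"{domain}: anchor {key_tag} expires soon and no replacement is listed")
```

Run daily against the anchor table, the returned list is exactly the set of operators who should receive the "your key is about to expire" notice; the gap case shows why the check must compare the successor's start against the expiring anchor's end rather than merely counting anchors per domain.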
  • 11. Future
    ‣ ITAR will continue to run at least until the root zone is signed
    ‣ When the root zone is signed, consult the community on its future
  • 12. Improvement ideas
    ‣ More proactive notifications of events of interest
      ‣ “Your key is about to expire and you haven’t listed a replacement yet.”
      ‣ “You seem to have entered the wrong algorithm code, because everything else checks out. Want to change it?”
    ‣ Discussion on the IETF DNSOP list about recommending a refresh period
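The "wrong algorithm code, but everything else checks out" case is detectable because a DS digest is computed over the DNSKEY itself (owner name plus DNSKEY RDATA, RFC 4034 section 5.1.4), so a submitted DS whose digest matches the key published in DNS but whose algorithm or key tag field differs can only be a mistyped field. The block below is an added example, not ITAR's code: it implements the RFC 4034 key tag and DS digest computation over a DNSKEY fetched from DNS, and classifies a submitted DS as ok, a digest mismatch, or a mismatch in just the algorithm or key tag field. The DNSKEY and DS classes, check_submission, and the sample key (a 4-byte placeholder, not a real TLD key) are assumptions; it is the kind of single mandatory DNSKEY check slide 4 describes, standing behind the 'Needs Key in DNS' state.

```python
"""Added example: check a submitted DS against the DNSKEY published in DNS.

Hypothetical code, not ITAR's own; implements the key tag (RFC 4034 App. B)
and DS digest (RFC 4034 s5.1.4) over a DNSKEY obtained from DNS.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DS_DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    name = name.lower().rstrip(".")
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".") if label)
    return wire + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def parse(cls, text: str) -> "DNSKEY":
        """Parse presentation format: '<owner> [IN] DNSKEY <flags> <proto> <alg> <base64...>'."""
        fields = text.split()
        idx = fields.index("DNSKEY")
        flags, proto, alg = (int(f) for f in fields[idx + 1:idx + 4])
        key = base64.b64decode("".join(fields[idx + 4:]))
        return cls(fields[0], flags, proto, alg, key)

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (for every algorithm except 1)."""
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += byte if i & 1 else byte << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds_digest(self, digest_type: int) -> bytes:
        """DS digest: hash(canonical owner name | DNSKEY RDATA)."""
        h = DS_DIGEST_ALGORITHMS[digest_type]()
        h.update(name_to_wire(self.owner) + self.rdata())
        return h.digest()


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS a careful operator would submit for `key`."""
    return DS(key.key_tag(), key.algorithm, digest_type, key.ds_digest(digest_type))


def check_submission(submitted: DS, published: DNSKEY) -> str:
    """Classify a submitted DS against the DNSKEY actually seen in the TLD's apex."""
    if submitted.digest_type not in DS_DIGEST_ALGORITHMS:
        return "unsupported-digest-type"
    if submitted.digest != published.ds_digest(submitted.digest_type):
        return "digest-mismatch"  # wrong key, wrong owner, or corrupted digest
    # The digest already covers the key's algorithm and RDATA, so a matching
    # digest with a differing algorithm or key tag means only that field was mistyped.
    if submitted.algorithm != published.algorithm:
        return "algorithm-mismatch"
    if submitted.key_tag != published.key_tag():
        return "key-tag-mismatch"
    return "ok"


# Constructed sample key: flags 257 (KSK), algorithm 8, 4-byte placeholder public key.
SAMPLE_KEY = DNSKEY.parse("example. IN DNSKEY 257 3 8 AAECAw==")

if __name__ == "__main__":
    good = make_ds(SAMPLE_KEY)
    typo = DS(good.key_tag, 13, good.digest_type, good.digest)  # algorithm mistyped
    print(check_submission(good, SAMPLE_KEY), check_submission(typo, SAMPLE_KEY))
```

Only "ok" should advance a Change Request out of 'Needs Key in DNS'; "algorithm-mismatch" and "key-tag-mismatch" are the cases where the proposed notification can safely offer a correction, while "digest-mismatch" says nothing about which field is wrong and should just be reported.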
  • 13. Difference from ITAR to signed root
  • 14. [Timeline diagram] A trust anchor listed in ITAR with start: 1 May, end: 1 Jun. Labels: list TA, IANA proc, variability, Visible in ITAR.
  • 15. [Timeline diagram] The same anchor via the signed root, 1 May to 1 Jun. Labels: add TA, del TA, VRSN proc, IANA proc, NTIA proc, variability, Visible in root.
  • 16. [Diagram] DNS Root. No relationship with root zone
  • 17. [Diagram] DNS Root. No relationship with root zone
  • 18. [Diagram] DNS Root. No relationship with root zone
  • 19. Thanks! kim.davies@icann.org