Signing the Root

496 views
424 views

Published on

DNSSEC Signing the Root

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
496
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Signing the Root

  1. 1. DNSSEC for the Root Zone LACNIC XIII Curacao, Netherlands Antilles May 2010 Mehmet Akcin, ICANN Tuesday, May 18, 2010
  2. 2. This design is the result of a cooperation between ICANN & VeriSign with support from the U.S. DoC NTIA Tuesday, May 18, 2010
  3. 3. Quick Recap • 2048-bit RSA KSK, 1024-bit RSA ZSK • Signatures with RSA/SHA-256 • Split ZSK/KSK operations • Incremental deployment • Deliberately Unvalidatable Root Zone (DURZ) • more information @ www.root-dnssec.org Tuesday, May 18, 2010
  4. 4. DURZ Deployment • The Deliberately Unvalidatable Root Zone (DURZ) deployment started on 27 January. • As of 5 May, all 13 root servers are serving the DURZ. Tuesday, May 18, 2010
  5. 5. DURZ Data Collections Pre-DURZ 2010-01-19 ✔ L 2010-01-27 ✔ A 2010-02-10 ✔ I,M 2010-03-03 ✔ D, E, K 2010-03-24 ✔ B,C,F,G,H 2010-04-14 ✔ J 2010-05-05 ✔ Tuesday, May 18, 2010
  6. 6. Tuesday, May 18, 2010
  7. 7. L-Root’s DURZ Date 01/26/10 Tuesday, May 18, 2010
  8. 8. Tuesday, May 18, 2010
  9. 9. Tuesday, May 18, 2010
  10. 10. All Roots serving DURZ Date 05/05/10 Tuesday, May 18, 2010
  11. 11. Tuesday, May 18, 2010
  12. 12. L-Root’s DURZ Date 01/26/10 Tuesday, May 18, 2010
  13. 13. All Roots serving DURZ Date 05/05/10 Tuesday, May 18, 2010
  14. 14. Tuesday, May 18, 2010
  15. 15. Tuesday, May 18, 2010
  16. 16. UDP Priming Query Rate for the previous month as of 2010 05 01 00:00:00 450 A root C root 400 D root E root 350 F root G root H root 300 Queries Per Second J root L root 250 M root 200 150 100 50 0 MAR31 APR5 APR10 APR15 APR20 APR25 APR30 Date/Time, UTC Tuesday, May 18, 2010
  17. 17. UDP Priming Query Rate for the previous month as of 2010 05 01 00:00:00 450 A root C root 400 D root E root 350 F root G root A single nameserver H root 300 instance with Queries Per Second J root max-cache-ttl=0 L root 250 M root 200 150 100 50 0 MAR31 APR5 APR10 APR15 APR20 APR25 APR30 Date/Time, UTC Tuesday, May 18, 2010
  18. 18. DS Change Requests • Approach likely to be based on existing methods for TLD managers to request changes in root zone. • Anticipate being able to accept DS requests in early June. Tuesday, May 18, 2010
  19. 19. Policy Update • Updated versions of the draft KSK and ZSK DNSSEC Practice Statements (DPS) will be published shortly. ‣ Not much has changed substantively, but please read these practice statements – answers to most questions regarding DNSSEC for the Root Zone can be found in the DPS. Tuesday, May 18, 2010
  20. 20. TCR Update • Trusted Community Representative Applications were submitted between 13-24 April 2010. • 61 Total Applications ‣ 5 from LACNIC ‣ Background checks are being completed. Tuesday, May 18, 2010
  21. 21. KSK Ceremonies • First ceremony will take a place in ICANN KSK East Coast Facility in Culpeper,Virginia • 16 June 2010 ‣ More information will be posted on website http://www.root-dnssec.org Tuesday, May 18, 2010
  22. 22. Documentation Available at www.root-dnssec.org • Requirements • High Level Technical Architecture • DNSSEC Practice Statements (DPS) • Trust Anchor Publication • Deployment Plan • KSK Ceremonies Guide • TCR Proposal • Resolver Testing with a DURZ • DS Record Handling • DNSSEC Key Management Implementation Tuesday, May 18, 2010
  23. 23. Next Steps • 2010-06-16: First Key Signing Key (KSK) Ceremony ‣ Culpeper, US (ICANN East Coast KSK facility) • 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor ‣ More data analysis and dodging meetings and holidays. Tuesday, May 18, 2010
  24. 24. Questions & Answers Tuesday, May 18, 2010
  25. 25. rootsign@icann.org Tuesday, May 18, 2010
  26. 26. Root DNSSEC Design Team Joe Abley Mehmet Akcin David Blacka David Conrad Richard Lamb Matt Larson Fredrik Ljunggren Dave Knight Tomofumi Okubo Jakob Schlyter Duane Wessels Tuesday, May 18, 2010

×