SlideShare a Scribd company logo

DefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSK

Download as PPTX, PDF
P
Punky Duero

This presentation was delivered during DefCon 25 at the Crypto Village. It provides a reminder and timeline of the KSK Rollover, a tour of the Key Management Facility and an overview of the Key Ceremonies.

Internet
1 of 30
The Key Management Facility of the Root Zone DNSSEC Key Signing Key (KSK) DEF CON 25 – CRYPTO & PRIVACY VILLAGE 30 July 2017 Punky Duero
| 2 What is ICANN? Internet Corporation for Assigned Names and Numbers (ICANN) coordinates the top-level of the Internet’s system of unique identifiers via global, multistakeholder, bottom-up consensus policy process, which is implemented via the IANA Functions • Protocol Parameters • Number Resources • Domain Name Internet Assigned Numbers Authority (IANA) Functions
| 3| 3 Video Clip: The Blacklist Redemption S01-E04
| 4 Agenda Root Zone DNSSEC KSK Rollover Key Management Facility The Key Ceremony 1 2 3
| 5| 5 Root Zone DNSSEC KSK Rollover
| 6 The Root Zone DNSSEC Key Signing Key “KSK” is the top most cryptographic key in the DNSSEC hierarchy KSK ZSK ZSK KSK ZSK KSK Root Zone DNSSEC KSK DNSSEC = “DNS Security Extensions” DNSSEC is a protocol that is currently being deployed to secure the Domain Name System (DNS)
| 7 Root Zone DNSSEC KSK Rollover KSK-2010 KSK-2017 New Key called KSK-2017 RSA-2048RSA-2048 Old Key called KSK-2017 (Operational)
| 8 . IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= Root Zone DNSSEC KSK – KSK-2017
| 9 How To Update Your System If your software supports automated updates of DNSSEC trust anchors (RFC 5011):  The KSK will be updated automatically at the appropriate time  You do not need to take additional action o Devices that are offline during the rollover will have to be updated manually if they are brought online after the rollover is finished If your software does not support automated updates of DNSSEC trust anchors (RFC 5011) or is not configured to use it:  The software’s trust anchor file must be manually updated  The new root zone KSK is now available here after March 2017: Root Anchors data.iana.org/root-anchors
| 10 When Does the Rollover Take Place? The KSK rollover is a process, not a single event The following dates are key milestones in the process when end users may experience interruption in Internet services:
| 11 Check to See If Your Systems Are Ready ICANN is offering a test bed for operators or any interested parties to confirm that their systems handle the automated update process correctly. Check to make sure your systems are ready by visiting: go.icann.org/KSKtest
| 12| 12 Where is the Root Zone DNSSEC KSK?
| 13 Hardware Security Module (HSM) FIPS 140-2 Level 4 Certified • Private Key for KSK-2010 • Private Key for KSK-2017 Photo: www.dj.cx
| 14 Smart Cards Smart Cards Photo: www.dj.cx
| 15 Trusted Community Representative (TCR) Photo by Kim Davies Crypto Officer (CO) Each smart card is assigned to different community members, known as Trusted Community Representatives
| 16 Safe # 2 – Credential Safe Smart Cards Can only be opened by a designated staff, Credential Safe Controller Photo: www.dj.cx Photo: Olaf Kolkman
| 17 Safe #1 – Hardware Safe Hardware Security Module (HSM) Laptop Can only be opened by a designated staff, Hardware Safe Controller Photo: www.dj.cx
| 18 Safe Room Photo: Kim Davies Photo: www.dj.cx Photo: www.dj.cx
| 19 Ceremony Room Mantrap Photo: www.dj.cx
| 20| 20 What is a Key Ceremony?
| 21 Team Ceremony Key Ceremony Not like this Ceremony Tea Ceremony
| 22 Key Ceremony Photo by Kim Davies
| 23 Key Signing Ceremony Trusted Community Representatives Enable the HSMs Ceremony Administrator Performs the Ceremony using scripts Internal Witness Attests the ceremony, signs affidavit Hardware Safe Controller Opens Safe #1 Credential Safe Controller Opens Safe #2 System Administrator Technical Support and Evidence Collection Third-Party Auditors Observe and Attest Root Zone Management Partner Bring Key Signing Request Minimum Participants
| 24| 24 Where is the Key Management Facility?
| 25 Key Management Facility (KMF) US West KMF El Segundo, California US East KMF Culpeper, Virginia
| 26 Trusted Community Representatives (TCRs) Recovery Key Shareholders (RKSH) Photo: Kim Davies
| 27 Trusted Community Representatives (TCRs) Recovery Key Shareholders (RKSH) Crypto Officer (CO) KMF EAST Crypto Officer (CO) WEST 21 TCRs!
| 28 SOC 3 Certification
| 29 Photos Photo by Olaf Kolkman Photo: Kim Davies Photo: Kim Davies Photo: www.dj.cx Photo: www.dj.cx Photo: www.dj.cx Photo: www.dj.cx
| 30 Thank You linkedin/company/icann @punkyduero youtube.com/icannnews Punky Duero Email: punky.duero@icann.org www.icann.org ICANN provided KSK Rollover Information and Tools: https://www.icann.org/kskroll https://github.com/iana-org/get-trust-anchor https://go.icann.org/KSKtest Root Zone DNSSEC Trust Anchor: https://data.iana.org/root-anchors Call for TCRs: https://www.iana.org/help/tcr-application

Recommended

Lancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-securityLancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-securityLancope, Inc.
 
ION Djibouti: KENIC DNSSEC Case Study
ION Djibouti: KENIC DNSSEC Case StudyION Djibouti: KENIC DNSSEC Case Study
ION Djibouti: KENIC DNSSEC Case StudyDeploy360 Programme (Internet Society)
 
Tech Track -- Campbell
Tech Track -- CampbellTech Track -- Campbell
Tech Track -- CampbellPeter Campbell
 
F5 GOV Round Table - Application Centeric Security
F5 GOV Round Table - Application Centeric SecurityF5 GOV Round Table - Application Centeric Security
F5 GOV Round Table - Application Centeric SecurityTzoori Tamam
 
Spider & F5 Round Table - Application Centric Security
Spider & F5 Round Table - Application Centric SecuritySpider & F5 Round Table - Application Centric Security
Spider & F5 Round Table - Application Centric SecurityTzoori Tamam
 
Using Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M usersUsing Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M usersMirantis
 
SACON - Immutable architecture (Nilanjan De)
SACON - Immutable architecture (Nilanjan De)SACON - Immutable architecture (Nilanjan De)
SACON - Immutable architecture (Nilanjan De)Priyanka Aash
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowLancope, Inc.
 

Recommended

Lancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-securityLancope and-cisco-asa-for-advanced-security
Lancope and-cisco-asa-for-advanced-securityLancope, Inc.
 
ION Djibouti: KENIC DNSSEC Case Study
ION Djibouti: KENIC DNSSEC Case StudyION Djibouti: KENIC DNSSEC Case Study
ION Djibouti: KENIC DNSSEC Case StudyDeploy360 Programme (Internet Society)
 
Tech Track -- Campbell
Tech Track -- CampbellTech Track -- Campbell
Tech Track -- CampbellPeter Campbell
 
F5 GOV Round Table - Application Centeric Security
F5 GOV Round Table - Application Centeric SecurityF5 GOV Round Table - Application Centeric Security
F5 GOV Round Table - Application Centeric SecurityTzoori Tamam
 
Spider & F5 Round Table - Application Centric Security
Spider & F5 Round Table - Application Centric SecuritySpider & F5 Round Table - Application Centric Security
Spider & F5 Round Table - Application Centric SecurityTzoori Tamam
 
Using Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M usersUsing Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M usersMirantis
 
SACON - Immutable architecture (Nilanjan De)
SACON - Immutable architecture (Nilanjan De)SACON - Immutable architecture (Nilanjan De)
SACON - Immutable architecture (Nilanjan De)Priyanka Aash
 
Cisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowCisco CSIRT Case Study: Forensic Investigations with NetFlow
Cisco CSIRT Case Study: Forensic Investigations with NetFlowLancope, Inc.
 
Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas Destor
 
Application layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyApplication layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyAdeel Ahmed
 
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Tal Lavian Ph.D.
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 Lancope, Inc.
 
Check Point and Cisco: Securing the Private Cloud
Check Point and Cisco: Securing the Private CloudCheck Point and Cisco: Securing the Private Cloud
Check Point and Cisco: Securing the Private CloudCheck Point Software Technologies
 
Implementing Docker Load Balancing in Microservices Infrastructure
Implementing Docker Load Balancing in Microservices InfrastructureImplementing Docker Load Balancing in Microservices Infrastructure
Implementing Docker Load Balancing in Microservices InfrastructureDevSecOpsSg
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
 
Intro To ECAT
Intro To ECATIntro To ECAT
Intro To ECATcloeven
 
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy ManagementCisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy ManagementAlgoSec
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)Michael Boman
 
2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomwareAlgoSec
 
New Products Overview: Use Cases and Demos
New Products Overview: Use Cases and DemosNew Products Overview: Use Cases and Demos
New Products Overview: Use Cases and DemosCaitlin Magat
 
DNS Measurement Activity on ITB 2010
DNS Measurement Activity on ITB 2010DNS Measurement Activity on ITB 2010
DNS Measurement Activity on ITB 2010Affan Basalamah
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...Robert Conti Jr.
 
(SACON) M T Karunakaran  - Quantum safe Networks
(SACON) M T Karunakaran  - Quantum safe Networks(SACON) M T Karunakaran  - Quantum safe Networks
(SACON) M T Karunakaran  - Quantum safe NetworksPriyanka Aash
 
XenAppDoc
XenAppDocXenAppDoc
XenAppDocMatt R
 
Algosec security policy management for financial institutions
Algosec security policy management for financial institutionsAlgosec security policy management for financial institutions
Algosec security policy management for financial institutionsMaytal Levi
 
What You Should Know Before The Next DDoS Attack
What You Should Know Before The Next DDoS AttackWhat You Should Know Before The Next DDoS Attack
What You Should Know Before The Next DDoS AttackCloudflare
 
Guardicore - Shrink Your Attack Surface with Micro-Segmentation
Guardicore - Shrink Your Attack Surface with Micro-SegmentationGuardicore - Shrink Your Attack Surface with Micro-Segmentation
Guardicore - Shrink Your Attack Surface with Micro-SegmentationCSNP
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkRobb Boyd
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?Deploy360 Programme (Internet Society)
 

More Related Content

What's hot

Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas Destor
 
Application layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyApplication layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyAdeel Ahmed
 
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Tal Lavian Ph.D.
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 Lancope, Inc.
 
Implementing Docker Load Balancing in Microservices Infrastructure
Implementing Docker Load Balancing in Microservices InfrastructureImplementing Docker Load Balancing in Microservices Infrastructure
Implementing Docker Load Balancing in Microservices InfrastructureDevSecOpsSg
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionSam Bowne
 
Intro To ECAT
Intro To ECATIntro To ECAT
Intro To ECATcloeven
 
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy ManagementCisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy ManagementAlgoSec
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)Michael Boman
 
2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomwareAlgoSec
 
New Products Overview: Use Cases and Demos
New Products Overview: Use Cases and DemosNew Products Overview: Use Cases and Demos
New Products Overview: Use Cases and DemosCaitlin Magat
 
DNS Measurement Activity on ITB 2010
DNS Measurement Activity on ITB 2010DNS Measurement Activity on ITB 2010
DNS Measurement Activity on ITB 2010Affan Basalamah
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...Robert Conti Jr.
 
(SACON) M T Karunakaran  - Quantum safe Networks
(SACON) M T Karunakaran  - Quantum safe Networks(SACON) M T Karunakaran  - Quantum safe Networks
(SACON) M T Karunakaran  - Quantum safe NetworksPriyanka Aash
 
XenAppDoc
XenAppDocXenAppDoc
XenAppDocMatt R
 
Algosec security policy management for financial institutions
Algosec security policy management for financial institutionsAlgosec security policy management for financial institutions
Algosec security policy management for financial institutionsMaytal Levi
 
What You Should Know Before The Next DDoS Attack
What You Should Know Before The Next DDoS AttackWhat You Should Know Before The Next DDoS Attack
What You Should Know Before The Next DDoS AttackCloudflare
 
Guardicore - Shrink Your Attack Surface with Micro-Segmentation
Guardicore - Shrink Your Attack Surface with Micro-SegmentationGuardicore - Shrink Your Attack Surface with Micro-Segmentation
Guardicore - Shrink Your Attack Surface with Micro-SegmentationCSNP
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkRobb Boyd
 

What's hot (20)

Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018Nicolas destor pres_f5agility2018
Nicolas destor pres_f5agility2018
 
Application layer Security in IoT: A Survey
Application layer Security in IoT: A SurveyApplication layer Security in IoT: A Survey
Application layer Security in IoT: A Survey
 
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines
Enabling Active Flow Manipulation In Silicon-based Network Forwarding Engines
 
What's New in StealthWatch v6.5
What's New in StealthWatch v6.5 What's New in StealthWatch v6.5
What's New in StealthWatch v6.5
 
Check Point and Cisco: Securing the Private Cloud
Check Point and Cisco: Securing the Private CloudCheck Point and Cisco: Securing the Private Cloud
Check Point and Cisco: Securing the Private Cloud
 
Implementing Docker Load Balancing in Microservices Infrastructure
Implementing Docker Load Balancing in Microservices InfrastructureImplementing Docker Load Balancing in Microservices Infrastructure
Implementing Docker Load Balancing in Microservices Infrastructure
 
CNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data CollectionCNIT 152: 6 Scoping & 7 Live Data Collection
CNIT 152: 6 Scoping & 7 Live Data Collection
 
Intro To ECAT
Intro To ECATIntro To ECAT
Intro To ECAT
 
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy ManagementCisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
Cisco ACI & Hybrid Networks - Breaking Down Silos with Central Policy Management
 
SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)SoHo Honeypot (LUGS)
SoHo Honeypot (LUGS)
 
2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware2021 01-13 reducing risk-of_ransomware
2021 01-13 reducing risk-of_ransomware
 
New Products Overview: Use Cases and Demos
New Products Overview: Use Cases and DemosNew Products Overview: Use Cases and Demos
New Products Overview: Use Cases and Demos
 
DNS Measurement Activity on ITB 2010
DNS Measurement Activity on ITB 2010DNS Measurement Activity on ITB 2010
DNS Measurement Activity on ITB 2010
 
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
ISS Capstone - Martinez Technology Consulting and Cedar Hills Church Security...
 
(SACON) M T Karunakaran  - Quantum safe Networks
(SACON) M T Karunakaran  - Quantum safe Networks(SACON) M T Karunakaran  - Quantum safe Networks
(SACON) M T Karunakaran  - Quantum safe Networks
 
XenAppDoc
XenAppDocXenAppDoc
XenAppDoc
 
Algosec security policy management for financial institutions
Algosec security policy management for financial institutionsAlgosec security policy management for financial institutions
Algosec security policy management for financial institutions
 
What You Should Know Before The Next DDoS Attack
What You Should Know Before The Next DDoS AttackWhat You Should Know Before The Next DDoS Attack
What You Should Know Before The Next DDoS Attack
 
Guardicore - Shrink Your Attack Surface with Micro-Segmentation
Guardicore - Shrink Your Attack Surface with Micro-SegmentationGuardicore - Shrink Your Attack Surface with Micro-Segmentation
Guardicore - Shrink Your Attack Surface with Micro-Segmentation
 
Cisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your NetworkCisco Network Insider: Three Ways to Secure your Network
Cisco Network Insider: Three Ways to Secure your Network
 

Similar to DefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSK

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSECAPNIC
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECChin Wan Lim
 
F5 and Infoblox deliver complete secured DNS infrastructure
F5 and Infoblox deliver complete secured DNS infrastructureF5 and Infoblox deliver complete secured DNS infrastructure
F5 and Infoblox deliver complete secured DNS infrastructureDSorensenCPR
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People SPC Adriatics
 
Securing the Helix Platform at Citrix
Securing the Helix Platform at CitrixSecuring the Helix Platform at Citrix
Securing the Helix Platform at CitrixPerforce
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
 
ICANN Presentation - iWeek2017
ICANN Presentation - iWeek2017ICANN Presentation - iWeek2017
ICANN Presentation - iWeek2017dotZADNA
 
Vpn security agenda by cover our privacy
Vpn security agenda by cover our privacyVpn security agenda by cover our privacy
Vpn security agenda by cover our privacyEric Fedewa
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solutionmatthew.maisel
 
Secure collab on prem hikmat
Secure collab on prem hikmatSecure collab on prem hikmat
Secure collab on prem hikmatCisco Canada
 
Secure collab on premise
Secure collab on premiseSecure collab on premise
Secure collab on premiseCisco Canada
 
What's Next : A Trillion Event Logs, A Million Security Threat
What's Next : A Trillion Event Logs, A Million Security ThreatWhat's Next : A Trillion Event Logs, A Million Security Threat
What's Next : A Trillion Event Logs, A Million Security ThreatAlan Yau Ti Dun
 

Similar to DefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSK (20)

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSEC
 
F5 and Infoblox deliver complete secured DNS infrastructure
F5 and Infoblox deliver complete secured DNS infrastructureF5 and Infoblox deliver complete secured DNS infrastructure
F5 and Infoblox deliver complete secured DNS infrastructure
 
Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 
Securing the Helix Platform at Citrix
Securing the Helix Platform at CitrixSecuring the Helix Platform at Citrix
Securing the Helix Platform at Citrix
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
 
ICANN Presentation - iWeek2017
ICANN Presentation - iWeek2017ICANN Presentation - iWeek2017
ICANN Presentation - iWeek2017
 
Cisco SecureX.pdf
Cisco SecureX.pdfCisco SecureX.pdf
Cisco SecureX.pdf
 
Vpn security agenda by cover our privacy
Vpn security agenda by cover our privacyVpn security agenda by cover our privacy
Vpn security agenda by cover our privacy
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solution
 
Secure collab on prem hikmat
Secure collab on prem hikmatSecure collab on prem hikmat
Secure collab on prem hikmat
 
Secure collab on premise
Secure collab on premiseSecure collab on premise
Secure collab on premise
 
What's Next : A Trillion Event Logs, A Million Security Threat
What's Next : A Trillion Event Logs, A Million Security ThreatWhat's Next : A Trillion Event Logs, A Million Security Threat
What's Next : A Trillion Event Logs, A Million Security Threat
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 

Recently uploaded

Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...akbard9823
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一3sw2qly1
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 

Recently uploaded (20)

Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICECall Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
Call Girls Service Dwarka @9999965857 Delhi 🫦 No Advance VVIP 🍎 SERVICE
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 

DefCon 25 - The Key Management Facility of the Root Zone DNSSEC KSK

  • 1. The Key Management Facility of the Root Zone DNSSEC Key Signing Key (KSK) DEF CON 25 – CRYPTO & PRIVACY VILLAGE 30 July 2017 Punky Duero
  • 2. | 2 What is ICANN? Internet Corporation for Assigned Names and Numbers (ICANN) coordinates the top-level of the Internet’s system of unique identifiers via global, multistakeholder, bottom-up consensus policy process, which is implemented via the IANA Functions • Protocol Parameters • Number Resources • Domain Name Internet Assigned Numbers Authority (IANA) Functions
  • 3. | 3| 3 Video Clip: The Blacklist Redemption S01-E04
  • 4. | 4 Agenda Root Zone DNSSEC KSK Rollover Key Management Facility The Key Ceremony 1 2 3
  • 5. | 5| 5 Root Zone DNSSEC KSK Rollover
  • 6. | 6 The Root Zone DNSSEC Key Signing Key “KSK” is the top most cryptographic key in the DNSSEC hierarchy KSK ZSK ZSK KSK ZSK KSK Root Zone DNSSEC KSK DNSSEC = “DNS Security Extensions” DNSSEC is a protocol that is currently being deployed to secure the Domain Name System (DNS)
  • 7. | 7 Root Zone DNSSEC KSK Rollover KSK-2010 KSK-2017 New Key called KSK-2017 RSA-2048RSA-2048 Old Key called KSK-2017 (Operational)
  • 8. | 8 . IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= Root Zone DNSSEC KSK – KSK-2017
  • 9. | 9 How To Update Your System If your software supports automated updates of DNSSEC trust anchors (RFC 5011):  The KSK will be updated automatically at the appropriate time  You do not need to take additional action o Devices that are offline during the rollover will have to be updated manually if they are brought online after the rollover is finished If your software does not support automated updates of DNSSEC trust anchors (RFC 5011) or is not configured to use it:  The software’s trust anchor file must be manually updated  The new root zone KSK is now available here after March 2017: Root Anchors data.iana.org/root-anchors
  • 10. | 10 When Does the Rollover Take Place? The KSK rollover is a process, not a single event The following dates are key milestones in the process when end users may experience interruption in Internet services:
  • 11. | 11 Check to See If Your Systems Are Ready ICANN is offering a test bed for operators or any interested parties to confirm that their systems handle the automated update process correctly. Check to make sure your systems are ready by visiting: go.icann.org/KSKtest
  • 12. | 12| 12 Where is the Root Zone DNSSEC KSK?
  • 13. | 13 Hardware Security Module (HSM) FIPS 140-2 Level 4 Certified • Private Key for KSK-2010 • Private Key for KSK-2017 Photo: www.dj.cx
  • 14. | 14 Smart Cards Smart Cards Photo: www.dj.cx
  • 15. | 15 Trusted Community Representative (TCR) Photo by Kim Davies Crypto Officer (CO) Each smart card is assigned to different community members, known as Trusted Community Representatives
  • 16. | 16 Safe # 2 – Credential Safe Smart Cards Can only be opened by a designated staff, Credential Safe Controller Photo: www.dj.cx Photo: Olaf Kolkman
  • 17. | 17 Safe #1 – Hardware Safe Hardware Security Module (HSM) Laptop Can only be opened by a designated staff, Hardware Safe Controller Photo: www.dj.cx
  • 18. | 18 Safe Room Photo: Kim Davies Photo: www.dj.cx Photo: www.dj.cx
  • 20. | 20| 20 What is a Key Ceremony?
  • 21. | 21 Team Ceremony Key Ceremony Not like this Ceremony Tea Ceremony
  • 22. | 22 Key Ceremony Photo by Kim Davies
  • 23. | 23 Key Signing Ceremony Trusted Community Representatives Enable the HSMs Ceremony Administrator Performs the Ceremony using scripts Internal Witness Attests the ceremony, signs affidavit Hardware Safe Controller Opens Safe #1 Credential Safe Controller Opens Safe #2 System Administrator Technical Support and Evidence Collection Third-Party Auditors Observe and Attest Root Zone Management Partner Bring Key Signing Request Minimum Participants
  • 24. | 24| 24 Where is the Key Management Facility?
  • 25. | 25 Key Management Facility (KMF) US West KMF El Segundo, California US East KMF Culpeper, Virginia
  • 26. | 26 Trusted Community Representatives (TCRs) Recovery Key Shareholders (RKSH) Photo: Kim Davies
  • 27. | 27 Trusted Community Representatives (TCRs) Recovery Key Shareholders (RKSH) Crypto Officer (CO) KMF EAST Crypto Officer (CO) WEST 21 TCRs!
  • 28. | 28 SOC 3 Certification
  • 29. | 29 Photos Photo by Olaf Kolkman Photo: Kim Davies Photo: Kim Davies Photo: www.dj.cx Photo: www.dj.cx Photo: www.dj.cx Photo: www.dj.cx
  • 30. | 30 Thank You linkedin/company/icann @punkyduero youtube.com/icannnews Punky Duero Email: punky.duero@icann.org www.icann.org ICANN provided KSK Rollover Information and Tools: https://www.icann.org/kskroll https://github.com/iana-org/get-trust-anchor https://go.icann.org/KSKtest Root Zone DNSSEC Trust Anchor: https://data.iana.org/root-anchors Call for TCRs: https://www.iana.org/help/tcr-application

Editor's Notes

  1. KSK Rollover – Reminder and what’s going on KMF – Tour, Show and tell Key Ceremony – How is it related?
  2. Dan