SlideShare a Scribd company logo

2017 DNSSEC KSK Rollover

APNIC
APNIC

This document discusses the 2017 rollover of the DNSSEC Key Signing Key (KSK) for the root zone. It provides details on the timeline and process for the rollover, including: - The new KSK ("KSK-2017") will be put into production in October 2017 to replace the existing KSK ("KSK-2010"). - DNS operators should follow Automated Updates of DNSSEC Trust Anchors (RFC 5011) to automatically obtain and trust the new KSK after July 2017. - Resources are available to help operators validate and obtain the new KSK manually if needed.

Internet
1 of 29
2017 DNSSEC KSK Rollover Rick Lamb | February 2017
| 2 To publicize the new Root Zone DNSSEC KSK Provide status, upcoming events, and contact information Provide helpful resources on the KSK roll 1 2 3 What is the purpose of this talk?
| 3 What is the Root Zone DNSSEC KSK? DATA ¤ The Root Zone DNSSEC Key Signing Key “KSK” is the top most cryptographic key in the DNSSEC hierarchy ¤ Public portion of the KSK is configuration parameter in DNS validating revolvers KSK
| 4 What does it mean to rollover the Root Zone DNSSEC KSK? ¤ There has been one functional, operational Root Zone DNSSEC KSK ¤ Called "KSK-2010" ¤ Since 2010, nothing before that ¤ A new KSK will be put into production later this year ¤ Call it "KSK-2017" ¤ An orderly succession for continued smooth operations ¤ Operators of DNSSEC recursive servers may have some work ¤ As little as review configurations ¤ As much as install KSK-2017
| 5 What are the rollover’s milestones? Event Date Creation of KSK-2017 October 27, 2016 Production Qualified February 2, 2017 Out-of-DNS-band Publication Now, onwards In-band (Automated Updates) Publication July 11, 2017 onwards Sign (Production Use) October 11, 2017 onwards Revoke KSK-2010 January 11, 2018 Remove KSK-2010 from systems Dates TBD, 2018
| 6 How can the new key be recognized? . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D084 58E880409BBC683457104237C7F8EC8D "Root" ¤ The KSK-2017’s Key Tag is 20326 ¤ The Delegation Signer (DS) resource record for KSK-2017 is Note: liberties taken with formatting for presentation purposes
| 7 What does the new DNSKEY Resource Record look like? . IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= "Root" ¤ For KSK-2017, the DNSKEY resource record is Note: liberties taken with formatting for presentation purposes
| 8
| 9 Why are there DS and DNSKEY forms of KSK-2017? ¤ Tools that you will use to manage DNSSEC trust anchor configurations work on either the DS form, the DNSKEY form or both ¤ Per tool, historical reasons ¤ The DS record contains a hash of KSK-2017 ¤ The DNSKEY record contains the public key of KSK-2017 ¤ Consult your tool’s documentation to know which is appropriate
| 10 What is the state of the system? ¤ Sunny, as in “sunny day scenario” ¤ We are changing the KSK under good conditions ¤ Leverage trust in KSK-2010 to distribute KSK-2017 ¤ Recommended course of action – rely on RFC 5011’s Automated Updates of DNSSEC Trust Anchors protocol ¤ Why mention this? ¤ Alternative to Automated Updates is bootstrapping (or establishing an initial state of trust in) a trust anchor ¤ That would be necessary in stormy (emergency) conditions
| 11 What is Automated Updates of DNSSEC Trust Anchors? ¤ Automated Updates of DNSSEC Trust Anchors (RFC 5011) ¤ Use the current trust anchor(s) to learn new ¤ To allow for unattended DNSSEC validator operations ¤ Based on "time" – if a new one appears and no one complains for some specified time, it can be trusted ¤ Defined "add hold" time is 30 days
| 12 How does this look on a calendar? KSK-2017 appears in DNS KSK-2017 should be trusted KSK-2017 starts signing
| 13 What does it mean if you rely on Automated Updates? ¤ On 11 July 2017 ¤ KSK-2017's DNSKEY record will appear in the DNS root key set ¤ Tools following RFC 5011 will start counting days ¤ After 11 August 2017 (give or take a day) ¤ Your tool should see KSK-2017 in its trust anchor database ¤ If not, debugging is needed, you have a few weeks to fix ¤ (Don't panic if it it's not immediate, remember time zone, etc.) ¤ On 11 October 2017 ¤ KSK-2017 goes "live," validation ought to be confirmed
| 14 What is favorable about Automatic Updates? ¤ Many DNSSEC validation tools have RFC 5011 support built-in ¤ The support needs to be configured properly, consult your administrator guide ¤ All in all, nothing an operator can't handle ¤ You can choose to "do it the hard way" ¤ You do have options ¤ We are providing the keys in different ways to help
| 15 Is Automated Updates or a manual approach preferred? ¤ Mindful that the choice is a matter of local policy ¤ DNSSEC validation is for the benefit of the receiver ¤ Not all operational environments are the same, not all validating tools implement Automated Updates ¤ We are doing out or best to accommodate different approaches ¤ Automated Updates is likely the preferred approach ¤ Relies only on what has been trusted before ¤ It's the most reliable/stable approach, simplest basis for trust
| 16 How can the new key be obtained and verified automatically? ¤ If you are DNSSEC validating with KSK-2010 ¤ You can simply follow Automated Updates of DNSSEC Trust Anchors by configuring your tool of choice to do so
| 17 How can the new key be obtained and verified manually? ¤ Via the official IANA trust anchor XML file at https://data.iana.org/root-anchors/root-anchors.xml ¤ Contains the same information as a DS record for KSK-2017 ¤ Validate root-anchors.xml with the detached signature at https://data.iana.org/root-anchors/root-anchors.p7s ¤ Via DNS (i.e., ask a root server for “./IN/DNSKEY”) ¤ Validate the KSK-2017 by comparison with other trusted copies ¤ Via “Other means” ...
| 18 What “other means” for a manual approach? ¤ Most software/OS distributions of DNSSEC ¤ Embed copies of the KSK (now KSK-2010, later KSK-2017) ¤ In contact with as many distributors as possible ¤ Compare with the key from these slides ¤ If you trust the presentation copy you've seen here ¤ Obtain a copy from another operator, or other trusted source ¤ How well do you trust "them"? ¤ Perhaps it will be on a trinket too ¤ Not promising one, but...
| 19 What is get_trust_anchor.py? ¤ Tool that retrieves "https://data.iana.org/root-anchors/root- anchors.xml" and validates all active root KSK records https://github.com/kirei/get_trust_anchor ¤ Contains extensive in-code comments/documentation ¤ Download & run in python v2.7, v3 or newer $ python get_trust_anchor.py ¤ Writes DS and DNSKEY records to files that can be used to configure DNSSEC validators
| 20 What does an operator need to do? ¤ Be aware whether DNSSEC is enabled in your servers ¤ Be aware of how trust is evaluated in your operations ¤ Test/verify your set ups ¤ Inspect configuration files, are they (also) up to date? ¤ If DNSSEC validation is enabled or planned in your system ¤ Have a plan for participating in the KSK rollover ¤ Know the dates, know the symptoms, solutions
| 21 What tools are available for DNSSEC validation? ¤ ISC's BIND ¤ NLnet Lab's Unbound ¤ Microsoft Windows ¤ Nominum Vantio ¤ CZnic's Knot Resolver ¤ DNSMASQ ¤ Secure64 DNS Cache ¤ PowerDNS Recursor
| 22 What is special about BIND? ¤ Blog post from ISC https://www.isc.org/blogs/2017-root-key-rollover-what-does-it- mean-for-bind-users/ ¤ Unique to BIND ¤ Because of BIND's long DNSSEC history, some "named.conf" files may have to be updated despite tech-refresh of BIND versions ¤ Notably, the introduction of managed-keys in February 2010, (ISC's version 9.7) an update to trusted-keys ¤ I.e., Check pre-February 2010 configurations!
| 23 What about Microsoft Server? ¤ Extensive Documentation ¤ DNSSEC and Windows: Get Ready, 'Cause Here It Comes! (2010) https://channel9.msdn.com/Events/TechEd/NorthAmerica/2010/W SV333 ¤ DNSSEC in Windows Server 2012 (updated 2014) https://technet.microsoft.com/library/dn593694
| 24 What about other tools? ¤ Unbound https://schd.ws/hosted_files/icann572016/49/Jaap-Akkerhuis-Unbound- KSK-rollover.pdf ¤ PowerDNS https://doc.powerdns.com/md/recursor/dnssec/#trust-anchor-management ¤ Knot Resolver https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec ¤ DNSMASQ http://www.thekelleys.org.uk/dnsmasq/CHANGELOG (see v2.69 notes)
| 25 What are signs of a DNSSEC problem related to the rollover? ¤ Problems caused by IPv6 fragmentation-related issues ¤ DNSSEC validation fails for everything, resulting from an inability to get the Root Zone DNSKEY set with KSK-2017 ¤ Look for a large number of queries leaving a recursive server "retrying" the question ¤ Problems caused by using the wrong trust anchor ¤ DNSSEC validation fails for everything, resulting from an inability to build a chain of trust ¤ Look in logs for check failures, implementation specific
| 26 What are the steps to recovery? 1. Stop the tickets! It's OK to turn off DNSSEC validation while you fix (but do turn it back on!) 2. Debug. If the problem is the trust anchor, find out why it isn't correct ¤Did RFC 5011 fail? Did configuration tools fail to update the key? ¤If the problem is fragmentation related, make sure TCP is enabled and/or make other transport adjustments 3. Test the recovery. Make sure your fixes take hold
| 27 What educational/informational resources are available? ¤ ICANN organizes KSK rollover information here https://www.icann.org/resources/pages/ksk-rollover ¤ Link to that page can be found on ICANN's main web page under "Quicklinks" ¤ Contains links to what's been covered in this presentation, the get_trust_anchor.py script and information on ICANN's live testbeds
| 28 What ICANN's live test bed resources? ¤ ICANN is finalizing a test bed to allow operators to test whether configurations follow Automated Updates ¤ The goal is to use production settings with real-but-test DNS zones, running in real time ¤ A full test will need to run more than 30 days ¤ Information on the test bed will appear on the ICANN KSK rollover page https://www.icann.org/resources/pages/ksk-rollover ¤ Accelerated test bed has been available at https://www.toot-servers.net
| 29 Join the ksk-rollover@icann.org mailing list Archives: https://mm.icann.org/listinfo/ksk-rollover KSK-Roll Website: https://www.icann.org/kskroll Thank You and Questions How can you engage with ICANN? flickr.com/photos/icann linkedin.com/company/icann twitter.com/icann Follow #Keyroll facebook.com/icannorg weibo.com/ICANNorg youtube.com/user/icannnews slideshare.net/icannpresentations soundcloud.com/icann

Recommended

The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSK
APNIC
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover
APNIC
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSK
APNIC
 
LOCKSS Practical testing
LOCKSS Practical testingLOCKSS Practical testing
LOCKSS Practical testing
kaarefc
 
Nagios 3
Nagios 3Nagios 3
Nagios 3
zmoly
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
APNIC
 
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
APNIC
 
NGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEANGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEA
NGINX, Inc.
 

Recommended

The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSK
APNIC
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover
APNIC
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSK
APNIC
 
LOCKSS Practical testing
LOCKSS Practical testingLOCKSS Practical testing
LOCKSS Practical testing
kaarefc
 
Nagios 3
Nagios 3Nagios 3
Nagios 3
zmoly
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
APNIC
 
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
APNIC
 
NGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEANGINX ADC: Basics and Best Practices – EMEA
NGINX ADC: Basics and Best Practices – EMEA
NGINX, Inc.
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
Andrejs Vorobjovs
 
ModSecurity 3.0 and NGINX: Getting Started - EMEA
ModSecurity 3.0 and NGINX: Getting Started - EMEAModSecurity 3.0 and NGINX: Getting Started - EMEA
ModSecurity 3.0 and NGINX: Getting Started - EMEA
NGINX, Inc.
 
Delivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXDelivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINX
NGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
NGINX, Inc.
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
NGINX, Inc.
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
Jean-Baptiste Trystram
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEATLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
NGINX, Inc.
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
Deploy360 Programme (Internet Society)
 
Architecting for now & the future with NGINX London April 19
Architecting for now & the future with NGINX London April 19Architecting for now & the future with NGINX London April 19
Architecting for now & the future with NGINX London April 19
NGINX, Inc.
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
Jisc
 
What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0
What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0
What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0
NGINX, Inc.
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
Angel Borroy López
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
Bangladesh Network Operators Group
 
NGINX ADC: Basics and Best Practices
NGINX ADC: Basics and Best PracticesNGINX ADC: Basics and Best Practices
NGINX ADC: Basics and Best Practices
NGINX, Inc.
 
MRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker PatternMRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker Pattern
NGINX, Inc.
 
OSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATSOSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATS
wallyqs
 
NGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEANGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEA
NGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
NGINX, Inc.
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
NGINX, Inc.
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
APNIC
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 

More Related Content

What's hot

Delivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXDelivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINX
NGINX, Inc.
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
NGINX, Inc.
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
NGINX, Inc.
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEATLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
NGINX, Inc.
 
What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0
What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0
What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0
NGINX, Inc.
 
NGINX ADC: Basics and Best Practices
NGINX ADC: Basics and Best PracticesNGINX ADC: Basics and Best Practices
NGINX ADC: Basics and Best Practices
NGINX, Inc.
 
MRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker PatternMRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker Pattern
NGINX, Inc.
 
OSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATSOSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATS
wallyqs
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
NGINX, Inc.
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
NGINX, Inc.
 

What's hot (20)

OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
 
ModSecurity 3.0 and NGINX: Getting Started - EMEA
ModSecurity 3.0 and NGINX: Getting Started - EMEAModSecurity 3.0 and NGINX: Getting Started - EMEA
ModSecurity 3.0 and NGINX: Getting Started - EMEA
 
Delivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXDelivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINX
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
 
NGINX: High Performance Load Balancing
NGINX: High Performance Load BalancingNGINX: High Performance Load Balancing
NGINX: High Performance Load Balancing
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEATLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
TLS 1.3 and Other New Features in NGINX Plus R17 and NGINX Open Source EMEA
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
 
Architecting for now & the future with NGINX London April 19
Architecting for now & the future with NGINX London April 19Architecting for now & the future with NGINX London April 19
Architecting for now & the future with NGINX London April 19
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
 
What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0
What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0
What’s New in NGINX Ingress Controller for Kubernetes Release 1.5.0
 
Alfresco Certificates
Alfresco Certificates Alfresco Certificates
Alfresco Certificates
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
NGINX ADC: Basics and Best Practices
NGINX ADC: Basics and Best PracticesNGINX ADC: Basics and Best Practices
NGINX ADC: Basics and Best Practices
 
MRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker PatternMRA AMA Part 7: The Circuit Breaker Pattern
MRA AMA Part 7: The Circuit Breaker Pattern
 
OSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATSOSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATS
 
NGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEANGINX Basics: Ask Me Anything – EMEA
NGINX Basics: Ask Me Anything – EMEA
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
 

Similar to 2017 DNSSEC KSK Rollover

8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PROIDEA
 
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Jim Czuprynski
 
Webinar slides: How to deploy and manage HAProxy, MaxScale or ProxySQL with C...
Webinar slides: How to deploy and manage HAProxy, MaxScale or ProxySQL with C...Webinar slides: How to deploy and manage HAProxy, MaxScale or ProxySQL with C...
Webinar slides: How to deploy and manage HAProxy, MaxScale or ProxySQL with C...
Severalnines
 
Net app ecmlp2495163
Net app ecmlp2495163Net app ecmlp2495163
Net app ecmlp2495163
forum4user
 

Similar to 2017 DNSSEC KSK Rollover (20)

NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
RIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollRIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK Roll
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
 
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
Vote Early, Vote Often: From Napkin to Canvassing Application in a Single Wee...
 
Provisioning Servers Made Easy
Provisioning Servers Made EasyProvisioning Servers Made Easy
Provisioning Servers Made Easy
 
Webinar slides: How to deploy and manage HAProxy, MaxScale or ProxySQL with C...
Webinar slides: How to deploy and manage HAProxy, MaxScale or ProxySQL with C...Webinar slides: How to deploy and manage HAProxy, MaxScale or ProxySQL with C...
Webinar slides: How to deploy and manage HAProxy, MaxScale or ProxySQL with C...
 
ICANN Presentation - iWeek2017
ICANN Presentation - iWeek2017ICANN Presentation - iWeek2017
ICANN Presentation - iWeek2017
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
Net app ecmlp2495163
Net app ecmlp2495163Net app ecmlp2495163
Net app ecmlp2495163
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
Oracle E-Business Suite On Oracle Cloud
Oracle E-Business Suite On Oracle CloudOracle E-Business Suite On Oracle Cloud
Oracle E-Business Suite On Oracle Cloud
 
All in one
All in oneAll in one
All in one
 
RP11_XaviertTorrentGorjon
RP11_XaviertTorrentGorjonRP11_XaviertTorrentGorjon
RP11_XaviertTorrentGorjon
 
Deploying The NSX Manager Virtual Appliance
Deploying The NSX Manager Virtual ApplianceDeploying The NSX Manager Virtual Appliance
Deploying The NSX Manager Virtual Appliance
 
OpenStack with OpenDaylight
OpenStack with OpenDaylightOpenStack with OpenDaylight
OpenStack with OpenDaylight
 
Challenges To Deploying New DNSSEC Cryptographic Algorithms
Challenges To Deploying New DNSSEC Cryptographic AlgorithmsChallenges To Deploying New DNSSEC Cryptographic Algorithms
Challenges To Deploying New DNSSEC Cryptographic Algorithms
 
Introduction to Stacki - World's fastest Linux server provisioning Tool
Introduction to Stacki - World's fastest Linux server provisioning ToolIntroduction to Stacki - World's fastest Linux server provisioning Tool
Introduction to Stacki - World's fastest Linux server provisioning Tool
 

More from APNIC

More from APNIC (20)

Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 

Recently uploaded

1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
aagad
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
TristanJasperRamos
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
abhinandnam9997
 

Recently uploaded (12)

1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
一比一原版UTS毕业证悉尼科技大学毕业证成绩单如何办理
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
The AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdfThe AI Powered Organization-Intro to AI-LAN.pdf
The AI Powered Organization-Intro to AI-LAN.pdf
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 

2017 DNSSEC KSK Rollover

  • 1. 2017 DNSSEC KSK Rollover Rick Lamb | February 2017
  • 2. | 2 To publicize the new Root Zone DNSSEC KSK Provide status, upcoming events, and contact information Provide helpful resources on the KSK roll 1 2 3 What is the purpose of this talk?
  • 3. | 3 What is the Root Zone DNSSEC KSK? DATA ¤ The Root Zone DNSSEC Key Signing Key “KSK” is the top most cryptographic key in the DNSSEC hierarchy ¤ Public portion of the KSK is configuration parameter in DNS validating revolvers KSK
  • 4. | 4 What does it mean to rollover the Root Zone DNSSEC KSK? ¤ There has been one functional, operational Root Zone DNSSEC KSK ¤ Called "KSK-2010" ¤ Since 2010, nothing before that ¤ A new KSK will be put into production later this year ¤ Call it "KSK-2017" ¤ An orderly succession for continued smooth operations ¤ Operators of DNSSEC recursive servers may have some work ¤ As little as review configurations ¤ As much as install KSK-2017
  • 5. | 5 What are the rollover’s milestones? Event Date Creation of KSK-2017 October 27, 2016 Production Qualified February 2, 2017 Out-of-DNS-band Publication Now, onwards In-band (Automated Updates) Publication July 11, 2017 onwards Sign (Production Use) October 11, 2017 onwards Revoke KSK-2010 January 11, 2018 Remove KSK-2010 from systems Dates TBD, 2018
  • 6. | 6 How can the new key be recognized? . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D084 58E880409BBC683457104237C7F8EC8D "Root" ¤ The KSK-2017’s Key Tag is 20326 ¤ The Delegation Signer (DS) resource record for KSK-2017 is Note: liberties taken with formatting for presentation purposes
  • 7. | 7 What does the new DNSKEY Resource Record look like? . IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= "Root" ¤ For KSK-2017, the DNSKEY resource record is Note: liberties taken with formatting for presentation purposes
  • 8. | 8
  • 9. | 9 Why are there DS and DNSKEY forms of KSK-2017? ¤ Tools that you will use to manage DNSSEC trust anchor configurations work on either the DS form, the DNSKEY form or both ¤ Per tool, historical reasons ¤ The DS record contains a hash of KSK-2017 ¤ The DNSKEY record contains the public key of KSK-2017 ¤ Consult your tool’s documentation to know which is appropriate
  • 10. | 10 What is the state of the system? ¤ Sunny, as in “sunny day scenario” ¤ We are changing the KSK under good conditions ¤ Leverage trust in KSK-2010 to distribute KSK-2017 ¤ Recommended course of action – rely on RFC 5011’s Automated Updates of DNSSEC Trust Anchors protocol ¤ Why mention this? ¤ Alternative to Automated Updates is bootstrapping (or establishing an initial state of trust in) a trust anchor ¤ That would be necessary in stormy (emergency) conditions
  • 11. | 11 What is Automated Updates of DNSSEC Trust Anchors? ¤ Automated Updates of DNSSEC Trust Anchors (RFC 5011) ¤ Use the current trust anchor(s) to learn new ¤ To allow for unattended DNSSEC validator operations ¤ Based on "time" – if a new one appears and no one complains for some specified time, it can be trusted ¤ Defined "add hold" time is 30 days
  • 12. | 12 How does this look on a calendar? KSK-2017 appears in DNS KSK-2017 should be trusted KSK-2017 starts signing
  • 13. | 13 What does it mean if you rely on Automated Updates? ¤ On 11 July 2017 ¤ KSK-2017's DNSKEY record will appear in the DNS root key set ¤ Tools following RFC 5011 will start counting days ¤ After 11 August 2017 (give or take a day) ¤ Your tool should see KSK-2017 in its trust anchor database ¤ If not, debugging is needed, you have a few weeks to fix ¤ (Don't panic if it it's not immediate, remember time zone, etc.) ¤ On 11 October 2017 ¤ KSK-2017 goes "live," validation ought to be confirmed
  • 14. | 14 What is favorable about Automatic Updates? ¤ Many DNSSEC validation tools have RFC 5011 support built-in ¤ The support needs to be configured properly, consult your administrator guide ¤ All in all, nothing an operator can't handle ¤ You can choose to "do it the hard way" ¤ You do have options ¤ We are providing the keys in different ways to help
  • 15. | 15 Is Automated Updates or a manual approach preferred? ¤ Mindful that the choice is a matter of local policy ¤ DNSSEC validation is for the benefit of the receiver ¤ Not all operational environments are the same, not all validating tools implement Automated Updates ¤ We are doing out or best to accommodate different approaches ¤ Automated Updates is likely the preferred approach ¤ Relies only on what has been trusted before ¤ It's the most reliable/stable approach, simplest basis for trust
  • 16. | 16 How can the new key be obtained and verified automatically? ¤ If you are DNSSEC validating with KSK-2010 ¤ You can simply follow Automated Updates of DNSSEC Trust Anchors by configuring your tool of choice to do so
  • 17. | 17 How can the new key be obtained and verified manually? ¤ Via the official IANA trust anchor XML file at https://data.iana.org/root-anchors/root-anchors.xml ¤ Contains the same information as a DS record for KSK-2017 ¤ Validate root-anchors.xml with the detached signature at https://data.iana.org/root-anchors/root-anchors.p7s ¤ Via DNS (i.e., ask a root server for “./IN/DNSKEY”) ¤ Validate the KSK-2017 by comparison with other trusted copies ¤ Via “Other means” ...
  • 18. | 18 What “other means” for a manual approach? ¤ Most software/OS distributions of DNSSEC ¤ Embed copies of the KSK (now KSK-2010, later KSK-2017) ¤ In contact with as many distributors as possible ¤ Compare with the key from these slides ¤ If you trust the presentation copy you've seen here ¤ Obtain a copy from another operator, or other trusted source ¤ How well do you trust "them"? ¤ Perhaps it will be on a trinket too ¤ Not promising one, but...
  • 19. | 19 What is get_trust_anchor.py? ¤ Tool that retrieves "https://data.iana.org/root-anchors/root- anchors.xml" and validates all active root KSK records https://github.com/kirei/get_trust_anchor ¤ Contains extensive in-code comments/documentation ¤ Download & run in python v2.7, v3 or newer $ python get_trust_anchor.py ¤ Writes DS and DNSKEY records to files that can be used to configure DNSSEC validators
  • 20. | 20 What does an operator need to do? ¤ Be aware whether DNSSEC is enabled in your servers ¤ Be aware of how trust is evaluated in your operations ¤ Test/verify your set ups ¤ Inspect configuration files, are they (also) up to date? ¤ If DNSSEC validation is enabled or planned in your system ¤ Have a plan for participating in the KSK rollover ¤ Know the dates, know the symptoms, solutions
  • 21. | 21 What tools are available for DNSSEC validation? ¤ ISC's BIND ¤ NLnet Lab's Unbound ¤ Microsoft Windows ¤ Nominum Vantio ¤ CZnic's Knot Resolver ¤ DNSMASQ ¤ Secure64 DNS Cache ¤ PowerDNS Recursor
  • 22. | 22 What is special about BIND? ¤ Blog post from ISC https://www.isc.org/blogs/2017-root-key-rollover-what-does-it- mean-for-bind-users/ ¤ Unique to BIND ¤ Because of BIND's long DNSSEC history, some "named.conf" files may have to be updated despite tech-refresh of BIND versions ¤ Notably, the introduction of managed-keys in February 2010, (ISC's version 9.7) an update to trusted-keys ¤ I.e., Check pre-February 2010 configurations!
  • 23. | 23 What about Microsoft Server? ¤ Extensive Documentation ¤ DNSSEC and Windows: Get Ready, 'Cause Here It Comes! (2010) https://channel9.msdn.com/Events/TechEd/NorthAmerica/2010/W SV333 ¤ DNSSEC in Windows Server 2012 (updated 2014) https://technet.microsoft.com/library/dn593694
  • 24. | 24 What about other tools? ¤ Unbound https://schd.ws/hosted_files/icann572016/49/Jaap-Akkerhuis-Unbound- KSK-rollover.pdf ¤ PowerDNS https://doc.powerdns.com/md/recursor/dnssec/#trust-anchor-management ¤ Knot Resolver https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec ¤ DNSMASQ http://www.thekelleys.org.uk/dnsmasq/CHANGELOG (see v2.69 notes)
  • 25. | 25 What are signs of a DNSSEC problem related to the rollover? ¤ Problems caused by IPv6 fragmentation-related issues ¤ DNSSEC validation fails for everything, resulting from an inability to get the Root Zone DNSKEY set with KSK-2017 ¤ Look for a large number of queries leaving a recursive server "retrying" the question ¤ Problems caused by using the wrong trust anchor ¤ DNSSEC validation fails for everything, resulting from an inability to build a chain of trust ¤ Look in logs for check failures, implementation specific
  • 26. | 26 What are the steps to recovery? 1. Stop the tickets! It's OK to turn off DNSSEC validation while you fix (but do turn it back on!) 2. Debug. If the problem is the trust anchor, find out why it isn't correct ¤Did RFC 5011 fail? Did configuration tools fail to update the key? ¤If the problem is fragmentation related, make sure TCP is enabled and/or make other transport adjustments 3. Test the recovery. Make sure your fixes take hold
  • 27. | 27 What educational/informational resources are available? ¤ ICANN organizes KSK rollover information here https://www.icann.org/resources/pages/ksk-rollover ¤ Link to that page can be found on ICANN's main web page under "Quicklinks" ¤ Contains links to what's been covered in this presentation, the get_trust_anchor.py script and information on ICANN's live testbeds
  • 28. | 28 What ICANN's live test bed resources? ¤ ICANN is finalizing a test bed to allow operators to test whether configurations follow Automated Updates ¤ The goal is to use production settings with real-but-test DNS zones, running in real time ¤ A full test will need to run more than 30 days ¤ Information on the test bed will appear on the ICANN KSK rollover page https://www.icann.org/resources/pages/ksk-rollover ¤ Accelerated test bed has been available at https://www.toot-servers.net
  • 29. | 29 Join the ksk-rollover@icann.org mailing list Archives: https://mm.icann.org/listinfo/ksk-rollover KSK-Roll Website: https://www.icann.org/kskroll Thank You and Questions How can you engage with ICANN? flickr.com/photos/icann linkedin.com/company/icann twitter.com/icann Follow #Keyroll facebook.com/icannorg weibo.com/ICANNorg youtube.com/user/icannnews slideshare.net/icannpresentations soundcloud.com/icann