4. 1.1. DNSSEC
• DNS Security Extensions
• A system to verify the authenticity of DNS “Data”
• Detecting cache poisoning, MITM…
• Data origin authentication and data integrity
• Authenticating name and type non-existence
5. 1.2. Progress
• 1378 TLDs in the root zone in total
• 1223 TLDs are signed
• 1213 TLDs have trust anchors published as DS records in the root zone
• 5 TLDs have trust anchors published in the ISC DLV Repository
6. 1.3. Timeline
• Experimental: internal experimentation
• Announced: public commitment to deploy
• Partial: zone is signed but not in operation
• DS in Root: zone is signed and its DS has been published
• Operational: accepting signed delegations and DS in root
7. 1.3. Timeline
• 2010-12 ~ 2013-03: Experimental
• 2013-04: Announced
• 2013-08: Partial
• 2013-09: DS in Root
• 2013-12: Operational
Experimental: software development; risk analysis
Announced: hardware & software deployment; training and drills
Partial: signed & roller; observation & verification
DS in Root: generation & submission; observation & verification
Operational: development and upgrades; debugging
9. 2.1. Test-bed
1. Simulate the real environment
2. DNS system
3. EPP
4. Sign zone
5. Key rotation
6. Emergency response
7. …
[Test-bed diagram: USER, REGISTRAR and RT behind firewalls (FW); a load balancer (LB) and switches (SW) in front of the HSM, the DB server and the DNS servers]
11. 2.3. Documents & Training
Documents:
1. Deployment scheme
   a) Make technical details clear
   b) Assign every task to people
   c) Promote the work by time
2. Emergency plan
3. DPS
4. …
Training:
1. Basic knowledge about DNSSEC
2. Operational skills
3. Emergency response
4. …
13. 3.1. Keys
• Key type, algorithm and length
  Key Type   Function           Algorithm    Length   NSEC/NSEC3
  ZSK        Sign RRSET         RSA-SHA256   1024     NSEC3
  KSK        Sign DNSKEY RRSET  RSA-SHA256   2048     NSEC3
• Key rollover cycle and RRSIG period
  Key Type   Period     Roll       Overlap   RRSIG Period
  ZSK        100 day    90 day     10 day    30 day
  KSK        13 month   12 month   30 day    30 day
• Different types of zones use different key pairs
15. 3.3. Switching Scheme
1. Several sites using anycast
2. On-line switching
3. Immediate verification
   a) Part of the servers receive the DNSSEC zone data
   b) Verify the data
   c) Bring those servers online
   d) Take the no-DNSSEC servers off-line
   e) Repeat
16. 3.4. Emergency Response Strategy
1. An emergency response strategy for every step;
2. Anycast ensures the availability of the service;
3. If the DNSSEC service in the main operation center is down, the secondary operation center can take over the service shortly;
4. If the DNSSEC service at a site is down, the DNS service (without DNSSEC) can take over the service within 10 minutes;
5. Comprehensive checking mechanism.
17. 3.5. Submit DS in Root
1. Email
2. Online system
3. Check, check, check…
4. Validation
20. 4.1. Zone Signing
• Zone signing is recommended to be executed in the HSM; the basic procedure is as follows:
a) The hidden primary master obtains the RRs from the registration database and generates the original zone file;
b) The hidden primary master sends the original zone file to the HSM;
c) The HSM reads the right keys;
d) The HSM signs the zone using the keys;
e) The HSM sends the signed zone back to the hidden primary master;
f) The signed zone is loaded onto the hidden primary master, which then updates the secondary master servers.
21. 4.2. Key Rollover
ZSK
• To prevent the keys from being cracked or leaked out, ZSK should be replaced and rotated on a regular basis;
• The ZSK roll-over policy is to adopt a pre-publish mechanism (RFC4641);
• The validity period of each ZSK generated is 100 days and the roll-over cycle is 90 days.
KSK
• To prevent the keys from being cracked or leaked out, ZSK should be replaced and rotated on a regular basis;
• The ZSK roll-over policy is to adopt a pre-publish mechanism (RFC4641);
• The validity period of each ZSK generated is 100 days and the roll-over cycle is 90 days.
22. 4.2. Key Rollover
• Steps (KSK)
  • Generate the new KSK; re-sign the zone with the ZSK, KSK_old and KSK_new
  • Submit the new DS to the root & delete the old DS
  • Revoke KSK_old
  • Delete KSK_old
[KSK rollover timeline: phase 1, KSK_new active alongside KSK_old; phase 2, KSK_old revoked; phase 3, KSK_old deleted; later KSK_new_2 becomes active beside KSK_new. Durations shown: 300 days, 35 days, 30 days]
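The "check, check, check" of slide 17 and the KSK steps of slide 22, as an added example (not CNNIC's own code): it computes the DS that would be submitted to the root for a DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest type 2) and walks the rollover states to confirm that at every step some DS in the root matches a KSK published in the zone. The owner name "cn." is taken from the slides; the key bytes are constructed placeholders, not real RSA keys.

```python
import hashlib
import struct

def dnskey_rdata(flags, algorithm, pubkey):
    # DNSKEY RDATA wire format: flags (16 bits), protocol (always 3), algorithm, public key
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    # Key tag as in RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    # RFC 4034 5.1.4: digest over the owner name in wire format followed by the DNSKEY RDATA
    labels = owner.rstrip(".").split(".")
    wire = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest().upper()

def ds_record(owner, rdata):
    # The (key tag, digest) pair that is submitted to the root and must be re-checked before submission
    return (key_tag(rdata), ds_digest(owner, rdata))

def chain_intact(owner, root_ds, dnskeys):
    # The chain of trust holds while some DS in the root matches a key in the zone's DNSKEY RRset.
    # Setting the REVOKE flag changes the RDATA, so a revoked key no longer matches its old DS.
    return any(ds_record(owner, key) in root_ds for key in dnskeys)

def ksk_rollover(owner, ksk_old, ksk_new):
    # The rollover steps on the slide as (step, KSKs in the DNSKEY RRset, DS set in the root).
    # ZSKs are left out of the DNSKEY set because they never have a DS in the parent.
    REVOKE = 0x0080
    flags_old = struct.unpack("!H", ksk_old[:2])[0]
    ksk_old_revoked = struct.pack("!H", flags_old | REVOKE) + ksk_old[2:]
    return [
        ("start",              [ksk_old],                  {ds_record(owner, ksk_old)}),
        ("KSK_new published",  [ksk_old, ksk_new],         {ds_record(owner, ksk_old)}),
        ("DS swapped in root", [ksk_old, ksk_new],         {ds_record(owner, ksk_new)}),
        ("KSK_old revoked",    [ksk_old_revoked, ksk_new], {ds_record(owner, ksk_new)}),
        ("KSK_old deleted",    [ksk_new],                  {ds_record(owner, ksk_new)}),
    ]

# Constructed sample keys (not real keys): flags 257 = zone key + SEP, algorithm 8 = RSA/SHA-256
KSK_OLD = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")
KSK_NEW = dnskey_rdata(257, 8, b"\x05\x06\x07\x08")

if __name__ == "__main__":
    for step, keys, root in ksk_rollover("cn.", KSK_OLD, KSK_NEW):
        print(f"{step:20} chain intact: {chain_intact('cn.', root, keys)}")
```

Swapping the DS in the root before KSK_new is published in the zone is the ordering the check is meant to catch: `chain_intact` then returns False.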
26. 5.1. Size
• Zone Size
  − Opt-out
  − Increased a little (7%)
• Packet Size
  − RRSIG
  − 2.5 times larger on average
[Chart: Zone size (Mb): No DNSSEC 700, DNSSEC 750]
[Chart: Packet size (Byte): No DNSSEC 170, DNSSEC 423]
• 73% DNSSEC queries in usual traffic
• After sub-domains and recursive nameservers implement DNSSEC, bandwidth costs will be much larger
27. 5.2. Challenge
DDoS Attack
• QPS increased to 2.4 times the usual
• Packet size increased to 700 Byte on average (1.65 times)
• Bandwidth reached 4 (2.4*1.65) times the usual
[Chart: Packet size (Byte): Usual 423, Attack 700]
Project Planning and Design Group
Responsible for the DNSSEC deployment of “.CN” and “.中国”
Hope we have a great time
Seminar
Now, let me introduce the OUTLINE of this seminar
First,
All pairs of keys (ZSK and KSK) in use are generated in the HSM in a secure way. The cryptographic module meets the standards of the Chinese authorities and the relevant international standards. Five key administrator accounts are generated during the HSM initialization process, and the HSM can be accessed only after more than half of them have passed identity authentication.
Generation of keys is performed by well-trained key administrators. At least three key administrators (in an emergency situation, appointing at least two system administrators and at least one system operator is allowed) are involved in the entire process of key generation, and designated auditing personnel are present to supervise and record the process.
a) The hidden primary master obtains resource records from the “.CN” registration database and generates the original zone file;
b) The hidden primary master securely sends the original zone file to the HSM;
c) The HSM reads the configuration files for zone signing and generates the keys needed, including KSK and ZSK;
d) The HSM executes zone signing using the ZSK and KSK;
e) When zone signing is completed, the HSM sends the signed files back to the hidden primary master;
f) The signed zone files are loaded onto the hidden primary master, which then updates the data on the secondary master servers.
This slide shows the real change which occurred in .cn.
DNSSEC brings us a bigger zone size and packet size.
Luckily we used opt-out to reduce the zone size increase at the beginning of the deployment in .cn; picture 1 shows that it only increased by 50 Megabits.
But because of the RRSIG on each record, the response packet size increased to 2.5 times that of no-DNSSEC!
In order to make further inferences, we analysed the real traffic in CN: there are already 68% DNSSEC queries in usual traffic! That is the reason the packet size increased so much more than before!
It can be deduced that after sub-domains and recursive nameservers have implemented DNSSEC, bandwidth costs will be much larger.
But why are there so many DNSSEC queries now? It requires us to do further research…
The last slide shows a small-size DDoS attack recently.
The QPS increased to 2.4 times the usual, and the packet size increased to 700 Byte on average (which is 1.65 times the usual), so the bandwidth reached 4 (2.4*1.65) times.
It shows that after sub-domains and recursive nameservers have implemented DNSSEC, DDoS attacks will pose a greater threat to .cn.
So there are 3 challenges that we must face:
How to push second-level domains under the TLD to enable DNSSEC?
How to push recursive resolvers to enable DNSSEC?
And how to face the pressure after 1) and 2)?
We have much more work to do…