SlideShare a Scribd company logo

The New Root Zone DNSSEC KSK

APNIC
APNIC

Presentation by Savenaca Vocea at APNIC 46 on Wednesday, 12 September 2018.

Internet
1 of 34
2017 DSSEC KSK Rollover Edward.Lewis@icann.org | FIRST TC | September 11, 2017 Current State of the Root Zone DNSSEC Keyroll Edward Lewis APNIC 46 12 September 2018
| 2 The Basics ¤ This talk is related to the Domain Name System, in particular, the security extensions made to it ¤ DNSSEC – DNS Security Extensions ¤ The addition of digital signatures to data, using a hierarchy of asymmetric cryptographic keys to achieve massive scale ¤ Signing – generate signatures ¤ Validation – checking signatures ¤ Two of the cryptographic roles defined for keys ¤ Key Signing Key – a key that signs a bundle of other keys ¤ Zone Signing Key – a key that is used to sign data
| 3 The Root Zone DNSSEC KSK DATA ¤ The Root Zone DNSSEC KSK is the top most cryptographic key in the DNSSEC validation hierarchy ¤ Public portion of the KSK is a configuration parameter in DNS validating revolvers KSK
| 4 Rollover of the Root Zone DNSSEC KSK ¤ There has been one functional, operational Root Zone DNSSEC KSK ¤ Called "KSK-2010" ¤ Since 2010, nothing before that ¤ A new KSK will be put into production later this year ¤ Call it "KSK-2017" ¤ An orderly succession for continued smooth operations ¤ Operators of DNSSEC recursive servers may have some work ¤ As little as review configurations ¤ As much as install KSK-2017
| 5 Rollover of the Root Zone DNSSEC KSK ¤ There has been one functional, operational Root Zone DNSSEC KSK ¤ Called "KSK-2010" ¤ Since 2010, nothing before that ¤ A new KSK will be put into production later this year ¤ Call it "KSK-2017" ¤ An orderly succession for continued smooth operations ¤ Operators of DNSSEC recursive servers may have some work ¤ As little as review configurations ¤ As much as install KSK-2017 Not a Typo A result of a "delay"
| 6 The Approach to the KSK Rollover ¤ The rollover process emerged from plans developed in 2015 ¤ Automated Updates of DNSSEC Trust Anchors ¤ RFC-Editor STD 74, also known as RFC 5011 ¤ Recommendations are for operators to rely on "RFC 5011" ¤ Some crucial milestones have already passed ¤ We are still adhering to it for the final phases ¤ In the future, we will likely rely on it again
| 7 Important Milestones Event Date Creation of KSK-2017 October 27, 2016 Production Qualified February 2, 2017 Out-of-DNS-band Publication February 2, 2017, onwards Automated Updates Publication July 11, 2017, onwards Sign (Production Use) October 11, 2017, onwards Revoke KSK-2010 January 11, 2018 Remove KSK-2010 Dates TBD, 2018
| 8 Important Milestones - Updated Event Date Creation of KSK-2017 October 27, 2016 Production Qualified February 2, 2017 Out-of-DNS-band Publication February 2, 2017, onwards Automated Updates Publication July 11, 2017, onwards Sign (Production Use) October 11, 2018, tentative Revoke KSK-2010 TBD Remove KSK-2010 TBD
| 9 Why the Updated Milestones? ¤ When the rollover started there was no way to measure resolver configurations ¤ During the project, a new measure was invented, implemented and rolled out ¤ The new measure's results were at best confusing and concerning ¤ So the rollover was paused to have a look
| 10 The Measure ¤ A readiness measure invented in the IETF ¤ Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC), aka RFC 8145 ¤ Quickly turned into code ¤ Combined with a noticeable "tech refresh"
| 11 A Quick Look at Data
| 12 A Longer Look at The Data ¤ Verisign researcher, looking at two root servers ¤ Noticed that the number of DNSSEC Validators having only the KSK-2010 was uncomfortably high (7%) ¤ Results confirmed by separate ICANN research ¤ Feed of data from nearly all of the root servers ¤ Rates of "only KSK-2010" seemed to rise over time or as more reporters came on-line ¤ But data is not always informative!
| 13 The Early Analysis ¤ Brute force investigation ¤ Contact IP sources of the "alarm" ¤ Proved difficult ¤ When there were responses, no significant systemic reason ¤ Many dynamic addresses, raising questions about known use cases (running a DNS server on a dynamic address?) ¤ Is the data clean? ¤ Doubt about the measurement accuracy ¤ Look for some systematic cause ¤ No identifiable fault in popular DNS code
| 14 Decision to Pause the Rollover ¤ September 2017, paused due to uncertainty ¤ No fault in the project plan or execution ¤ (Which would have made this easier to fix) ¤ Found that the plan's "backout/fallback" plans worked, no work was needed to enter the pause state ¤ ICANN has engaged the community for ways forward ¤ Proposed an updated plan, asked for public comment ¤ Open to external research on the issue ¤ We don't have all the data, we can't/shouldn't in some cases
| 15 Progress in the Last Month
| 16 More Graphs ¤ http://root-trust-anchor-reports.research.icann.org/ ¤ Graphs for each reporting root server ¤ Also a list of addresses that reported the KSK-2010 only ¤ For inspecting, tracking down the operators and hopefully fixing
| 17 Recognizing KSK-2017 . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D084 58E880409BBC683457104237C7F8EC8D"Root" ¤ The KSK-2017’s Key Tag (defined protocol parameter) is 20326 ¤ The Delegation Signer (DS) Resource Record for KSK-2017 is Note: liberties taken with formatting for presentation purposes
| 18 KSK-2017 in a DNSKEY Resource Record . IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= "Root" ¤ The DNSKEY resource record is: Note: liberties taken with formatting for presentation purposes
| 19 Current "State of the System" ¤ Sunny, as in “sunny day scenario” (despite the pause) ¤ The KSK is changed under good conditions ¤ Slow and cautious approach ¤ Following the Automated Updates of DNSSEC Trust Anchors protocol (also known as "RFC 5011") ¤ Most appropriate point regarding "Automated Updates" ¤ Requires 30 days to adopt the new key, but the "required 30 days" has long since past
| 20 Rollover Process (Validator view) ¤ Assumes DNSSEC is operating/configured to run ¤ The KSK rollover following the Automated Updates process ¤ But the original add hold down time has expired ¤ (All) validators SHOULD ALREADY list the new KSK as trusted ¤ Whether automatically updated or manually added ¤ If KSK-2017 is not there now, manual updating is needed ¤ Questions: How can one tell? How does one fix?
| 21 How To See Whether a DNS Cache Validates? ¤ Send query for "dnssec-failed.org A" with DNSSEC "OK" ¤ If the response holds a return code of SERVFAIL, DNSSEC validation is enabled ¤ If the response holds an IPv4 address, DNSSEC validation is not enabled
| 22 Testing for DNSSEC $ dig @$server dnssec-failed.org a +dnssec ; <<>> DiG 9.8.3-P1 <<>> dnssec-failed.org a +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10492 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;dnssec-failed.org. IN A ;; Query time: 756 msec ;; SERVER: 10.47.11.34#53(10.47.11.34) ;; WHEN: Tue Sep 5 19:04:04 2017 ;; MSG SIZE rcvd: 46
| 23 Testing for DNSSEC $ dig @$server dnssec-failed.org a +dnssec ; <<>> DiG 9.8.3-P1 <<>> dnssec-failed.org a +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5832 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;dnssec-failed.org. IN A ;; ANSWER SECTION: dnssec-failed.org. 7200 IN A 69.252.80.75 ;; Query time: 76 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Tue Sep 5 18:58:57 2017 ;; MSG SIZE rcvd: 62
| 24 How To See Whether KSK-2017 is Trusted? ¤ Tool Dependent ¤https://www.icann.org/dns-resolvers-checking- current-trust-anchors
| 25 What Should Be Seen ¤ Two listed trust anchors for the root zone ¤ KSK-2017, key-id 20326 ¤ If you don't see this, the validator will fail beginning about October 11 ¤ KSK-2010, key-id 19036 ¤ If you don't see this, the validator is not working now! ¤ Eventually KSK-2010 will "go away" - but not just yet
| 26 E.g., BIND bind-9.9.5-testconfig $ rndc -c rndc.conf secroots bind-9.9.5-testconfig $ cat named.secroots 05-Sep-2017 09:24:06.361 Start view _default ./RSASHA256/20326 ; managed ./RSASHA256/19036 ; managed KSK-2010, aka 19036 KSK-2017, aka 20326
| 27 E.g., unbound unbound $ cat root.key ; autotrust trust anchor file ;;id: . 1 ;;last_queried: 1504239596 ;;Fri Sep 1 00:19:56 2017 ;;last_success: 1504239596 ;;Fri Sep 1 00:19:56 2017 ;;next_probe_time: 1504281134 ;;Fri Sep 1 11:52:14 2017 ;;query_failed: 0 ;;query_interval: 43200 ;;retry_time: 8640 . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5e mLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1 uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1502438004 ;;Fri Aug 11 03:53:24 2017 . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqB GCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoB Qzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1459820836 ;;Mon Apr 4 21:47:16 2016 KSK-2010, aka 19036 KSK-2017, aka 20326 Both are VALID
| 28 What if KSK-2017 is not trusted? ¤ Again, tool dependent ¤https://www.icann.org/dns-resolvers-updating-latest- trust-anchor
| 29 Symptoms of the Wrong Trust Anchor ¤ DNSSEC validation fails for everything, resulting from an inability to build a chain of trust ¤ All DNS responses will "SERVFAIL" ¤ Even if the target zone is not DNSSEC signed ¤ Look in logs for validation failures, implementation specific
| 30 Where to Get KSK-2017 Manually ¤ Via the official IANA trust anchor XML file at https://data.iana.org/root-anchors/root-anchors.xml ¤ Via DNS (i.e., ask a root server for “./IN/DNSKEY”) ¤ Most software/OS distributions of DNSSEC ¤ When tech refreshing code, double-check configurations ¤ Compare with the key from these slides ¤ Obtain a copy from another operator, or other trusted source ¤ How well do you trust "them"?
| 31 The Future ¤ Revocation of KSK-2010 in 2018 the future ¤ Automated Updates will be used ¤ There will be more KSK rollovers ¤ When, we don't know (yet) ¤ What to do – consider and configure Automated Updates capabilities ¤ Whether it fits operational architectures
| 32 Tools and Resources Provided by ICANN ¤ A python-language script to retrieve KSK-2010 and KSK-2017 https://github.com/iana-org/get-trust-anchor ¤ An Automated Updates testbed for production (test) servers ¤ https://automated-ksk-test.research.icann.org ¤ Documentation ¤ https://www.icann.org/resources/pages/ksk-rollover ¤ plus what was mentioned earlier
| 33 A Final Word ¤ To anyone operating a DNSSEC validating recursive server ¤ Prepare now! Do not wait any longer! Act now! ¤ Automated Updates will not have enough time (Sept 2018) ¤ Update code, configurations (how-to is tool dependent) ¤ The formal, final decision to resume the rollover hasn't been made ¤ But there is no operational risk in being prepared ¤ Concerns fade when there is no evidence of unprepared systems
| 34 Engage with ICANN Join the ksk-rollover@icann.org mailing list Archives: https://mm.icann.org/listinfo/ksk-rollover KSK-Roll Website: https://www.icann.org/kskroll Thank You and Questions xzzzzz z flickr.com/icann linkedin/company/icann @icann | Follow #KeyRoll facebook.com/icannorg youtube.com/icannnews soundcloud/icann slideshare/icannpresentations

Recommended

2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK RolloverAPNIC
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSKAPNIC
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK RolloverAPNIC
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the InternetRIPE NCC
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesAPNIC
 
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018APNIC
 
DNSSEC at Penn
DNSSEC at PennDNSSEC at Penn
DNSSEC at PennShumon Huque
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentationMelinda Shore
 

Recommended

2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK RolloverAPNIC
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSKAPNIC
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK RolloverAPNIC
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the InternetRIPE NCC
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesAPNIC
 
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018Internet Week 2018: APNIC Reverse DNS service outage report: May 2018
Internet Week 2018: APNIC Reverse DNS service outage report: May 2018APNIC
 
DNSSEC at Penn
DNSSEC at PennDNSSEC at Penn
DNSSEC at PennShumon Huque
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentationMelinda Shore
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasJean-Baptiste Trystram
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labDeploy360 Programme (Internet Society)
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Bangladesh Network Operators Group
 
Delivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXDelivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXNGINX, Inc.
 
341 Pdfsam
341 Pdfsam341 Pdfsam
341 PdfsamEmanuel Mateus
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusNGINX, Inc.
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS FirewallAPNIC
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS SecurityThousandEyes
 
Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24
Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24
Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24Mîrzac Iulian
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
KubeCon NA 2018 - NATS Deep Dive: The Evolution of NATS
KubeCon NA 2018 - NATS Deep Dive: The Evolution of NATSKubeCon NA 2018 - NATS Deep Dive: The Evolution of NATS
KubeCon NA 2018 - NATS Deep Dive: The Evolution of NATSwallyqs
 
Cyber-security
Cyber-securityCyber-security
Cyber-securityQasim Zaidi
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINXNGINX, Inc.
 
GoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATSGoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATSwallyqs
 
[Perforce] Tasks - The Holy Hand Grenade of Branching
[Perforce] Tasks - The Holy Hand Grenade of Branching[Perforce] Tasks - The Holy Hand Grenade of Branching
[Perforce] Tasks - The Holy Hand Grenade of BranchingPerforce
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersCommon Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersPriyanka Aash
 
OSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATSOSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATSwallyqs
 
What's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoWhat's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoNick Sullivan
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
RIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollRIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollAPNIC
 

More Related Content

What's hot

DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
Delivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXDelivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXNGINX, Inc.
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusNGINX, Inc.
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS FirewallAPNIC
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS SecurityThousandEyes
 
Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24
Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24
Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24Mîrzac Iulian
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
KubeCon NA 2018 - NATS Deep Dive: The Evolution of NATS
KubeCon NA 2018 - NATS Deep Dive: The Evolution of NATSKubeCon NA 2018 - NATS Deep Dive: The Evolution of NATS
KubeCon NA 2018 - NATS Deep Dive: The Evolution of NATSwallyqs
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINXNGINX, Inc.
 
GoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATSGoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATSwallyqs
 
[Perforce] Tasks - The Holy Hand Grenade of Branching
[Perforce] Tasks - The Holy Hand Grenade of Branching[Perforce] Tasks - The Holy Hand Grenade of Branching
[Perforce] Tasks - The Holy Hand Grenade of BranchingPerforce
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersCommon Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersPriyanka Aash
 
OSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATSOSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATSwallyqs
 
What's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoWhat's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoNick Sullivan
 

What's hot (20)

DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
 
Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140) Network Security Best Practice (BCP38 & 140)
Network Security Best Practice (BCP38 & 140)
 
Delivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINXDelivering High Performance Websites with NGINX
Delivering High Performance Websites with NGINX
 
341 Pdfsam
341 Pdfsam341 Pdfsam
341 Pdfsam
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Rate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX PlusRate Limiting with NGINX and NGINX Plus
Rate Limiting with NGINX and NGINX Plus
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS Firewall
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS Security
 
Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24
Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24
Uptime Magazine Online IT&C de Black Friday 2013.11.18 - 2013.11.24
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020
 
KubeCon NA 2018 - NATS Deep Dive: The Evolution of NATS
KubeCon NA 2018 - NATS Deep Dive: The Evolution of NATSKubeCon NA 2018 - NATS Deep Dive: The Evolution of NATS
KubeCon NA 2018 - NATS Deep Dive: The Evolution of NATS
 
Cyber-security
Cyber-securityCyber-security
Cyber-security
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
 
GoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATSGoSF: Decoupling Services from IP networks with NATS
GoSF: Decoupling Services from IP networks with NATS
 
[Perforce] Tasks - The Holy Hand Grenade of Branching
[Perforce] Tasks - The Holy Hand Grenade of Branching[Perforce] Tasks - The Holy Hand Grenade of Branching
[Perforce] Tasks - The Holy Hand Grenade of Branching
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersCommon Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
 
OSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATSOSCON: Building Cloud Native Apps with NATS
OSCON: Building Cloud Native Apps with NATS
 
What's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham GoWhat's New in Go Crypto - Gotham Go
What's New in Go Crypto - Gotham Go
 

Similar to The New Root Zone DNSSEC KSK

RIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollRIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollAPNIC
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK RollAPNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practicekuchinskaya
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slideskj teoh
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsAPNIC
 
Automating Your Clone in E-Business Suite R12.2
Automating Your Clone in E-Business Suite R12.2Automating Your Clone in E-Business Suite R12.2
Automating Your Clone in E-Business Suite R12.2Michael Brown
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
How Cloudflare analyzes -1m dns queries per second @ Percona E17
How Cloudflare analyzes -1m dns queries per second @ Percona E17How Cloudflare analyzes -1m dns queries per second @ Percona E17
How Cloudflare analyzes -1m dns queries per second @ Percona E17Tom Arnfeld
 

Similar to The New Root Zone DNSSEC KSK (20)

8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
RIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK RollRIPE 78: A review of the KSK Roll
RIPE 78: A review of the KSK Roll
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing Key
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
 
RP11_XaviertTorrentGorjon
RP11_XaviertTorrentGorjonRP11_XaviertTorrentGorjon
RP11_XaviertTorrentGorjon
 
ION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSECION Hangzhou - How to Deploy DNSSEC
ION Hangzhou - How to Deploy DNSSEC
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slides
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
Automating Your Clone in E-Business Suite R12.2
Automating Your Clone in E-Business Suite R12.2Automating Your Clone in E-Business Suite R12.2
Automating Your Clone in E-Business Suite R12.2
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
How Cloudflare analyzes -1m dns queries per second @ Percona E17
How Cloudflare analyzes -1m dns queries per second @ Percona E17How Cloudflare analyzes -1m dns queries per second @ Percona E17
How Cloudflare analyzes -1m dns queries per second @ Percona E17
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 

More from APNIC

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 

More from APNIC (20)

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 

Recently uploaded

Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 

Recently uploaded (20)

Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 

The New Root Zone DNSSEC KSK

  • 1. 2017 DSSEC KSK Rollover Edward.Lewis@icann.org | FIRST TC | September 11, 2017 Current State of the Root Zone DNSSEC Keyroll Edward Lewis APNIC 46 12 September 2018
  • 2. | 2 The Basics ¤ This talk is related to the Domain Name System, in particular, the security extensions made to it ¤ DNSSEC – DNS Security Extensions ¤ The addition of digital signatures to data, using a hierarchy of asymmetric cryptographic keys to achieve massive scale ¤ Signing – generate signatures ¤ Validation – checking signatures ¤ Two of the cryptographic roles defined for keys ¤ Key Signing Key – a key that signs a bundle of other keys ¤ Zone Signing Key – a key that is used to sign data
  • 3. | 3 The Root Zone DNSSEC KSK DATA ¤ The Root Zone DNSSEC KSK is the top most cryptographic key in the DNSSEC validation hierarchy ¤ Public portion of the KSK is a configuration parameter in DNS validating revolvers KSK
  • 4. | 4 Rollover of the Root Zone DNSSEC KSK ¤ There has been one functional, operational Root Zone DNSSEC KSK ¤ Called "KSK-2010" ¤ Since 2010, nothing before that ¤ A new KSK will be put into production later this year ¤ Call it "KSK-2017" ¤ An orderly succession for continued smooth operations ¤ Operators of DNSSEC recursive servers may have some work ¤ As little as review configurations ¤ As much as install KSK-2017
  • 5. | 5 Rollover of the Root Zone DNSSEC KSK ¤ There has been one functional, operational Root Zone DNSSEC KSK ¤ Called "KSK-2010" ¤ Since 2010, nothing before that ¤ A new KSK will be put into production later this year ¤ Call it "KSK-2017" ¤ An orderly succession for continued smooth operations ¤ Operators of DNSSEC recursive servers may have some work ¤ As little as review configurations ¤ As much as install KSK-2017 Not a Typo A result of a "delay"
  • 6. | 6 The Approach to the KSK Rollover ¤ The rollover process emerged from plans developed in 2015 ¤ Automated Updates of DNSSEC Trust Anchors ¤ RFC-Editor STD 74, also known as RFC 5011 ¤ Recommendations are for operators to rely on "RFC 5011" ¤ Some crucial milestones have already passed ¤ We are still adhering to it for the final phases ¤ In the future, we will likely rely on it again
  • 7. | 7 Important Milestones Event Date Creation of KSK-2017 October 27, 2016 Production Qualified February 2, 2017 Out-of-DNS-band Publication February 2, 2017, onwards Automated Updates Publication July 11, 2017, onwards Sign (Production Use) October 11, 2017, onwards Revoke KSK-2010 January 11, 2018 Remove KSK-2010 Dates TBD, 2018
  • 8. | 8 Important Milestones - Updated Event Date Creation of KSK-2017 October 27, 2016 Production Qualified February 2, 2017 Out-of-DNS-band Publication February 2, 2017, onwards Automated Updates Publication July 11, 2017, onwards Sign (Production Use) October 11, 2018, tentative Revoke KSK-2010 TBD Remove KSK-2010 TBD
  • 9. | 9 Why the Updated Milestones? ¤ When the rollover started there was no way to measure resolver configurations ¤ During the project, a new measure was invented, implemented and rolled out ¤ The new measure's results were at best confusing and concerning ¤ So the rollover was paused to have a look
  • 10. | 10 The Measure ¤ A readiness measure invented in the IETF ¤ Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC), aka RFC 8145 ¤ Quickly turned into code ¤ Combined with a noticeable "tech refresh"
  • 11. | 11 A Quick Look at Data
  • 12. | 12 A Longer Look at The Data ¤ Verisign researcher, looking at two root servers ¤ Noticed that the number of DNSSEC Validators having only the KSK-2010 was uncomfortably high (7%) ¤ Results confirmed by separate ICANN research ¤ Feed of data from nearly all of the root servers ¤ Rates of "only KSK-2010" seemed to rise over time or as more reporters came on-line ¤ But data is not always informative!
  • 13. | 13 The Early Analysis ¤ Brute force investigation ¤ Contact IP sources of the "alarm" ¤ Proved difficult ¤ When there were responses, no significant systemic reason ¤ Many dynamic addresses, raising questions about known use cases (running a DNS server on a dynamic address?) ¤ Is the data clean? ¤ Doubt about the measurement accuracy ¤ Look for some systematic cause ¤ No identifiable fault in popular DNS code
  • 14. | 14 Decision to Pause the Rollover ¤ September 2017, paused due to uncertainty ¤ No fault in the project plan or execution ¤ (Which would have made this easier to fix) ¤ Found that the plan's "backout/fallback" plans worked, no work was needed to enter the pause state ¤ ICANN has engaged the community for ways forward ¤ Proposed an updated plan, asked for public comment ¤ Open to external research on the issue ¤ We don't have all the data, we can't/shouldn't in some cases
  • 15. | 15 Progress in the Last Month
  • 16. | 16 More Graphs ¤ http://root-trust-anchor-reports.research.icann.org/ ¤ Graphs for each reporting root server ¤ Also a list of addresses that reported the KSK-2010 only ¤ For inspecting, tracking down the operators and hopefully fixing
  • 17. | 17 Recognizing KSK-2017 . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D084 58E880409BBC683457104237C7F8EC8D"Root" ¤ The KSK-2017’s Key Tag (defined protocol parameter) is 20326 ¤ The Delegation Signer (DS) Resource Record for KSK-2017 is Note: liberties taken with formatting for presentation purposes
  • 18. | 18 KSK-2017 in a DNSKEY Resource Record . IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= "Root" ¤ The DNSKEY resource record is: Note: liberties taken with formatting for presentation purposes
  • 19. | 19 Current "State of the System" ¤ Sunny, as in “sunny day scenario” (despite the pause) ¤ The KSK is changed under good conditions ¤ Slow and cautious approach ¤ Following the Automated Updates of DNSSEC Trust Anchors protocol (also known as "RFC 5011") ¤ Most appropriate point regarding "Automated Updates" ¤ Requires 30 days to adopt the new key, but the "required 30 days" has long since past
  • 20. | 20 Rollover Process (Validator view) ¤ Assumes DNSSEC is operating/configured to run ¤ The KSK rollover following the Automated Updates process ¤ But the original add hold down time has expired ¤ (All) validators SHOULD ALREADY list the new KSK as trusted ¤ Whether automatically updated or manually added ¤ If KSK-2017 is not there now, manual updating is needed ¤ Questions: How can one tell? How does one fix?
  • 21. | 21 How To See Whether a DNS Cache Validates? ¤ Send query for "dnssec-failed.org A" with DNSSEC "OK" ¤ If the response holds a return code of SERVFAIL, DNSSEC validation is enabled ¤ If the response holds an IPv4 address, DNSSEC validation is not enabled
  • 22. | 22 Testing for DNSSEC $ dig @$server dnssec-failed.org a +dnssec ; <<>> DiG 9.8.3-P1 <<>> dnssec-failed.org a +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10492 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;dnssec-failed.org. IN A ;; Query time: 756 msec ;; SERVER: 10.47.11.34#53(10.47.11.34) ;; WHEN: Tue Sep 5 19:04:04 2017 ;; MSG SIZE rcvd: 46
  • 23. | 23 Testing for DNSSEC $ dig @$server dnssec-failed.org a +dnssec ; <<>> DiG 9.8.3-P1 <<>> dnssec-failed.org a +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5832 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;dnssec-failed.org. IN A ;; ANSWER SECTION: dnssec-failed.org. 7200 IN A 69.252.80.75 ;; Query time: 76 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Tue Sep 5 18:58:57 2017 ;; MSG SIZE rcvd: 62
  • 24. | 24 How To See Whether KSK-2017 is Trusted? ¤ Tool Dependent ¤https://www.icann.org/dns-resolvers-checking- current-trust-anchors
  • 25. | 25 What Should Be Seen ¤ Two listed trust anchors for the root zone ¤ KSK-2017, key-id 20326 ¤ If you don't see this, the validator will fail beginning about October 11 ¤ KSK-2010, key-id 19036 ¤ If you don't see this, the validator is not working now! ¤ Eventually KSK-2010 will "go away" - but not just yet
  • 26. | 26 E.g., BIND bind-9.9.5-testconfig $ rndc -c rndc.conf secroots bind-9.9.5-testconfig $ cat named.secroots 05-Sep-2017 09:24:06.361 Start view _default ./RSASHA256/20326 ; managed ./RSASHA256/19036 ; managed KSK-2010, aka 19036 KSK-2017, aka 20326
  • 27. | 27 E.g., unbound unbound $ cat root.key ; autotrust trust anchor file ;;id: . 1 ;;last_queried: 1504239596 ;;Fri Sep 1 00:19:56 2017 ;;last_success: 1504239596 ;;Fri Sep 1 00:19:56 2017 ;;next_probe_time: 1504281134 ;;Fri Sep 1 11:52:14 2017 ;;query_failed: 0 ;;query_interval: 43200 ;;retry_time: 8640 . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5e mLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1 uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1502438004 ;;Fri Aug 11 03:53:24 2017 . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqB GCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoB Qzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1459820836 ;;Mon Apr 4 21:47:16 2016 KSK-2010, aka 19036 KSK-2017, aka 20326 Both are VALID
  • 28. | 28 What if KSK-2017 is not trusted? ¤ Again, tool dependent ¤https://www.icann.org/dns-resolvers-updating-latest- trust-anchor
  • 29. | 29 Symptoms of the Wrong Trust Anchor ¤ DNSSEC validation fails for everything, resulting from an inability to build a chain of trust ¤ All DNS responses will "SERVFAIL" ¤ Even if the target zone is not DNSSEC signed ¤ Look in logs for validation failures, implementation specific
  • 30. | 30 Where to Get KSK-2017 Manually ¤ Via the official IANA trust anchor XML file at https://data.iana.org/root-anchors/root-anchors.xml ¤ Via DNS (i.e., ask a root server for “./IN/DNSKEY”) ¤ Most software/OS distributions of DNSSEC ¤ When tech refreshing code, double-check configurations ¤ Compare with the key from these slides ¤ Obtain a copy from another operator, or other trusted source ¤ How well do you trust "them"?
  • 31. | 31 The Future ¤ Revocation of KSK-2010 in 2018 the future ¤ Automated Updates will be used ¤ There will be more KSK rollovers ¤ When, we don't know (yet) ¤ What to do – consider and configure Automated Updates capabilities ¤ Whether it fits operational architectures
  • 32. | 32 Tools and Resources Provided by ICANN ¤ A python-language script to retrieve KSK-2010 and KSK-2017 https://github.com/iana-org/get-trust-anchor ¤ An Automated Updates testbed for production (test) servers ¤ https://automated-ksk-test.research.icann.org ¤ Documentation ¤ https://www.icann.org/resources/pages/ksk-rollover ¤ plus what was mentioned earlier
  • 33. | 33 A Final Word ¤ To anyone operating a DNSSEC validating recursive server ¤ Prepare now! Do not wait any longer! Act now! ¤ Automated Updates will not have enough time (Sept 2018) ¤ Update code, configurations (how-to is tool dependent) ¤ The formal, final decision to resume the rollover hasn't been made ¤ But there is no operational risk in being prepared ¤ Concerns fade when there is no evidence of unprepared systems
  • 34. | 34 Engage with ICANN Join the ksk-rollover@icann.org mailing list Archives: https://mm.icann.org/listinfo/ksk-rollover KSK-Roll Website: https://www.icann.org/kskroll Thank You and Questions xzzzzz z flickr.com/icann linkedin/company/icann @icann | Follow #KeyRoll facebook.com/icannorg youtube.com/icannnews soundcloud/icann slideshare/icannpresentations