SlideShare ist ein Scribd-Unternehmen logo

Rootsign menog6-overview

Mehmet Akcin
Mehmet Akcin
1 von 34
Downloaden Sie, um offline zu lesen
DNSSEC for the Root Zone MENOG 6 Riyadh , Saudi Arabia April 2010 Mehmet Akcin, ICANN Thursday, April 8, 2010
This design is the result of a cooperation between ICANN & VeriSign with support from the U.S. DoC NTIA Thursday, April 8, 2010
Roles and Responsibilities Thursday, April 8, 2010
ICANN IANA Functions Operator • Manages the Key Signing Key (KSK) • Accepts DS records from TLD operators • Verifies and processes request • Sends update requests to DoC for authorization and to VeriSign for implementation Thursday, April 8, 2010
DoC NTIA U.S. Department of Commerce National Telecommunications and Information Administration • Authorizes changes to the root zone ‣ DS records ‣ Key Signing Keys ‣ DNSSEC update requests follow the same process as other changes • Checks that ICANN has followed their agreed upon verification/processing policies and procedures Thursday, April 8, 2010
VeriSign Root Zone Maintainer • Manages the Zone Signing Key (ZSK) • Incorporates NTIA-authorized changes • Signs the root zone with the ZSK • Distributes the signed zone to the root server operators Thursday, April 8, 2010
DNS records sent from Verified data Authorized data Root Zone TLD operator to ICANN sent to DoC sent to VeriSign distributed to root servers ICANN VeriSign TLD Root RZM DoC Unsigned root Signer Signed root Servers Operator KSK published KSK ZSK ZSK sent from VeriSign to ICANN by ICANN Management Management Keyset is signed by KSK and sent back from ICANN to VeriSign Thursday, April 8, 2010
Deployment Thursday, April 8, 2010
Goals • Deploy a signed root zone ‣ Transparent processes ‣ Audited procedures ‣ DNSSEC deployment • validators, registries, registrars, name server operators • Communicate early and often! Thursday, April 8, 2010
Anticipated Issues Thursday, April 8, 2010
DO=1 • A significant proportion of DNS clients send queries with EDNS0 and DO=1 • Some (largely unquantified, but potentially significant) population of such clients are unable to receive large responses • Serving signed responses might break those clients Thursday, April 8, 2010
Rollback • If we sign the root, there will be some early validator deployment • There is the potential for some clients to break, perhaps badly enough that we need to un-sign the root (e.g., see previous slide) • Un-signing the root will break the DNS for validators Thursday, April 8, 2010
Staged Deployment Thursday, April 8, 2010
Deploy Incrementally • The goal is to leave the client population with some root servers not offering large responses until the impact of those large responses is better understood • Relies upon resolvers not always choosing a single server Thursday, April 8, 2010
DURZ • Deploy conservatively ‣ It is the root zone, after all • Prevent a community of validators from forming ‣ This allows us to unsign the root zone during the deployment phase (if we have) to without collateral damage Thursday, April 8, 2010
DURZ • “Deliberately Unvalidatable Root Zone” • Sign RRSets with keys that are not published in the zone (but with matching keytag…) • Publish keys in the zone which are not used, and which additionally contain advice for operators (see next slide) • Swap in actual signing keys (which enables validation) at the end of the deployment process Thursday, April 8, 2010
DURZ .       3600    IN     DNSKEY  257  3  5 (                        AwEAAa++++++++++++++++++++++++++++++                        ++THIS/KEY/AN/INVALID/KEY/AND/SHOULD                        /NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICA                        NN/DOT/ORG/FOR/MORE/INFORMATION+++++                        ++++++++++++++++++++++++++++++++++++                        ++++++++++++++++++++++++++++++++++++                        ++++++++++++++++++++++++++++++++++++                        ++++++++++++++++++++++++++++++++++++                        ++++++++++++++++++++++++++++++++++++                        ++++++++++++++++++++++/=                        ) ; Key ID = 6477 Thursday, April 8, 2010
Deploy Incrementally L Completed on 27 January A Completed on 10 February M, I Completed on 3 March D, K, E Completed March 22nd Being Completed this week. B, H, C, G, F “April 14th” J May 5th Thursday, April 8, 2010
Measurement • For those root servers that are instrumented, full packet captures and subsequent analysis around signing events • Ongoing dialogue with operator communities to assess real-world impact of changes Thursday, April 8, 2010
Testing • A prerequisite for this proposal is a captive test of the deployment ‣ Test widely-deployed resolvers, with validation enabled and disabled, against the DURZ ‣ Test with clients behind broken networks that drop large responses Thursday, April 8, 2010
Interaction with TLDs Thursday, April 8, 2010
DS Change Requests • Approach likely to be based on existing methods for TLD managers to request changes in root zone • Anticipate being able to accept DS requests 1-2 months before the validatable signed root zone is in production • Current topic of discussion within Root DNSSEC Design Team Thursday, April 8, 2010
Communication Thursday, April 8, 2010
Project Web Page • http://www.root-dnssec.org ‣ Status updates ‣ Documents ‣ Presentation Archive ‣ Small collection of links to relevant tools ‣ Contact information ‣ RSS Thursday, April 8, 2010
Communication with non-technical audiences • Will reach the non-technical and semi- technical audiences with press releases and other means. • PR departments with people who know how to do this will be engaged. Thursday, April 8, 2010
Communication with technical audiences • Reaching the technical audiences via mailing lists and other means ‣ IETF DNS lists (e.g. DNSOP) ‣ non-IETF DNS lists (e.g. DNS-OARC) ‣ General operator lists (e.g. MENOG) ‣ … Thursday, April 8, 2010
Draft Timeline • December 1, 2009 ‣ Root zone signed • Initially signed zone stays internal to ICANN and VeriSign ‣ ICANN and VeriSign begin KSR processing • ZSK and KSK rolls • January - July 2010 ‣ Incremental roll out of signed root • July 1, 2010 ‣ KSK rolled and trust anchor published ‣ Signed root fully deployed Thursday, April 8, 2010
Deployment Status 13 April 2010 Thursday, April 8, 2010
Documentation • Requirements document posted • High-Level Architecture, Policy and Practice Statements, Trust Anchor Publication, Deployment documents posted in draft form • Ceremony, KSK Facility Requirements, Testing documents expected to be posted soon http://www.root-dnssec.org Thursday, April 8, 2010
Testing • Data collection testing by Root Server Operators complete - have now done this for real • Several KSR/SKR exchanges complete • DURZ vs. Resolver testing complete Thursday, April 8, 2010
DURZ Roll-Out • L, A, M, I, D, K, and E root servers are running the DURZ • B C G F and H will complete the transition this week. • J will have DURZ on 5 May 2010 Thursday, April 8, 2010
Other zones ARPA is now signed Work on how to sign IN-ADDR.ARPA, IP6.ARPA is happening and reasonable progress is expected. Thursday, April 8, 2010
Thoughts? • Feedback is extremely welcome ‣ Email to rootsign@icann.org Thursday, April 8, 2010
Root DNSSEC Design Team Joe Abley Mehmet Akcin David Blacka David Conrad Richard Lamb Matt Larson Fredrik Ljunggren Dave Knight Tomofumi Okubo Jakob Schlyter Duane Wessels Thursday, April 8, 2010

Empfohlen

Mobility Solutions for Novell GroupWise
Mobility Solutions for Novell GroupWiseMobility Solutions for Novell GroupWise
Mobility Solutions for Novell GroupWiseNovell
 
Steven Tuminelli Resume 2
Steven Tuminelli Resume 2Steven Tuminelli Resume 2
Steven Tuminelli Resume 2stuminelli
 
File Access in Novell Open Enterprise Server 2 SP2
File Access in Novell Open Enterprise Server 2 SP2File Access in Novell Open Enterprise Server 2 SP2
File Access in Novell Open Enterprise Server 2 SP2Novell
 
Running without a ZFS system pool
Running without a ZFS system poolRunning without a ZFS system pool
Running without a ZFS system poolBill Pijewski
 
NSS File System Performance, Clustering and Auditing in Novell Open Enterpris...
NSS File System Performance, Clustering and Auditing in Novell Open Enterpris...NSS File System Performance, Clustering and Auditing in Novell Open Enterpris...
NSS File System Performance, Clustering and Auditing in Novell Open Enterpris...Novell
 
A Rhett Williams Resume
A Rhett Williams ResumeA Rhett Williams Resume
A Rhett Williams ResumeRhett Williams
 
Using Novell Sentinel Log Manager to Monitor Novell Applications
Using Novell Sentinel Log Manager to Monitor Novell ApplicationsUsing Novell Sentinel Log Manager to Monitor Novell Applications
Using Novell Sentinel Log Manager to Monitor Novell ApplicationsNovell
 
Terremark Backup Custom Storage Pre Press
Terremark Backup Custom Storage Pre PressTerremark Backup Custom Storage Pre Press
Terremark Backup Custom Storage Pre PressFrank Johnson
 

Empfohlen

Mobility Solutions for Novell GroupWise
Mobility Solutions for Novell GroupWiseMobility Solutions for Novell GroupWise
Mobility Solutions for Novell GroupWiseNovell
 
Steven Tuminelli Resume 2
Steven Tuminelli Resume 2Steven Tuminelli Resume 2
Steven Tuminelli Resume 2stuminelli
 
File Access in Novell Open Enterprise Server 2 SP2
File Access in Novell Open Enterprise Server 2 SP2File Access in Novell Open Enterprise Server 2 SP2
File Access in Novell Open Enterprise Server 2 SP2Novell
 
Running without a ZFS system pool
Running without a ZFS system poolRunning without a ZFS system pool
Running without a ZFS system poolBill Pijewski
 
NSS File System Performance, Clustering and Auditing in Novell Open Enterpris...
NSS File System Performance, Clustering and Auditing in Novell Open Enterpris...NSS File System Performance, Clustering and Auditing in Novell Open Enterpris...
NSS File System Performance, Clustering and Auditing in Novell Open Enterpris...Novell
 
A Rhett Williams Resume
A Rhett Williams ResumeA Rhett Williams Resume
A Rhett Williams ResumeRhett Williams
 
Using Novell Sentinel Log Manager to Monitor Novell Applications
Using Novell Sentinel Log Manager to Monitor Novell ApplicationsUsing Novell Sentinel Log Manager to Monitor Novell Applications
Using Novell Sentinel Log Manager to Monitor Novell ApplicationsNovell
 
Terremark Backup Custom Storage Pre Press
Terremark Backup Custom Storage Pre PressTerremark Backup Custom Storage Pre Press
Terremark Backup Custom Storage Pre PressFrank Johnson
 
Dnssec root-lacnog
Dnssec root-lacnogDnssec root-lacnog
Dnssec root-lacnogMehmet Akcin
 
MENOG6 Root Signing
MENOG6 Root SigningMENOG6 Root Signing
MENOG6 Root SigningMehmet Akcin
 
Signing the Root
Signing the RootSigning the Root
Signing the RootMehmet Akcin
 
PHP-Module in statischen Seiten - Architektur-Ansätze
PHP-Module in statischen Seiten - Architektur-AnsätzePHP-Module in statischen Seiten - Architektur-Ansätze
PHP-Module in statischen Seiten - Architektur-AnsätzeRalf Lütke
 
Aserl cfdp 2011 11_2
Aserl cfdp 2011 11_2Aserl cfdp 2011 11_2
Aserl cfdp 2011 11_2ccole-bennett
 
Institutions to close
Institutions to closeInstitutions to close
Institutions to closeArihantEducation
 
сэргээш
сэргээшсэргээш
сэргээшn.ochiko
 
Photo caption sbc3_rs_week2_ku_hu
Photo caption sbc3_rs_week2_ku_huPhoto caption sbc3_rs_week2_ku_hu
Photo caption sbc3_rs_week2_ku_husinghabizcourse
 
Hey Mason – Have you met Dixon?
Hey Mason – Have you met Dixon?Hey Mason – Have you met Dixon?
Hey Mason – Have you met Dixon?ron.blaisdell
 
DNSSEC Deployment at ROOT Zone
DNSSEC Deployment at ROOT ZoneDNSSEC Deployment at ROOT Zone
DNSSEC Deployment at ROOT ZoneMehmet Akcin
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerLuminary Labs
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Knowlaurenrprice
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedNeustar, Inc.
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)Internet Society
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)Deploy360 Programme (Internet Society)
 
Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnErol Dizdar
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-enguest3131f85
 
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSECION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSECDeploy360 Programme (Internet Society)
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyDeploy360 Programme (Internet Society)
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK RollAPNIC
 
The latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECThe latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECWhalebone, s.r.o.
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 

Weitere ähnliche Inhalte

Andere mochten auch

Dnssec root-lacnog
Dnssec root-lacnogDnssec root-lacnog
Dnssec root-lacnogMehmet Akcin
 
MENOG6 Root Signing
MENOG6 Root SigningMENOG6 Root Signing
MENOG6 Root SigningMehmet Akcin
 
PHP-Module in statischen Seiten - Architektur-Ansätze
PHP-Module in statischen Seiten - Architektur-AnsätzePHP-Module in statischen Seiten - Architektur-Ansätze
PHP-Module in statischen Seiten - Architektur-AnsätzeRalf Lütke
 
Aserl cfdp 2011 11_2
Aserl cfdp 2011 11_2Aserl cfdp 2011 11_2
Aserl cfdp 2011 11_2ccole-bennett
 
сэргээш
сэргээшсэргээш
сэргээшn.ochiko
 
Photo caption sbc3_rs_week2_ku_hu
Photo caption sbc3_rs_week2_ku_huPhoto caption sbc3_rs_week2_ku_hu
Photo caption sbc3_rs_week2_ku_husinghabizcourse
 
Hey Mason – Have you met Dixon?
Hey Mason – Have you met Dixon?Hey Mason – Have you met Dixon?
Hey Mason – Have you met Dixon?ron.blaisdell
 
DNSSEC Deployment at ROOT Zone
DNSSEC Deployment at ROOT ZoneDNSSEC Deployment at ROOT Zone
DNSSEC Deployment at ROOT ZoneMehmet Akcin
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerLuminary Labs
 

Andere mochten auch (11)

Dnssec root-lacnog
Dnssec root-lacnogDnssec root-lacnog
Dnssec root-lacnog
 
MENOG6 Root Signing
MENOG6 Root SigningMENOG6 Root Signing
MENOG6 Root Signing
 
Signing the Root
Signing the RootSigning the Root
Signing the Root
 
PHP-Module in statischen Seiten - Architektur-Ansätze
PHP-Module in statischen Seiten - Architektur-AnsätzePHP-Module in statischen Seiten - Architektur-Ansätze
PHP-Module in statischen Seiten - Architektur-Ansätze
 
Aserl cfdp 2011 11_2
Aserl cfdp 2011 11_2Aserl cfdp 2011 11_2
Aserl cfdp 2011 11_2
 
Institutions to close
Institutions to closeInstitutions to close
Institutions to close
 
сэргээш
сэргээшсэргээш
сэргээш
 
Photo caption sbc3_rs_week2_ku_hu
Photo caption sbc3_rs_week2_ku_huPhoto caption sbc3_rs_week2_ku_hu
Photo caption sbc3_rs_week2_ku_hu
 
Hey Mason – Have you met Dixon?
Hey Mason – Have you met Dixon?Hey Mason – Have you met Dixon?
Hey Mason – Have you met Dixon?
 
DNSSEC Deployment at ROOT Zone
DNSSEC Deployment at ROOT ZoneDNSSEC Deployment at ROOT Zone
DNSSEC Deployment at ROOT Zone
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI Explainer
 

Ähnlich wie Rootsign menog6-overview

DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Knowlaurenrprice
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedNeustar, Inc.
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)Internet Society
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)Deploy360 Programme (Internet Society)
 
Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnErol Dizdar
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-enguest3131f85
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK RollAPNIC
 
The latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECThe latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECWhalebone, s.r.o.
 
Lessons Learned: Novell Open Enterprise Server Upgrades Made Easy
Lessons Learned: Novell Open Enterprise Server Upgrades Made EasyLessons Learned: Novell Open Enterprise Server Upgrades Made Easy
Lessons Learned: Novell Open Enterprise Server Upgrades Made EasyNovell
 
Advanced DNS/DHCP for Novell eDirectory Environments
Advanced DNS/DHCP for Novell eDirectory EnvironmentsAdvanced DNS/DHCP for Novell eDirectory Environments
Advanced DNS/DHCP for Novell eDirectory EnvironmentsNovell
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
Whalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptxWhalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptxAns Sembiring
 
F5's Dynamic DNS Services
F5's Dynamic DNS ServicesF5's Dynamic DNS Services
F5's Dynamic DNS ServicesF5 Networks
 
Shared Oracle Hosting (Linux)
Shared Oracle Hosting (Linux)Shared Oracle Hosting (Linux)
Shared Oracle Hosting (Linux)webhostingguy
 
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]APNIC
 

Ähnlich wie Rootsign menog6-overview (20)

DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Know
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons LearnedFOSE 2011: DNSSEC and the Government, Lessons Learned
FOSE 2011: DNSSEC and the Government, Lessons Learned
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
 
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
DNSSEC: How to deploy it, and why you should bother (ION Toronto 2011)
 
Dnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 EnDnssec Proposal 09oct08 En
Dnssec Proposal 09oct08 En
 
Dnssec proposal-09oct08-en
Dnssec proposal-09oct08-enDnssec proposal-09oct08-en
Dnssec proposal-09oct08-en
 
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSECION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
ION Mumbai - Shailesh Gupta: Business Case for IPv6 and DNSSEC
 
ION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case StudyION Toronto - Deploying DNSSEC: A .CA Case Study
ION Toronto - Deploying DNSSEC: A .CA Case Study
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
 
The latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECThe latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSEC
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
Lessons Learned: Novell Open Enterprise Server Upgrades Made Easy
Lessons Learned: Novell Open Enterprise Server Upgrades Made EasyLessons Learned: Novell Open Enterprise Server Upgrades Made Easy
Lessons Learned: Novell Open Enterprise Server Upgrades Made Easy
 
Advanced DNS/DHCP for Novell eDirectory Environments
Advanced DNS/DHCP for Novell eDirectory EnvironmentsAdvanced DNS/DHCP for Novell eDirectory Environments
Advanced DNS/DHCP for Novell eDirectory Environments
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
Whalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptxWhalebone-UKNOF44security992_new_impl.pptx
Whalebone-UKNOF44security992_new_impl.pptx
 
F5's Dynamic DNS Services
F5's Dynamic DNS ServicesF5's Dynamic DNS Services
F5's Dynamic DNS Services
 
ICANN & IANA
ICANN & IANAICANN & IANA
ICANN & IANA
 
Shared Oracle Hosting (Linux)
Shared Oracle Hosting (Linux)Shared Oracle Hosting (Linux)
Shared Oracle Hosting (Linux)
 
ION Mumbai - Jitender Kumar: DNSSEC
ION Mumbai - Jitender Kumar: DNSSECION Mumbai - Jitender Kumar: DNSSEC
ION Mumbai - Jitender Kumar: DNSSEC
 
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
Verisign's Regional Internet Resolution Service by Ryan Donnelly [APRICOT 2015]
 

Rootsign menog6-overview

  • 1. DNSSEC for the Root Zone MENOG 6 Riyadh , Saudi Arabia April 2010 Mehmet Akcin, ICANN Thursday, April 8, 2010
  • 2. This design is the result of a cooperation between ICANN & VeriSign with support from the U.S. DoC NTIA Thursday, April 8, 2010
  • 3. Roles and Responsibilities Thursday, April 8, 2010
  • 4. ICANN IANA Functions Operator • Manages the Key Signing Key (KSK) • Accepts DS records from TLD operators • Verifies and processes request • Sends update requests to DoC for authorization and to VeriSign for implementation Thursday, April 8, 2010
  • 5. DoC NTIA U.S. Department of Commerce National Telecommunications and Information Administration • Authorizes changes to the root zone ‣ DS records ‣ Key Signing Keys ‣ DNSSEC update requests follow the same process as other changes • Checks that ICANN has followed their agreed upon verification/processing policies and procedures Thursday, April 8, 2010
  • 6. VeriSign Root Zone Maintainer • Manages the Zone Signing Key (ZSK) • Incorporates NTIA-authorized changes • Signs the root zone with the ZSK • Distributes the signed zone to the root server operators Thursday, April 8, 2010
  • 7. DNS records sent from Verified data Authorized data Root Zone TLD operator to ICANN sent to DoC sent to VeriSign distributed to root servers ICANN VeriSign TLD Root RZM DoC Unsigned root Signer Signed root Servers Operator KSK published KSK ZSK ZSK sent from VeriSign to ICANN by ICANN Management Management Keyset is signed by KSK and sent back from ICANN to VeriSign Thursday, April 8, 2010
  • 9. Goals • Deploy a signed root zone ‣ Transparent processes ‣ Audited procedures ‣ DNSSEC deployment • validators, registries, registrars, name server operators • Communicate early and often! Thursday, April 8, 2010
  • 11. DO=1 • A significant proportion of DNS clients send queries with EDNS0 and DO=1 • Some (largely unquantified, but potentially significant) population of such clients are unable to receive large responses • Serving signed responses might break those clients Thursday, April 8, 2010
  • 12. Rollback • If we sign the root, there will be some early validator deployment • There is the potential for some clients to break, perhaps badly enough that we need to un-sign the root (e.g., see previous slide) • Un-signing the root will break the DNS for validators Thursday, April 8, 2010
  • 14. Deploy Incrementally • The goal is to leave the client population with some root servers not offering large responses until the impact of those large responses is better understood • Relies upon resolvers not always choosing a single server Thursday, April 8, 2010
  • 15. DURZ • Deploy conservatively ‣ It is the root zone, after all • Prevent a community of validators from forming ‣ This allows us to unsign the root zone during the deployment phase (if we have) to without collateral damage Thursday, April 8, 2010
  • 16. DURZ • “Deliberately Unvalidatable Root Zone” • Sign RRSets with keys that are not published in the zone (but with matching keytag…) • Publish keys in the zone which are not used, and which additionally contain advice for operators (see next slide) • Swap in actual signing keys (which enables validation) at the end of the deployment process Thursday, April 8, 2010
  • 17. DURZ .       3600    IN     DNSKEY  257  3  5 (                        AwEAAa++++++++++++++++++++++++++++++                        ++THIS/KEY/AN/INVALID/KEY/AND/SHOULD                        /NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICA                        NN/DOT/ORG/FOR/MORE/INFORMATION+++++                        ++++++++++++++++++++++++++++++++++++                        ++++++++++++++++++++++++++++++++++++                        ++++++++++++++++++++++++++++++++++++                        ++++++++++++++++++++++++++++++++++++                        ++++++++++++++++++++++++++++++++++++                        ++++++++++++++++++++++/=                        ) ; Key ID = 6477 Thursday, April 8, 2010
  • 18. Deploy Incrementally L Completed on 27 January A Completed on 10 February M, I Completed on 3 March D, K, E Completed March 22nd Being Completed this week. B, H, C, G, F “April 14th” J May 5th Thursday, April 8, 2010
  • 19. Measurement • For those root servers that are instrumented, full packet captures and subsequent analysis around signing events • Ongoing dialogue with operator communities to assess real-world impact of changes Thursday, April 8, 2010
  • 20. Testing • A prerequisite for this proposal is a captive test of the deployment ‣ Test widely-deployed resolvers, with validation enabled and disabled, against the DURZ ‣ Test with clients behind broken networks that drop large responses Thursday, April 8, 2010
  • 22. DS Change Requests • Approach likely to be based on existing methods for TLD managers to request changes in root zone • Anticipate being able to accept DS requests 1-2 months before the validatable signed root zone is in production • Current topic of discussion within Root DNSSEC Design Team Thursday, April 8, 2010
  • 24. Project Web Page • http://www.root-dnssec.org ‣ Status updates ‣ Documents ‣ Presentation Archive ‣ Small collection of links to relevant tools ‣ Contact information ‣ RSS Thursday, April 8, 2010
  • 25. Communication with non-technical audiences • Will reach the non-technical and semi- technical audiences with press releases and other means. • PR departments with people who know how to do this will be engaged. Thursday, April 8, 2010
  • 26. Communication with technical audiences • Reaching the technical audiences via mailing lists and other means ‣ IETF DNS lists (e.g. DNSOP) ‣ non-IETF DNS lists (e.g. DNS-OARC) ‣ General operator lists (e.g. MENOG) ‣ … Thursday, April 8, 2010
  • 27. Draft Timeline • December 1, 2009 ‣ Root zone signed • Initially signed zone stays internal to ICANN and VeriSign ‣ ICANN and VeriSign begin KSR processing • ZSK and KSK rolls • January - July 2010 ‣ Incremental roll out of signed root • July 1, 2010 ‣ KSK rolled and trust anchor published ‣ Signed root fully deployed Thursday, April 8, 2010
  • 28. Deployment Status 13 April 2010 Thursday, April 8, 2010
  • 29. Documentation • Requirements document posted • High-Level Architecture, Policy and Practice Statements, Trust Anchor Publication, Deployment documents posted in draft form • Ceremony, KSK Facility Requirements, Testing documents expected to be posted soon http://www.root-dnssec.org Thursday, April 8, 2010
  • 30. Testing • Data collection testing by Root Server Operators complete - have now done this for real • Several KSR/SKR exchanges complete • DURZ vs. Resolver testing complete Thursday, April 8, 2010
  • 31. DURZ Roll-Out • L, A, M, I, D, K, and E root servers are running the DURZ • B C G F and H will complete the transition this week. • J will have DURZ on 5 May 2010 Thursday, April 8, 2010
  • 32. Other zones ARPA is now signed Work on how to sign IN-ADDR.ARPA, IP6.ARPA is happening and reasonable progress is expected. Thursday, April 8, 2010
  • 33. Thoughts? • Feedback is extremely welcome ‣ Email to rootsign@icann.org Thursday, April 8, 2010
  • 34. Root DNSSEC Design Team Joe Abley Mehmet Akcin David Blacka David Conrad Richard Lamb Matt Larson Fredrik Ljunggren Dave Knight Tomofumi Okubo Jakob Schlyter Duane Wessels Thursday, April 8, 2010