DNS operator/registrar changes: toolkit of actions
Steve Crocker, Ólafur Guðmundsson (Shinkuro), 2011/03/26

Presentation transcript:


Outline of presentation
- DNS operator change toolkit and analysis
- DNSSEC operations changes toolkit
- DNSSEC operator change implications
- Different paths for DNSSEC operator changes
- R2 + R3 implications
- Fitting paths to different registries

Ground rules: respect DNS properties
- Create DNS processes that are universal
  - Only talk about DNS-visible actions
  - Communication path to the parent is ignored
  - Communication with the registrar is ignored
- Only talk about DNS roles
  - Parent
  - Old and new operator
- Once we understand the DNS effects we can map additional communication and parties into the processes

Notation used
- Lower case: contents from the old operator; upper case: contents from the new operator
- k, K: Key Signing Keys
- z, Z: Zone Signing Keys
- n, N: nameserver sets
- d, D: DS records pointing to k or K respectively
- r, R: DNS data
- r(z), written rz in the state tables below: RRset signed by z (i.e. from the old operator); likewise rZ and RZ

Timing issues
- All waits are expressed as the TTL of an RRset
  - The timer actually starts once the LAST name server of that operator reflects the change
  - When a rule has a MAX that covers TTLs from two parties (parent and child), the second party's TTL has the delay to perform the action added to it
- For simplicity we assume the parent performs its actions before the child, but in some cases the order does not matter

Simple DNS operator change: NOT TRUE
- O-1: New operator sets up servers with the zone contents
- O-2: Parent changes NS to point to the new operator
- O-3: Old operator, possible actions
  - O-3.1: Changes its NS set to the new operator
  - O-3.2: Lowers the TTL on its NS set
  - O-3.3: Turns off service
  - Combinations: O-3.1 or O-3.2, then O-3.3
  - O-3.4: Does nothing and keeps serving (BAD)

DNS operator change (cont.), Path 1: Turn off
O-1 (new operator sets up zone) -> O-2 (parent changes NS) -> wait max(parent NS TTL, child NS TTL) -> O-3.3 (old operator stops)
Figure legend: blue = new operator, red = parent, green = old operator, orange = time to wait as the TTL of an RRset, plain arrow = precedence.

DNS operator change (cont.), Path 2: Old operator changes its NS set
O-1 (new operator sets up zone) -> O-2 (parent changes NS) -> O-3.1 (old operator serves the new NS set) -> O-3.3 (old operator stops)
Waits shown: max(parent NS TTL, child NS TTL) after O-2; child NS TTL after O-3.1.

DNS operator change (cont.), Path 3: Old operator lowers the NS TTL
O-1 (new operator sets up zone) -> O-2 (parent changes NS) -> O-3.2 (old operator lowers TTL on its NS set) -> O-3.3 (old operator stops)
Waits shown: max(parent NS TTL, child NS TTL) after O-2; child NS TTL after O-3.2.

DNS operator change (cont.), Path 4: Old operator continues service
O-1 (new operator sets up zone) -> O-2 (parent changes NS) -> O-3.4 (old operator keeps serving)

DNS operator change (cont.), all alternative paths combined
After O-1 and O-2 the old operator either stops directly (O-3.3), changes its NS set (O-3.1) and then stops after the child NS TTL, lowers its NS TTL (O-3.2) and then stops after the child NS TTL, or keeps serving (O-3.4). The wait after O-2 is max(parent NS TTL, child NS TTL) in every case.

Effects of operator behavior on resolvers that know the domain

| Name         | Old operator action(s)            | When (relative to O-2)                                  | Resolvers affected    |
|--------------|-----------------------------------|---------------------------------------------------------|-----------------------|
| Disruptive   | O-3.3                             | < max(parent NS TTL, child NS TTL)                      | All types of resolver |
| Big ripple   | O-3.3                             | > max(parent NS TTL, child NS TTL)                      | Many child-sticky     |
| Small ripple | O-3.2 after parent change, O-3.3  | O-3.3 > max(parent NS TTL, old child NS TTL)            | Few child-sticky      |
| Ripple free  | O-3.1 after parent change, O-3.3  | O-3.3 > max(parent NS TTL, old child NS TTL)            | None                  |
| Disjoint     | O-3.4                             | (never stops)                                           | Some child-sticky     |

Child-sticky resolver == a resolver that uses the NS set from the child AND extends the TTL each time it sees a new copy of the NS set (TTL stretching).
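As an added example (not part of the slides), the following Python model simulates the table above: a parent-centric resolver and a child-sticky resolver with TTL stretching are run through each row's old-operator timeline (O-3.1..O-3.4 after the parent's O-2), and the model reports whether the resolver ever queries a dead server and when it first reaches the new operator. The TTLs (parent NS 600 s, child NS 900 s), the switch time and the query intervals are constructed values, and the resolver behaviours follow the slide's definitions rather than any particular resolver implementation.

```python
"""Resolver behaviour during a DNS operator change (added example, not from
the slides). Models a parent-centric resolver and a child-sticky resolver
(TTL stretching), the parent's NS switch (O-2) and the old operator's
actions O-3.1..O-3.4. All TTLs, times and query intervals are constructed
sample values, not measurements."""
from dataclasses import dataclass, field
from typing import Optional

OLD, NEW = "old", "new"


@dataclass
class OldOperator:
    ns_ttl: int                      # TTL on the NS RRset it serves
    ns_points_to: str = OLD          # which operator its NS set names
    serving: bool = True
    actions: list = field(default_factory=list)  # (time, action, argument)

    def tick(self, t):
        """Apply every scheduled action that is due by time t (idempotent)."""
        for when, action, arg in self.actions:
            if when > t:
                continue
            if action == "O-3.1":        # serve the new operator's NS set
                self.ns_points_to = NEW
            elif action == "O-3.2":      # lower the TTL on the NS RRset
                self.ns_ttl = arg
            elif action == "O-3.3":      # turn off service
                self.serving = False
            # O-3.4: keep serving unchanged, nothing to do


@dataclass
class Resolver:
    sticky: bool                     # child-sticky with TTL stretching?
    ns: Optional[str] = None         # operator the cached NS set names
    expires: int = -1

    def lookup(self, t, parent_ns, parent_ttl, old, new_ns_ttl):
        """One lookup at time t; returns (status, operator that was queried)."""
        if self.ns is None or t >= self.expires:
            self.ns, self.expires = parent_ns, t + parent_ttl   # referral from parent
        target = self.ns
        if target == OLD:
            if not old.serving:
                self.ns = None           # dead server: drop cache, go via parent next time
                return "fail", OLD
            child_ns, child_ttl = old.ns_points_to, old.ns_ttl
        else:
            child_ns, child_ttl = NEW, new_ns_ttl
        if self.sticky:
            # the NS set in the authoritative answer replaces the cached one
            # and restarts its timer on every answer (TTL stretching)
            self.ns, self.expires = child_ns, t + child_ttl
        return "ok", target


def simulate(parent_ns_ttl, child_ns_ttl, switch_at, old_actions,
             sticky, interval, horizon=4000):
    """Return (number of failed lookups, first time the new operator was reached)."""
    old = OldOperator(ns_ttl=child_ns_ttl, actions=old_actions)
    r = Resolver(sticky=sticky)
    failures, first_new = 0, None
    for t in range(0, horizon, interval):
        old.tick(t)
        parent_ns = NEW if t >= switch_at else OLD        # O-2 happens at switch_at
        status, target = r.lookup(t, parent_ns, parent_ns_ttl, old, child_ns_ttl)
        if status == "fail":
            failures += 1
        elif target == NEW and first_new is None:
            first_new = t
    return failures, first_new


# Constructed timelines for the rows of the table: parent NS TTL 600 s,
# child NS TTL 900 s, parent switches its NS set at t = 1000 s.
SCENARIOS = {
    "disruptive":   [(1100, "O-3.3", None)],                        # stops < max(pNS, cNS) after O-2
    "big ripple":   [(2000, "O-3.3", None)],                        # stops > max(pNS, cNS)
    "small ripple": [(1100, "O-3.2", 60), (2500, "O-3.3", None)],   # lowers NS TTL, then stops
    "ripple free":  [(1100, "O-3.1", None), (2500, "O-3.3", None)], # serves new NS set, then stops
    "disjoint":     [(1100, "O-3.4", None)],                        # keeps serving forever
}
RESOLVERS = {"parent-centric": (False, 10),
             "child-sticky, queries every 10 s": (True, 10),
             "child-sticky, queries every 300 s": (True, 300)}


def run_all():
    return {(scn, res): simulate(600, 900, 1000, actions, sticky, interval)
            for scn, actions in SCENARIOS.items()
            for res, (sticky, interval) in RESOLVERS.items()}


if __name__ == "__main__":
    for (scn, res), (fails, first) in run_all().items():
        print(f"{scn:13s} {res:36s} failures={fails} first on new={first}")
```

Two details reproduce the table's nuances. A child-sticky resolver that queries more often than the NS TTL never lets its cached NS set expire, so only a dead server (O-3.3) moves it, which is the "big ripple" row; lowering the TTL first (O-3.2) frees the sticky resolvers that query less often than the new TTL, which is why that row reads "few" rather than "many". With O-3.4 the sticky resolvers never leave the old operator at all.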

Predictable DNS operator change
We need to know (or find out) how the old operator will behave during the process:
- Cooperative: O-3.1 or O-3.2, then O-3.3
- Minimally cooperative: O-3.3 upon request
- Un-cooperative: O-3.4, or O-3.3 at a random time

DNSSEC zone operations
DNSSEC complicates life somewhat. The following slides express the actions performed in each of these operations:
- Roll over the Zone Signing Key (dual key)
- Roll over the Key Signing Key (single KSK, dual DS)
- Turn on DNSSEC for a zone
- Turn off DNSSEC for a zone
A DNSSEC operator change builds upon all of these.

DNSSEC in a nutshell
- Trust chain
  - DS -> DNSKEY -> RRSIG
  - DS -> KSK -> ZSK -> RRSIG
- Referral chain
  - NSp, DS -> NSc, DNSKEY -> RR -> RRSIG
NSp == NS set from the parent; NSc == NS set from the child

Key rollover Z-1..5: ZSK change z -> Z
Actions
- Z-1: Generate Z
- Z-2: Add Z to the DNSKEY RRset
  Wait > DNSKEY TTL
- Z-3: Sign the first RRset with Z
- Z-4: Sign the last RRset with Z
  Wait MAX TTL (the largest TTL in the zone)
- Z-5: Remove z from the DNSKEY set

State after each action (DK = DNSKEY RRset, RR = zone data and the key signing it):

| After | DK  | RR     |
|-------|-----|--------|
| start | kz  | rz     |
| Z-2   | kzZ | rz     |
| Z-3   | kzZ | rz, rZ |
| Z-4   | kzZ | rZ     |
| Z-5   | kZ  | rZ     |

KSK rollover K-1..4: k -> K, dual DS, single KSK
Actions
- K-1: Generate K, calculate D
- K-2: Add D to the DS set in the parent
  Wait DS TTL
- K-3: Replace k with K in the DNSKEY RRset and sign it with K
  Wait max(DS TTL, DNSKEY TTL)
- K-4: Remove d from the DS set

State after each action (Child = DNSKEY RRset, Parent = DS set):

| After | Child | Parent |
|-------|-------|--------|
| start | kz    | d      |
| K-2   | kz    | dD     |
| K-3   | Kz    | dD     |
| K-4   | Kz    | D      |

Going signed S-1..3
- S-1: Set up keys: Z-1 + Z-2, K-1 + K-3
  Wait: negative TTL of the zone (cached "no DNSKEY" answers must expire)
- S-2: Sign the zone: Z-3 + Z-4
  Wait: MAX TTL in the zone
- S-3: Create the trust path / add DS: K-2

State after each step (Chi = child DNSKEY RRset, RD = zone data, Par = DS in parent):

| After | Chi | RD | Par |
|-------|-----|----|-----|
| S-1   | kz  | r  | -   |
| S-2   | kz  | rz | -   |
| S-3   | kz  | rz | d   |

Going unsigned U-1..3
Actions
- U-1: Remove the DS from the parent
  Wait: DS TTL + DNSKEY TTL
- U-2: Remove the signatures from the zone
  Wait: MAX TTL in the zone
- U-3: Delete the DNSKEY RRset

State after each step (Chi = child DNSKEY RRset, RD = zone data, Par = DS in parent):

| After | Chi | RD | Par |
|-------|-----|----|-----|
| start | kz  | rz | d   |
| U-1   | kz  | rz | -   |
| U-2   | kz  | r  | -   |
| U-3   | -   | r  | -   |

DNSSEC paths for operator change
Three basic paths are possible:
- Going unsigned: DNSSEC is turned off and will not be turned on again (undesirable, but dictated by the new operator's capabilities)
- Intermediate unsigned step: the DNSSEC trust chain is broken during the change, but DNSSEC is turned on again after the operator change
- Ripple free: DNSSEC validation works throughout the whole operator change process
Ripple free is our goal, but the second path is needed when the old operator is not cooperative.

Ripple free DNSSEC preconditions
- Old operator
  - is DNSSEC capable
  - is cooperative (O-3.3 upon request)
  - will do O-3.1 (or O-3.2)
  - will add Z to its DNSKEY set
- Parent
  - will accept a DS for a key that is not in the DNSKEY set
- New operator
  - is DNSSEC capable
- No sharing of keys

Signed -> Unsigned operator change
Actions
1. New operator brings up the zone: O-1
2. Parent deletes the DS: U-1
   Wait: DS TTL + DNSKEY TTL
3. Parent changes NS: O-2
   Wait: max(parent NS TTL, old child NS TTL)
4. Old operator phases out: O-3
5. Done

State per step (only the column that changes at a step is filled in):

| Step | Old       | Par  | New  |
|------|-----------|------|------|
| 0    | kz, n, rz | d, n | -    |
| 1    |           |      | N, R |
| 2    |           | n    |      |
| 3    |           | N    |      |
| 4    | X         |      |      |
| 5    |           | N    | N, R |

Going unsigned operator change (figure)
Boxes: 1 DS deleted, 2 new operator sets up, 3 NS changed (parent), 4 NS change (old), 4 old turns off, 5 done.
Waits shown: DS + DNSKEY TTL, max(cNS, pNS), child NS TTL.

Signed -> Unsigned -> Signed operator change
Actions
1. New operator brings up the zone: O-1
2. Parent deletes the DS: U-1
   Wait: DS TTL + DNSKEY TTL
3. Parent changes NS: O-2
   Wait: max(parent NS TTL, old child NS TTL)
4. Old operator phases out: O-3 (O-3.1 or O-3.2, then O-3.3)
5. Parent inserts the new DS: K-2
6. Done

State per step (only the column that changes at a step is filled in):

| Step | Old       | Par  | New       |
|------|-----------|------|-----------|
| 0    | kz, n, rz | d, n | -         |
| 1    |           |      | N, KZ, RZ |
| 2    |           | n    |           |
| 3    |           | N    |           |
| 4    | X         |      |           |
| 5    |           | N, D |           |
| 6    |           | N, D | N, KZ, RZ |

Signed -> Unsigned -> Signed operator change (figure)
Boxes: 1 delete DS, 2 new zone, 3 NS change (parent), 4a NS change (old), 4b old stops, 5 add DS, 6 done.
Waits shown: DS + DNSKEY TTL, MAX TTL, max(cNS, pNS), cNS, DS TTL.

Ripple free operator change
Actions
1. New operator brings up the zone: O-1, Z-1, Z-3, Z-4, K-1, K-3
2. Old operator adds Z to its DNSKEY set: Z-2
3. Parent adds D to the DS set: K-2
4. Parent changes NS: O-2
   Wait: max(parent NS TTL, old child NS TTL)
5. Old operator phases out: O-3.1, then O-3.3
6. Parent deletes d from the DS set: K-4
7. New operator deletes z from its DNSKEY set: Z-5
8. Done

State per step (only the column that changes at a step is filled in). Note that the new operator publishes the old public key z alongside K and Z until step 7, and the old operator publishes Z alongside k and z from step 2, so a resolver holding either DNSKEY RRset can validate data signed by either ZSK.

| Step | Old        | Par   | New        |
|------|------------|-------|------------|
| 0    | kz, n, rz  | d, n  | -          |
| 1    |            |       | N, KZz, RZ |
| 2    | kzZ, n, rz |       |            |
| 3    |            | n, dD |            |
| 4    |            | N, dD |            |
| 5    | X          |       |            |
| 6    |            | N, D  |            |
| 7    |            |       | N, KZ, RZ  |
| 8    |            | N, D  | N, KZ, RZ  |

Ripple free DNSSEC operator change (figure)
Boxes: 1 new operator sets up, 2 old adds Z, 3 parent adds D, 4 NS change (parent), 5.a NS change (old), 5.b old stops, 6 delete d, 7 delete z, 8 done.
Waits shown: oDNSKEY (old operator's DNSKEY TTL), DS TTL, max(cNS, pNS), cNS, MAX-TTL, nDNSKEY (new operator's DNSKEY TTL).
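Added example, not from the slides: a small Python checker that encodes the KSK rollover (K-1..K-4) and the two DNSSEC operator-change paths above in the slides' own notation and, for each step, tries every combination of DS RRset, DNSKEY RRset and signed data that a validating resolver could still hold from the previous step (the waits are one TTL per step, so that is the window). Each combination is classified as secure, insecure (no DS, so the resolver treats the zone as unsigned) or bogus. The Zone/Step values, the path functions and the three-way outcome are assumptions of this model, not identifiers from the presentation; signatures are represented by key names only, so no real cryptography is involved.

```python
"""Trust-chain checker for the slides' key rollover and operator-change paths.
Added example (not from the slides). Notation follows the slides: "k"/"z" are
the old operator's KSK/ZSK, "K"/"Z" the new operator's; a DS set {"k"} is d,
{"K"} is D. Signatures are modelled by key names only (no real crypto)."""
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Zone:
    """What one operator serves: DNSKEY RRset, KSK signing it, ZSK signing data."""
    dnskeys: FrozenSet[str]
    ksk: str
    zsk: str


@dataclass(frozen=True)
class Step:
    ds: FrozenSet[str]   # KSKs the parent publishes a DS for
    ns: str              # operator named by the parent's NS set: "old" / "new"
    old: Optional[Zone]  # None once that operator has stopped serving
    new: Optional[Zone]

    def zone(self, op):
        return self.old if op == "old" else self.new


def validate(ds, dnskey_zone, data_zone):
    """Outcome for one cache state: DS RRset, cached DNSKEY RRset, cached data."""
    if not ds:
        return "insecure"   # no DS: the child is treated as unsigned
    if dnskey_zone.ksk not in ds or dnskey_zone.ksk not in dnskey_zone.dnskeys:
        return "bogus"      # DNSKEY RRset does not chain to any DS
    if data_zone.zsk not in dnskey_zone.dnskeys:
        return "bogus"      # data RRSIG made with a key the resolver lacks
    return "secure"


def check(steps):
    """Per step, the set of outcomes over every DS/DNSKEY/data combination a
    resolver could hold from that step or the one before (one TTL of waiting)."""
    results = []
    for prev, cur in zip(steps, steps[1:]):
        # a resolver is pointed at the operator the parent named at either
        # step and holds that operator's content from either step
        sources = [s.zone(op) for op in {prev.ns, cur.ns} for s in (prev, cur)
                   if s.zone(op) is not None]
        results.append({validate(ds, dk, data) for ds in {prev.ds, cur.ds}
                        for dk in sources for data in sources})
    return results


def classify(steps):
    seen = set().union(*check(steps))
    if "bogus" in seen:
        return "bogus"
    return "broken chain" if "insecure" in seen else "ripple free"


def fs(*names):
    return frozenset(names)


START = Step(ds=fs("k"), ns="old", old=Zone(fs("k", "z"), "k", "z"), new=None)


def ksk_rollover_path(add_ds_first=True):
    """K-1..K-4 (dual DS, single KSK); add_ds_first=False swaps K-2 and K-3."""
    def with_K(s):                                  # K-3: k -> K in DNSKEY, sign with K
        return replace(s, old=Zone(fs("K", "z"), "K", "z"))
    s1 = replace(START, ds=fs("k", "K")) if add_ds_first else with_K(START)
    s2 = with_K(s1) if add_ds_first else replace(s1, ds=fs("k", "K"))   # K-2
    return [START, s1, s2, replace(s2, ds=fs("K"))]                      # K-4


def ripple_free_path(old_adds_Z=True):
    """Steps 1..7 of the ripple free slide; old_adds_Z=False drops step 2 (Z-2)."""
    s1 = replace(START, new=Zone(fs("K", "Z", "z"), "K", "Z"))  # O-1 plus keys
    s2 = replace(s1, old=Zone(fs("k", "z", "Z"), "k", "z")) if old_adds_Z else s1
    s3 = replace(s2, ds=fs("k", "K"))                            # K-2
    s4 = replace(s3, ns="new")                                   # O-2
    s5 = replace(s4, old=None)                                   # O-3.3
    s6 = replace(s5, ds=fs("K"))                                 # K-4
    s7 = replace(s6, new=Zone(fs("K", "Z"), "K", "Z"))           # Z-5
    return [START, s1, s2, s3, s4, s5, s6, s7]


def signed_unsigned_signed_path():
    """Signed -> unsigned -> signed: the DS is removed before the NS change."""
    s1 = replace(START, new=Zone(fs("K", "Z"), "K", "Z"))       # O-1
    s2 = replace(s1, ds=fs())                                    # U-1
    s3 = replace(s2, ns="new")                                   # O-2
    s4 = replace(s3, old=None)                                   # O-3
    return [START, s1, s2, s3, s4, replace(s4, ds=fs("K"))]      # K-2


if __name__ == "__main__":
    for name, path in [("KSK rollover", ksk_rollover_path()),
                       ("KSK rollover, DNSKEY before DS", ksk_rollover_path(False)),
                       ("ripple free", ripple_free_path()),
                       ("ripple free without step 2", ripple_free_path(False)),
                       ("signed -> unsigned -> signed", signed_unsigned_signed_path())]:
        print(f"{name:32s} {classify(path):13s} {check(path)}")
```

Dropping step 2 (the old operator adding Z) makes step 4 bogus for a resolver that still holds the old DNSKEY RRset kz but, after the NS change, fetches data signed by Z from the new operator; that combination is exactly what the precondition "old operator will add Z to its DNSKEY set" exists to cover. Swapping K-2 and K-3 in the KSK rollover shows the same failure inside a single operator: the new DNSKEY RRset is signed by K before any DS for K exists.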

Shortest time of paths
- DNS-only operator change: A = max(cNS, pNS)
- Going unsigned: B = A + DS + DNSKEY
- Broken trust chain: C = DS + DNSKEY + max(A + cNS, MAX-TTL)
- Ripple free: D = B + max(MAX-TTL + oDNSKEY, DS + DNSKEY)
(cNS, pNS: child and parent NS TTL; DS, DNSKEY: TTL of those RRsets; oDNSKEY: the old operator's DNSKEY TTL; MAX-TTL: the largest TTL in the zone)