Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS operator transfers with DNSSEC

Published by언정 야 Modified over 5 years ago

Similar presentations

Presentation on theme: "DNS operator transfers with DNSSEC"— Presentation transcript:

1 DNS operator transfers with DNSSEC
Olafur Gudmundsson Andrew Sullivan DNSSEC Transfer at OARC 4/9/2019

2 DNSSEC Transfer at OARC
What is the problem? We are only talking about transferring DNS service, no other services. We wanted to describe to a domain name registrar how to transfer a DNSSEC signed domain with no outage !! We failed In every case there was a possible failure situation Go back to drawing board try to figure out a process where the goal will be satisfied. DNSSEC Transfer at OARC 4/9/2019

3 DNSSEC Transfer at OARC
Notation O = observer i.e. DNS resolver L = loosing DNS operator G = gaining DNS operator P = Parent or Registry Nl = NS set from L (before transfer) Ng = NS set from G (after transfer) Lk, Lz, = Ksk and Zsk for L Gk, Gz = Ksk and Zsk for G Kl = DNSKEY set from L Kg = DNSKEY set from G DNSSEC Transfer at OARC 4/9/2019

4 DNS transfer general case
Ng Final L P G O Nl Before Nl Ng Xfer req Nl Ng Nl or Ng Right after Xfer Some resolvers are sticky as where to ask for information on the zone. Caches that do TTL stretching and ask zone frequently enough for NS set never to time out. Unless L stops serving zone resolvers may take real long time to discover new set of nameservers. How long is sticky  one TTL after L stops serving is when we can be sure DNSSEC Transfer at OARC 4/9/2019

5 R3: Registrar, Registrant, Registry complications
ICANN current transfer policy allows for uncooperative participants. Timing of actions can not be predicted. L can accept, ignore or contest transfer request. No requirement that L stop serving up zone after transfer G can not send Ng to L via registry G can try to change contents of registry to Ng before transfer via owners account DNSSEC Transfer at OARC 4/9/2019

6 DNSSEC Transfer at OARC
DNSSEC transfers Assumptions: Domain is signed, by L L has both KSK and ZSK private keys and will not share them with G. G will sign the zone with different set of keys. G will list L’s keys L will be minimally cooperative Complication: for some time validators may have data from the zone some signed by L and some signed by G due to TTL’s. We do not want validation failures DNSSEC Transfer at OARC 4/9/2019

7 DNSSEC validation error possibilities
Before switch: Parent must list DS for both L and G’s or validation will fail. New DS must be given time to propagate before NS is changed. When parent switches referral from L to G caches: Cache ignorant of the zone is not affected Cache has Kl and learns Ng. Verification may fail until Kl times out DNSSEC Transfer at OARC 4/9/2019

8 Solution: additional steps
Credit: Antoin Verschuren proposed this general approach Step 1: L and G include both of sets of ZSK keys in their DNSKEY RRset. Kl (L DNSKEY) = Lk, Lz, Gz Kg (G DNSKEY) = Gk, Lz, Gz Step 2: Parent adds Gk to DS, listing both Lk and Gk Step 3: (actual transfer) (wait at least 1 DS TTL) Parent updates NS from Nl to Ng Step 4: L stops serving zone Step 5: (wait at least 1 Kl TTL) Parent removes DS corresponding to Lk Step 6: (wait at least MAX TTL for L zone from step 4) G removes Lz from its DNSKEY RRset Kg = Gk, Gz DNSSEC Transfer at OARC 4/9/2019

9 DNSSEC Transfer at OARC
Complications “Requires” L to cooperate in the transfer If both L and G are under contract with owner  not a problem. Registry is natural conduit for Gz to L Publication of Gz key by L is acceptance of transfer EPP protocol needs to be updated for this to happen, L needs to keep serving the zone for a while after agreeing to transfer Registry accepts Gk from G and after transfer request is accepted adds that to DS. Additional data in transfer request: Gz. L needs to stop serving the zone when told by the registry. Agreements specifying transfers need to be updated.  Tools and processes need to be updated. DNSSEC Transfer at OARC 4/9/2019

10 DNSSEC Transfer at OARC
Discussion DNSSEC Transfer at OARC 4/9/2019

Download ppt "DNS operator transfers with DNSSEC"

Similar presentations

© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
Improving DNS contents in the RRR world Ólafur Guðmundsson Steve Crocker 2012 Oct.

Improving DNS contents in the RRR world Ólafur Guðmundsson Steve Crocker Oct.
DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.

DNS Transfers in DNSSEC world Olafur Gudmundsson Steve Crocker Shinkuro, Inc.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
.| The Trusted Channel Centric Marketplace Domain Name Transfers & Domain Delegation.

.| The Trusted Channel Centric Marketplace Domain Name Transfers & Domain Delegation.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren.

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.

DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.
DNS Registries. Overview What is a DNS registry? –DNS registries –Data In –Data Out –Transactions Registry Structure –Registry –Registrars –Registrants.

DNS Registries. Overview What is a DNS registry? –DNS registries –Data In –Data Out –Transactions Registry Structure –Registry –Registrars –Registrants.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.

© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
DNSSEC deployment in NZ Andy Linton

DNSSEC deployment in NZ Andy Linton
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested

© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
AU, March 2, 20061 DNSSEC, APNIC, & how EPP might play a Role Ed Lewis DNS SIG APNIC 21.

AU, March 2, DNSSEC, APNIC, & how EPP might play a Role Ed Lewis DNS SIG APNIC 21.
Happy Eyeballs for the DNS Geoff Huston, George Michaelson APNIC Labs October 2015.

Happy Eyeballs for the DNS Geoff Huston, George Michaelson APNIC Labs October 2015.
Olaf M. Kolkman. IETF58, Minneapolis, November 2003. DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.

Olaf M. Kolkman. IETF58, Minneapolis, November DNSSEC Operational Practices draft-ietf-dnsop-dnssec-operational-practices-00.txt.
Ch 6: DNSSEC and Beyond Updated 4-28-15. DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DRAFT STEP-BY-STEP DNS SECURITY ILLUSTRATIVE GUIDE Version 0.2 Sparta, Inc. 7075 Samuel Morse Dr. Columbia MD 21046 Ph: 410.872.1515

DRAFT STEP-BY-STEP DNS SECURITY ILLUSTRATIVE GUIDE Version 0.2 Sparta, Inc Samuel Morse Dr. Columbia MD Ph:
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

Similar presentations

Ads by Google