DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.


2 Outline of presentation
– DNS operator change toolkit and analysis
– DNSSEC operations changes toolkit
– DNSSEC operator change implications
– Different paths for DNSSEC operator changes
– R2 + R3 implications
– Fitting the paths to different registries

3 Ground rules: Respect DNS properties
Create DNS processes that are universal:
– Only talk about DNS-visible actions
– Communication path to parent ignored
– Communication with registrar ignored
Only talk about DNS roles:
– Parent
– Old and New Operator
Once we understand the DNS effects we can map additional communication and parties into the processes.

4 Notation used
Lower case: contents from old operator
Upper case: contents from new operator
k, K: Key Signing Keys
z, Z: Zone Signing Keys
n, N: Nameserver sets
d, D: DS records pointing to k or K respectively
r, R: DNS data
r(z): RRset signed by z (from old operator); written rz in the state tables that follow, rZ when signed by Z

5 Timing issues
All waits are expressed as the TTL of an RRset:
– The timer actually starts once the LAST name server of that operator reflects the change
– When a rule has a MAX that covers TTLs from two operators (parent and child), the second party's TTL has the delay to perform the action added to the value
– We assume the parent will perform actions before the child, for simplicity; in some cases the order does not matter.

6 Simple DNS Operator Change: NOT TRUE
O-1: New Operator sets up servers with zone contents
O-2: Parent changes NS to point to new operator
O-3: Old operator possible actions
– O-3.1 Changes NS to new operator
– O-3.2 Lowers TTL on NS
– O-3.3 Turns off service
– Combination O-3.1 + O-3.3 or O-3.2 + O-3.3
– O-3.4 Does nothing and keeps serving (BAD)

7 DNS Operator change (cont): Path 1: Turn off
[Flow diagram; boxes: O-1 Zone, O-2 NS, O-3.3 Stops; wait: Max(NS Par, NS Child). Legend: BLUE: New Operator; Red: Parent; Green: Old Operator; Orange: time to wait, as TTL of the RRset; simple arrow: precedence.]

8 DNS Operator change (cont): Path 2: Lower TTL
[Flow diagram; boxes: O-1 Zone, O-2 NS, O-3.1 NS, O-3.3 Stops; waits: Max(NS Par, NS Child), Child NS.]

9 DNS Operator change (cont): Path 3: Changes NS set
[Flow diagram; boxes: O-1 Zone, O-2 NS, O-3.2 TTL, O-3.3 Stops; waits: Max(NS Par, NS Child), Child NS.]

10 DNS Operator change (cont): Path 4: Continues Service
[Flow diagram; boxes: O-1 Zone, O-2 NS, O-3.4 Keeps.]

11 DNS Operator change (cont): All alternative paths
[Flow diagram; boxes: O-1 Zone, O-2 NS, O-3.1 NS, O-3.2 TTL, O-3.3 Stops, O-3.4 Keeps; waits: Max(NS Par, NS Child), Child NS.]

12 Effects of operator behavior on resolvers that know the domain

Name         | Action                                 | When                                                         | Affected
Disruptive   | O-3.3                                  | < max(Parent NS TTL, Child NS TTL)                           | All types of resolvers
Big ripple   | O-3.3                                  | > max(Parent NS TTL, Child NS TTL)                           | Many child-sticky
Small ripple | O-3.2 after parent changes, then O-3.3 | O-3.3 > max(Parent NS TTL, time of O-3.2 + Child old NS TTL) | Few child-sticky
Ripple free  | O-3.1 after parent changes, then O-3.3 | O-3.3 > max(Parent NS TTL, time of O-3.1 + Child old NS TTL) | None
Disjoint     | O-3.4                                  |                                                              | Some child-sticky

Child-sticky resolver == resolver that uses the NS set from the child AND extends the TTL each time it sees a new copy of the NS set (TTL stretching).

13 Predictable DNS operator change
We need to know (or find out) how the old operator will behave during the process:
– Cooperative: O-3.1 + O-3.3 or O-3.2 + O-3.3
– Minimally cooperative: O-3.3 upon request
– Un-cooperative: O-3.4, or O-3.3 at a random time

14 DNSSEC zone operations
DNSSEC complicates life somewhat. The following slides express the actions performed in each of these operations:
– Roll over Zone Signing Key (dual key)
– Roll over Key Signing Key (single KSK, dual DS)
– Turn on DNSSEC for a zone
– Turn off DNSSEC for a zone
DNSSEC operator change builds upon all of these.

15 DNSSEC in a nutshell
Trust chain
– DS → DNSKEY → RRSIG
– DS → KSK → ZSK → RRSIG
Referral chain
– NSp, DS → NSc, DNSKEY → RR → RRSIG
NSp == NS set from parent
NSc == NS set from child

16 Key rollover: Z-1..5 (ZSK change z → Z)
Actions
– Z-1: Generate Z
– Z-2: Add Z to DNSKEY RRset
  Wait > DNSKEY TTL
– Z-3: Sign first RRset with Z
– Z-4: Sign last RRset with Z
  Wait MAX TTL (largest TTL in the zone)
– Z-5: Remove z from DNSKEY set

After step | DNSKEY (DK) | RR
start      | kz          | rz
Z-2        | kzZ         | rz
Z-3        | kzZ         | rz, rZ
Z-4        | kzZ         | rZ
Z-5        | kZ          | rZ

17 KSK rollover: K-1..4 (k → K; dual DS, single KSK)
Actions
– K-1: Generate K, calculate D
– K-2: Add D to DS in parent
  Wait DS TTL
– K-3: Replace k with K in DNSKEY RRset and sign with K
  Wait Max(DS TTL, DNSKEY TTL)
– K-4: Remove d from DS

After step | Child (DNSKEY) | Parent (DS)
start      | kz             | d
K-2        | kz             | dD
K-3        | Kz             | dD
K-4        | Kz             | D

18 Going signed: S-1..3
– S-1: Set up keys (Z-1 + Z-2, K-1 + K-3)
  Wait: Negative TTL for the zone
– S-2: Sign zone (Z-3 + Z-4)
  Wait: MAX TTL in zone
– S-3: Create trust path / add DS (K-2)

After step | Child (DNSKEY) | RR data | Parent (DS)
S-1        | kz             | r       | –
S-2        | kz             | rz      | –
S-3        | kz             | rz      | D

19 Going unsigned: U-1..3
Actions
– U-1: Remove DS from parent
  Wait: DS TTL + DNSKEY TTL
– U-2: Remove signatures from zone
  Wait: MAX TTL in zone
– U-3: Delete DNSKEY RRset

After step | Child (DNSKEY) | RR data | Parent (DS)
start      | kz             | rz      | d
U-1        | kz             | rz      | –
U-2        | kz             | r       | –
U-3        | –              | r       | –

20 DNSSEC paths for operator change
Three basic paths are possible:
– Going Unsigned → DNSSEC is turned off and will not be turned on again (undesirable, but dictated by the new operator's capabilities)
– Intermediate unsigned step → the DNSSEC trust chain is broken during the change, but DNSSEC will be turned on again after the operator change
– Ripple free → DNSSEC validation works throughout the whole operator change process
Ripple free is our goal, but the second path is needed when the old operator is not cooperative.

21 Ripple Free DNSSEC preconditions
Old operator
– Is DNSSEC capable
– Is cooperative (O-3.3 upon request)
– Will do O-3.1 (or O-3.2)
– Will add Z to DNSKEY set
Parent
– Will accept a DS for a key not in DNSKEY
New operator
– Is DNSSEC capable
No sharing of keys

22 Signed → Unsigned operator change
Actions
1. New brings up zone – O-1
2. Parent deletes DS – U-1
3. Parent changes NS – O-2
   Wait: MAX(parent NS, old child NS)
4. Old phases out – O-3
5. Done

Step | Old     | Par | New
0    | kz,n,rz | d,n |
1    |         |     | N,R
2    |         | n   |
3    |         | N   |
4    | X       |     |
5    |         | N   | N,R

23 Going Unsigned operator change
[Flow diagram; boxes: 1 DS del, 2 New sets up, 3 NS changed, 4 NS change, 4 Old turns off, 5 Done; waits: DS + DNSKEY, Max(cNS, pNS), Child NS.]

24 Signed → Unsigned → Signed operator change
Actions
1. New brings up zone – O-1
2. Parent deletes DS – U-1
   Wait: DS + DNSKEY TTL
3. Parent changes NS – O-2
   Wait: MAX(parent NS, old child NS)
4. Old phases out – O-3 (O-3.1 + O-3.3 or O-3.1 + O-3.2)
5. Parent inserts DS – K-2
6. Done

Step | Old     | Par | New
0    | kz,n,rz | d,n |
1    |         |     | N,KZ,RZ
2    |         | n   |
3    |         | N   |
4    | X       |     |
5    |         | N,D |
6    |         | N,D | N,KZ,RZ

25 Signed → Unsigned → Signed operator change
[Flow diagram; boxes: 1 Del DS, 2 New zone, 3 NS change, 4a NS change, 4b Stops, 5 Add DS, 6 Done; waits: DS + DNSKEY, MAX TTL, DS, cNS, MAX(cNS, pNS), cNS.]

26 Ripple Free operator change
Actions
1. New brings up zone – O-1, Z-1, Z-3, Z-4, K-1, K-3
2. Old adds Z to DNSKEY – Z-2
3. Parent adds D to DS – K-2
4. Parent changes NS – O-2
   Wait: MAX(parent NS, old child NS)
5. Old phases out – O-3.1 + O-3.3
6. Parent deletes d from DS – K-4
7. New deletes z from DNSKEY – Z-5
8. Done

Step | Old      | Par  | New
0    | kz,n,rz  | d,n  |
1    |          |      | N,KZz,RZ
2    | kzZ,n,rz |      |
3    |          | n,dD |
4    |          | N,dD |
5    | X        |      |
6    |          | N,D  |
7    |          |      | N,KZ,RZ
8    |          | N,D  | N,KZ,RZ

27 Ripple free DNSSEC operator change
[Flow diagram; boxes: 1 New sets up, 2 Old adds Z, 3 Parent adds D, 4 NS change, 5.a NS change, 5.b Old stops, 6 delete d, 7 delete z, 8 Done; waits: nDNSKEY, oDNSKEY, DS, Max(cNS, pNS), cNS, MAX-TTL, oDNSKEY, DS.]
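The ripple-free procedure of slides 26 and 27 only works if every wait is long enough that no resolver can combine a stale cached copy of one record (DS, DNSKEY or a signed RRset) with a fresh copy of another. The script below is an added example, not code from the deck or from Shinkuro: it encodes the deck's notation (k/K, z/Z, d/D, rz/rZ) and the waits drawn on slide 27 as a small cache model, enumerates at each step every (DS, DNSKEY, signer) combination a validating resolver could hold, and checks that the chain DS → KSK → ZSK → RRSIG still closes. It then reproduces two failures the deck's preconditions rule out: the new operator leaving z out of its DNSKEY set, and the parent changing NS without waiting after adding D. The TTL values, the one-hour gap before steps 1 to 3 and the function names are constructed for the example.

```python
"""Cache-aware check of the ripple-free DNSSEC operator change (added example).

Notation from the deck: k/K = KSK, z/Z = ZSK, DS named by the KSK it points at,
lower case = old operator, upper case = new operator. Child-sticky (TTL stretching)
resolvers from slide 12 are not modelled.
"""
from itertools import product

KSKS = {"k", "K"}  # key-signing keys of old / new operator

# Constructed TTLs in hours (assumption): parent NS, child NS, DS, old and new
# operator DNSKEY, and MAX-TTL (largest TTL in the zone).
TTL = {"pNS": 2, "cNS": 1, "DS": 1, "oDNSKEY": 2, "nDNSKEY": 1, "MAX": 4}


def zone(ns, ds, old, new):
    """Zone state: operators named by the parent's NS set, the parent's DS set (by KSK
    name), and per operator (DNSKEY set, ZSK that signed the data); (set(), None)
    means that operator is not serving the zone."""
    return {"ns": frozenset(ns), "ds": frozenset(ds),
            "old": (frozenset(old[0]), old[1]), "new": (frozenset(new[0]), new[1])}


def ripple_free_schedule(ttl, new_has_z=True, wait_before_ns_change=True):
    """Slide 26 as (time, state) pairs, step times following the slide-27 waits.
    The flags reproduce two mistakes: new operator omits the old ZSK z, and the
    parent changes NS right after adding D instead of waiting DS / old DNSKEY TTL."""
    ns_wait = max(ttl["cNS"], ttl["pNS"])
    new_keys = {"K", "Z", "z"} if new_has_z else {"K", "Z"}
    t1 = 1                                                       # steps 1-3 together (gap arbitrary)
    t4 = t1 + (max(ttl["oDNSKEY"], ttl["DS"]) if wait_before_ns_change else 0)
    t5 = t4 + ns_wait + ttl["cNS"]                               # old stops once its O-3.1 aged out
    t6 = max(t5, t4 + ns_wait + ttl["oDNSKEY"])                  # delete d: nobody can hold old DNSKEY
    t7 = max(t6, t4 + ns_wait + ttl["MAX"])                      # delete z: nobody can hold old data
    return [
        (0,  zone({"old"}, {"k"},      ({"k", "z"},      "z"), (set(), None))),
        (t1, zone({"old"}, {"k", "K"}, ({"k", "z", "Z"}, "z"), (new_keys, "Z"))),
        (t4, zone({"new"}, {"k", "K"}, ({"k", "z", "Z"}, "z"), (new_keys, "Z"))),
        (t5, zone({"new"}, {"k", "K"}, (set(), None),          (new_keys, "Z"))),
        (t6, zone({"new"}, {"K"},      (set(), None),          (new_keys, "Z"))),
        (t7, zone({"new"}, {"K"},      (set(), None),          ({"K", "Z"},      "Z"))),
    ]


def active(schedule, lo, hi):
    """States live at some instant in (lo, hi], i.e. from which a resolver could have
    fetched a record during that window (a record fetched at s expires at s + TTL)."""
    out = []
    for i, (t, st) in enumerate(schedule):
        nxt = schedule[i + 1][0] if i + 1 < len(schedule) else float("inf")
        if t <= hi and nxt > lo:
            out.append(st)
    return out


def validates(ds, dnskey, signer):
    """The chain closes when some DS matches a KSK in DNSKEY and the signing ZSK is in DNSKEY."""
    return bool(ds & dnskey & KSKS) and signer in dnskey


def bogus_views(schedule, ttl, t):
    """(DS, DNSKEY, signer) triples a resolver may hold at time t that fail to validate."""
    ns_ttl = max(ttl["cNS"], ttl["pNS"])
    ds_opts = {s["ds"] for s in active(schedule, t - ttl["DS"], t)}
    key_opts, sig_opts = set(), set()
    for op, key_ttl in (("old", ttl["oDNSKEY"]), ("new", ttl["nDNSKEY"])):
        for field, rec_ttl, bucket in ((0, key_ttl, key_opts), (1, ttl["MAX"], sig_opts)):
            # fetched within rec_ttl, from an operator that a NS set cached up to
            # ns_ttl earlier still pointed at (conservative over-approximation)
            reachable = any(op in s["ns"] for s in active(schedule, t - rec_ttl - ns_ttl, t))
            if reachable:
                bucket.update(s[op][field] for s in active(schedule, t - rec_ttl, t) if s[op][field])
    return [(ds, keys, sig) for ds, keys, sig in product(ds_opts, key_opts, sig_opts)
            if not validates(ds, keys, sig)]


def check(schedule, ttl):
    """Return (time, bad view) for the first step at which some resolver goes bogus,
    or None when the whole change is ripple free."""
    steps = sorted({t: st for t, st in schedule}.items())  # later entry wins on equal times
    for t, _ in steps:
        bad = bogus_views(steps, ttl, t)
        if bad:
            return t, bad[0]
    return None


if __name__ == "__main__":
    print("deck's schedule:     ", check(ripple_free_schedule(TTL), TTL))
    print("new omits z:         ", check(ripple_free_schedule(TTL, new_has_z=False), TTL))
    print("NS changed too early:", check(ripple_free_schedule(TTL, wait_before_ns_change=False), TTL))
```

Run directly, the deck's schedule reports None; the "new omits z" variant fails at the NS change, where a resolver holding an RRset signed by z fetches the new operator's DNSKEY and finds no z (which is why step 1 brings up N,KZz and step 7 only removes z after MAX-TTL); the "too early" variant fails because a resolver can still hold the parent's old DS d alone while fetching a DNSKEY set that contains only K. The model over-approximates (any record within its TTL, from any operator a cached NS set could have named), so None is a conservative result; the same `zone`/`check` machinery can be fed the slide 16 and 17 rollover tables as schedules.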

28 Shortest time of paths
– DNS-only operator change: A = max(cNS, pNS)
– Going Unsigned: B = A + DS + DNSKEY
– Broken trust chain: C = DS + DNSKEY + max(A + cNS, MAX-TTL)
– Ripple Free: D = B + max(MAX-TTL + oDNSKEY, DS + DNSKEY)
(cNS, pNS: child and parent NS TTL; DS, DNSKEY: TTLs of those RRsets; oDNSKEY: old operator's DNSKEY TTL; MAX-TTL: largest TTL in the zone)

