Presentation is loading. Please wait.

Presentation is loading. Please wait.

Root Zone KSK: The Road Ahead Edward Lewis | DNS-OARC & RIPE DNSWG | May 2015

Published byEmery Moody Modified over 8 years ago

Similar presentations

Presentation on theme: "Root Zone KSK: The Road Ahead Edward Lewis | DNS-OARC & RIPE DNSWG | May 2015"— Presentation transcript:

1 Root Zone KSK: The Road Ahead Edward Lewis | DNS-OARC & RIPE DNSWG | May 2015 edward.lewis@icann.org

2 | 2  Setting the scene  Change of Hardware Security Modules (HSMs)  Roll (change) the Key Signing Key (KSK)  The big finish Agenda

3 | 3  Root Zone KSK  The trust anchor in the DNSSEC hierarchy  Has been in operation since June 2010  With no roll of key itself  And with no change of HSM (until April 2015)  "After 5 years of operation"  Concerns over HSM (hardware) battery life  Requirement to roll the KSK Background

4 | 4 The Players  Root Zone Management Partners  Internet Corporation for Assigned Names and Numbers (ICANN)  U.S. Department of Commerce, National Telecommunications and Information Administration (NTIA)  Verisign  External Design Team for KSK roll  ICANN  Performs DNSSEC and KSK functions (plus others) in accordance with the IANA functions contract

5 | 5 What is a...  KSK  Key-Signing Key signs DNSKEY RR set  Root Zone KSK  Public key in DNS Validator Trust Anchor sets  Copied everywhere - "configuration data"  Private key used only inside HSM  HSM  Hardware Security Module  Specialized hardware  Operates KSK  Prevents exposure of private key

6 | 6 Public Impact  HSM change  Not much impact to the public  So long as they work, they are unseen  Concerns that existing set is growing old  Specifically the internal battery  KSK roll  Large impact (on those validating)  Anybody operating a validator has it now  All copies need to be updated  Trusting the new KSK is work to be done

7 | 7 Goal for today  This presentation is intended to  Inform  Stir reaction and feedback  Call attention to a coming ICANN Public Comment Period on KSK roll  Two means for feedback  Informal via mic and mail list, comments picked up by KSK roll Design Team  Formal via an upcoming ICANN Public Comment period (to be announced)

8 | 8  Straightforward Replacement  Same brand, newer model  Culpeper, Virginia, USA Facility  Ceremony XXI on April 9, 2015 (went flawlessly)  El Segundo, California, USA Facility  Ceremony XXII planned for August 13, 2015  Documented Plan  https://www.icann.org/news/announcement- 3-2015-03-23-en HSM Change (or "Tech Refresh")

9 | 9 KSK Roll  Compared to HSM change  Greater public impact  Various options to consider  Approach  ICANN Public Consultation (2012)  Previous engineering effort (2013)  Current external design team (2015)

10 | 10 Milestones  Current Design Team Plan  Study, discussion until June  Present report for ICANN Public Comment  One month, covering ICANN 53  One month to prepare final report  Root Zone Management Partners then develop a plan and execute

11 | 11 Design Team Roster  Joe Abley  John Dickinson  Ondrej Sury  Yoshiro Yoneya  Jaap Akkerhuis  Geoff Huston  Paul Wouters  Plus participation of the aforementioned Root Zone Management Partners

12 | 12 In theory  On paper...  The industry collective wisdom is fairly mature  There have been many KSK rolls before  What works, breaks has been experienced  But the Root Zone KSK is different  Other KSK rolls inform the parent (or DLV)  A new root KSK has to be updated everywhere  Mitigated by RFC5011's trust anchor management

13 | 13 In practice ...but...  Any plan will face external challenges  Will validators have trouble receiving responses during the roll? (Fragmentation issues)  Are automated trust anchor updates implemented correctly?  Will operators know how to prepare, how to react?  Will all DNSSEC code paths perform correctly?

14 | 14 A Discussion with the Design Team  This presentation is to inform and invite participation  Concerns of the design team  MTU, IPv4 and IPv6 fragment handling  Alternate algorithm to RSA-SHA256  RFC 5011 and Trust Anchor maintenance  So, now, with members of the design team  What concerns do you have?  What comments do you want to add?

15 | 15 Potential Step 1 – Pre-publish new KSK (2015)

16 | 16 Potential Step 2 – Regular ZSK Roll

17 | 17 Potential Step 3 – Removal of old KSK (2010)

18 | 18 Potential Step 4 – Revoke 2010 after ZSK roll

19 | 19 Recently Measured DNSKEY Response Sizes (TLD) 1500 Bytes One outlier 512Bytes One 2048b KSK, One 1280b ZSK, two signatures

20 | 20 DNSSEC Links  http://www.iana.org/dnssec  http://www.root-dnssec.org  http://www.verisigninc.com/assets/dps-zsk- operator-1527.pdf

Download ppt "Root Zone KSK: The Road Ahead Edward Lewis | DNS-OARC & RIPE DNSWG | May 2015"

Similar presentations

Whos who in the IETF Zoo? Geoff Huston Executive Director, Internet Architecture Board.

Whos who in the IETF Zoo? Geoff Huston Executive Director, Internet Architecture Board.
ICANN Plan for Enhancing Internet Security, Stability and Resiliency.

ICANN Plan for Enhancing Internet Security, Stability and Resiliency.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA

ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA
IETF-751 Olafur Gudmundsson Andrew Sullivan.

IETF-751 Olafur Gudmundsson Andrew Sullivan.
IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.

IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.
IANA Update APNIC 31, Hong Kong February 2011. Agenda 2 Addressing DNSSEC Root management Continuity Exercise Business Excellence.

IANA Update APNIC 31, Hong Kong February Agenda 2 Addressing DNSSEC Root management Continuity Exercise Business Excellence.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting (2008-01-16)

Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
Transition of U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) Stewardship of the IANA Functions to the Global.

Transition of U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) Stewardship of the IANA Functions to the Global.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, 2013 1 Jelte Jansen, Antoin Verschuren.

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.
IANA Activities Update RIPE 68 Warsaw, Poland May 2014.

IANA Activities Update RIPE 68 Warsaw, Poland May 2014.
Transition of U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) Stewardship of the IANA Functions to the Global.

Transition of U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) Stewardship of the IANA Functions to the Global.
Implementing a Calibration Management System Cory Otto Principal Metrology Engineer, Boston Scientific 10 October 2012.

Implementing a Calibration Management System Cory Otto Principal Metrology Engineer, Boston Scientific 10 October 2012.
1 ARIN: Mission, Role and Services John Curran ARIN President and CEO.

1 ARIN: Mission, Role and Services John Curran ARIN President and CEO.
Commercial Database Applications Testing. Test Plan Testing Strategy Testing Planning Testing Design (covered in other modules) Unit Testing (covered.

Commercial Database Applications Testing. Test Plan Testing Strategy Testing Planning Testing Design (covered in other modules) Unit Testing (covered.

Similar presentations

Ads by Google