dns operator/registrar changes toolkit of actions steve crocker Ólafur guðmundsson shinkuro...

DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Upload: florence-hunter

Post on 24-Dec-2015




0 download


Page 1: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

DNS operator/registrar changestoolkit of actions

Steve CrockerÓlafur Guðmundsson


Page 2: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Outline of presentation

• DNS operator change toolkit and analysis

• DNSSEC operations changes toolkit• DNSSEC operator change implications • Different paths for DNSSEC operator changes• R2 + R3 implications • Fitting to paths to different registries.

Page 3: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Ground rules: Respect DNS properties

• Creating DNS process that are universal– Only talk about DNS visible actions – Communication path to parent ignored – Communication with registrar ignored

• Only talk about DNS roles– Parent– Old and New Operator

Once we understand DNS effects we can map additional communication and parties into the processes

Page 4: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Notation used

• Lower case: contents from old operator • Upper case: contents from new operator• kK: Key Signing Keys • zZ: Zone Signing Keys• nN: Nameserver sets • dD: DS records pointing to k or K respectively• rR: DNS data • r(z) : Rrset signed by z, (from old operator)

Page 5: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Timing issues

• All waits are expressed as TTL of an RRsetActually the timer starts once the LAST name

server for that operator reflects the change When a rule has a MAX that covers TTL’s from

two operators (parent and child) the second parties TTL has the delay to perform the action added to the valueWe assume parent will perform actions before child for

simplicity reasons but in some cases the order can be the order does not matter.

Page 6: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Simple DNS Operator Change:NOT TRUE

• O-1: New Operator sets up servers with zone contents

• O-2: Parent changes NS to point to new operator• O-3: Old operator possible actions– O-3.1 Changes NS to new operator– O-3.2 Lowers TTL on NS– O-3.3 Turns off service – Combination O-3.1 + O.3.3 or O.3.2 + O.3.3 – O-3.4 Does nothing and keeps serving (BAD)

Page 7: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

DNS Operator change: (cont) Path 1: Turn off

O-1 Zone

O -2 NS

O-3.3 StopsMax(NS Par, NS Child)

BLUE: New OperatorRed: Parent Green: Old OperatorOrange: Time to wait as TTL of RrsetSimple arrow: Precedence

Page 8: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

DNS Operator change: (cont)Path 2: Lower TTL

O-1 Zone

O -2 NS

O-3.1 NS

O-3.3 StopsMax(NS Par, NS Child)

Child NS

Page 9: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

DNS Operator change: (cont)Path 3: Changes NS set

O-1 Zone

O -2 NS

O-3.3 Stops

O-3.2 TTL

Max(NS Par, NS Child)

Child NS

Page 10: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

DNS Operator change: (cont)Path 4: Continues Service

O-1 Zone

O -2 NS

O-3.4 Keeps

Page 11: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

DNS Operator change: (cont)All alternative paths

O-1 Zone

O -2 NS

O-3.1 NS

O-3.3 Stops

O-3.2 TTL

Max(NS Par, NS Child)

Child NS

O-3.4 Keeps

Child NS

Page 12: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Effects of operator behavior on resolvers that know domain

Name Action When affected

Disruptive O-3.3 < max( Parent NS TTL, Child NS TTL) All types of resolvers

Big ripple O-3.3 > Max( Parent NS TTL, Child NS TTL) Many Child sticky

Small ripple O-3.2 After parent changes

O-3.3 > Max(Parent NS TTL, time of 3.2 + Child old NS TTL)

Few child sticky

Ripple free O-3.1 After parent changes

O-3.3 > Max(Parent NS TTL, time of 3.1 + Child old NS TTL)


Disjoint O.3.4 Some child sticky

Child sticky resolver == Resolver that uses NS set from child AND extends TTL each time it sees a new copy of the NS set. (TTL stretching)

Page 13: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Predictable DNS operator change

• We need know/find out how the old operator will behave during the process– Cooperative:• O-3.1 + O-3.3 • or O-3.2 + O-3.3

– Minimally cooperative: • O-3.3. upon request

– Un-cooperative: • O-3.4 • or O-3.3 at random time

Page 14: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

DNSSEC zone operations

• DNSSEC complicates life somewhat • In following slides express the actions

performed in each of following operations– Roll over Zone Signing Key (dual key) – Roll over Key Signing Key (single KSK, dual DS) – Turn on DNSSEC for a zone – Turn off DNSSEC for a zone

• DNSSEC operator change builds upon all these

Page 15: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

DNSSEC in nutshell


• Referral chain – NSp, DS NSc, DNSKEY RR RRSIG• NSp == NS set from parent• NSc == NS set from child

Page 16: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Key rollover: Z-1..5ZSK change z Z

• Actions– Z-1: Generate Z– Z-2: Add Z to DNSKEY RRset• Wait > DNSKEY TTL

– Z-3: Sign first RRset with Z– Z-4: Sign last RRset with Z • Wait MAX TTL, largest TTL in the zone

– Z-5: Remove z from DNSKEY set

DK RRkz rzkzZ rz

kzZ rz,rZkzZ rZ

kZ rz

Page 17: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

KSK rollover: K-1..4 k K dual DS single KSK

• Actions– K-1: Generate K calculate D– K-2: Add D to DS in parent • Wait DS TTL

– K-3: Replace k with K in DNSKEY RRset and sign with K • Wait Max(DS TTL, DNSKEY TTL)

– K-4: Remove d from DS

Chi Parkz dKz dD

KzZ dDKz rZ

Kz D

Page 18: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Going signed S-1..3

• S-1: Set up keys – Z-1 + Z-2– K-1 + K-3• Wait: Negative TTL for zone

• S-2: Sign zone – Z-3 + Z-4• Wait: MAX TTL in zone

• S-3: create Trust path/ Add DS– K-2

Chi RD Par

kz r

kz rz

kz rz D

Page 19: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Going Unsigned: U-1..3

• Actions– U-1: Remove DS from parent • Wait: DS TTL + DNSKEY TTL

– U-2: Remove signatures from zone• Wait: MAX TTL in zone

– U-3: Delete DNSKEY RRset.

Chi RD Parkz rz d Kz rz -

kz r

- r

Page 20: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

DNSSEC Paths for operator change

• 3 basic paths possible– Going Unsigned DNSSEC is turned off and will not be

turned on again (Undesirable but dictated by new operator capabilities)

– Intermediate unsigned step DNSSEC trust chain is broken during the change but DNSSEC will be turned on again after operator change

– Ripple free DNSSEC validation works throughout the whole operator change process

• Ripple free is our goal, but the second one is needed when old operator is not cooperative.

Page 21: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Ripple Free DNSSEC preconditions

• Old operator – is DNSSEC capable – Is cooperative (O-3.3 upon request)

• Will do O-3.1 (or O-3.2) • Will add Z to DNSKEY set

• Parent – Will accept DS for a key not in DNSKEY

• New operator– Is DNSSEC capable

• No sharing of keys

Page 22: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Signed Unsigned operator change

Actions1. New brings up zone – O-1

2. Parent deletes DS – U-1

3. Parent changes NS – O-2 – Wait: MAX(parent NS, old child NS)

4. Old Phases out– O-3

5. Done

Old Par New

0 kz,n,rz D,n

1 N,R

2 n

3 N

4 X

5 N N,R

Page 23: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Going Unsigned operator change

1. DS del

2 New sets up

3 NS changed

4 NS change

5 Done


Child NS4 Old turns


Page 24: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Signed -> Unsigned Signed operator change

Actions1. New brings up zone

– O-1

2. Parent deletes DS – U-1– Wait: DS + DNSKEY TTL

3. Parent changes NS – O-2 – Wait: MAX(parent NS, old child NS)

4. Old Phases out– O-3 (O-3.1 + O-3.3 or O-3.1 + O-3.2)

5. Parent inserts DS• K-4

6. Done

Old Par New

0 kz,n,rz


1 N,KZ, RZ

2 n

3 N

4 X

5 N,D

6 N,D N,KZ, RZ

Page 25: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Signed -> Unsigned -> Signed operator change

1 Del DS

4a NS change

2 New zone

3 NS change

5 Add DS

6 Done




4b Stops


MAX( cNS, pNS) cNS

Page 26: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Ripple Free operator change Actions1. New brings up zone

• O-1, Z-1, Z-3, Z-4, K-1, K-3

2. Old add Z to DNSKEY• Z-2

3. Parent adds D to DS • K-2

4. Parent changes NS • O-2 • Wait: MAX(parent NS, old child NS)

5. Old Phases out• O-3.1 + O-3.3

6. Parent deletes d from DS• K-4

7. New deletes z from DNSKEY • Z-5

8. Done

Old Par New

0 kz,n,rz d,n

1 N,KZz, RZ

2 kzZ,n, rz n

3 n,dD

4 N,dD

5 X

6 N,D

7 N,KZ, RZ


Page 27: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Ripple free DNSSEC operator change

1 New sets up

5.b Old Stops

2 Old adds Z

3 Parent adds D

6 delete d

4 NS change

7 delete z



MAX-TTL 8 Done


5.a NS Change cNS

Max(cNS, p



Page 28: DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26

Shortest Time of paths

• DNS only operator change: • A = max(cNS, pNS)

• Going Unsigned: • B = A + DS + DNSKEY

• Broken trust chain • C = DS + DNSKEY + max(A + cNS, MAX-TTL)

• Ripple Free: • D = B + max(Max-TTL+ oDNSKEY, DS+ DNSKEY)