dnssec for the root zone

DNSSEC for the Root Zone UKNOF 16, London, April 2010 Richard Lam mb, ICANN 1

Upload: jennieawalsh

Post on 12-Apr-2015

8 views

Category:

Documents

2 download

Report

Download

Embed Size (px):

DESCRIPTION

sdazb z

TRANSCRIPT

DNSSECfor the Root Zone

UKNOF 16, London, April 2010

Richard Lamb, ICANNRichard Lamb, ICANN

This design is the result of a cooperation between ICANN & VeriSign withsupport from the U.S. DoC NTIA

Quick Recap

• 2048-bit RSA KSK, 1024-bit RSA ZSK

• Signatures with RSA/SHA-256

• Split ZSK/KSK operations

• Incremental deployment

• Deliberately Unvalidatable Root Zone (DURZ)

DURZ Deployment

• The Deliberately Unvalidatable Root Zone (DURZ) deployment started on January 27.

• As of today – 12 root server operators are serving the DURZ.

Root Server StatusRoot Server Operated by Signed ARPA DURZ LTQC DITL

A VeriSign 2010-03-16 2010-02-10 submitting submitting

B ISI 2010-03-16 2010-04-14 unknown unknown

C Cogent 2010-03-16 2010-04-14 submitting submitting

D UMD 2010-03-16 2010-03-24 submitting submitting

E NASA 2010-03-16 2010-03-24 submitting submitting

F ISC 2010-03-17 2010-04-14 submitting submitting

G US DoD 2010-03-16 2010-04-14 submitting submitting

H US Army 2010-03-16 2010-04-14 submitting submitting

I Autonomica 2010-03-15 2010-03-03 submitting submitting

J VeriSign N/A 2010-05-05 submitting submitting

K RIPE NCC 2010-03-15 2010-03-24 submitting submitting

L ICANN 2010-03-15 2010-01-27 submitting submitting

M WIDE 2010-03-15 2010-03-03 submitting submitting

UDP Traffic @ J-Root

TCP Traffic @ J-Root

Key Ceremonies

• Key ceremonies tested and exercised during January and February.

‣ See Root Zone DNSSEC KSK Ceremonies Guide for more information.

• The secure facilities are being fine tuned to meet the requirements set by DoC and the expectations set by the community.

http://www.root-dnssec.org/wp-content/uploads/2010/02/draft-icann-dnssec-ceremonies-00.txt

TCR Proposal

• Draft document describing how recognized members of the DNS technical community could be part of the key management process has been published.

‣ Visit http://www.root-dnssec.org/tcr/ for more information

DS Change Requests

• Approach likely to be based on existing methods for TLD managers to request changes in root zone.

• Anticipate being able to accept DS requests 1-2 months before the validatable signed root zone is in production.

Policy Update

• Updated versions of the draft KSK and ZSK DNSSEC Practice Statements (DPS) will be published shortly.

‣ Not much has changed substantively, but please read these practice statements – answers to most questions regarding DNSSEC for the Root Zone can be found in the DPS.

DocumentationAvailable at www.root-dnssec.org

• Requirements

• High Level Technical Architecture

• DNSSEC Practice Statements (DPS)

• Trust Anchor Publication

• Deployment Plan

• KSK Ceremonies Guide

• TCR Proposal

• Resolver Testing with a DURZ

http://www.root-dnssec.org

Questions & Answers

[email protected]

Root DNSSEC Design Team

Joe AbleyMehmet AkcinDavid BlackaDavid ConradRichard LambMatt Larson

Fredrik LjunggrenDave Knight

Tomofumi OkuboJakob SchlyterDuane Wessels

DNSSEC Zone Management with ZKT - H Z N E T Startseite · DNSSEC Zone Management with ZKT ... —ZKT without BIND name server ... • FreeBSD and OpenBSD ports available

DNSSEC Implementation Approaches - ICANN GNSO · DNSSEC Implementation Approaches . The DLV infrastructure zone • DLV is a DNS-based deployment aid for early DNSSEC deployment –allows

2017 DNSSEC KSK Rollover - LACNICslides.lacnic.net/wp-content/uploads/2017/05/ksk-rollover-icann-v2.pdf · | 4 Rollover of the Root Zone DNSSEC KSK ¤Therehas been one functional,

DNSSEC with BlueCat Networks - Internetdagarna · Challenges Deploying DNSSEC TLD and root zone signing - “.com” not until 2011! Products to validate and host DNSSEC records Key

IANA and DNSSEC Root - Apricot · IANA ! and! DNSSEC! at! the ! Root APRICOT! 2009! Manila February! 25,! 2009 [email protected]

Rolling the Root Zone DNSSEC Key Signing Key · • DNSSEC has three kinds of records that, in some loose definition, hold cryptographic key data. The records exist because of the

Rolling the Root - APNIC · 2015-10-05 · Rolling the Root Geoff Huston APNIC Labs . Use of DNSSEC in Today’s Internet . ... • The Root Zone Key Signing Key signs the DNSKEY

The GNU Name System - Grothoff · I Domain Name System (Root zone) I DNSSEC root certi cate I X.509 CAs (HTTPS certi cates) I Major browser vendors (CA root stores!) I Encryption

Overview DNSSEC - ICANN€¦ · Overview DNSSEC Performance More… Support for Online Zone Signing. Sign/unsign/change DNSSEC settings on a live zone Add/remove records dynamically

DNSSEC and the Authoritative Root Zone · Domain Name System •1. st . order implications are clear: –1. st . step in every instance of Internet communication. – Attacks can

DNSSEC and the Authoritative Root Zone€¦ · DOC Role -The Authoritative Root Zone • The authoritative root zone file is the top of the DNS hierarchy, for which the U.S. Department

DNSSEC for the Root · PDF fileDNSSEC for the Root Zone – Update IETF 78, ... Nicolas Antoniello, UY ... Backup COs (RKSHs) Key Ceremonies • Ceremony #1: June 16, 2010, Culpeper,

Deployment of DNSSEC in the Root Zone: Impact Analysis · Deployment of DNSSEC in the Root Zone: Impact Analysis ... This report examines the impact of the deployment of DNSSEC in

DNSSEC for the Root Zone...Root Servers KSK published by ICANN Keyset is signed by KSK and sent back from ICANN to VeriSign Unsigned root 11 Proposed Approach to Protecting the KSK

DNSSEC for the Root Zone · DNSSEC Practice Statement • States the practices and provisions that are employed in root zone signing and zone distribution services ‣ Issuing, managing,

Verisign DNSSEC PMA December 7, 2017 DNSSEC Practice ...€¦ · Root Zone ZSK DPS December 7, 2017 requirements. In many instances, the DPS refers to these ancillary documents for

Rolling the Root Zone DNSSEC Key Signing Key · DNSSEC Key Management in the Root Zone ¤ DNSSEC key management is divided into: o Key Signing Key (KSK), self-signs the key set o

ISC & BIND Update - ICANN...Easier DNSSEC deployment (9.7) Built-in trust anchor for root DNS64 2011 Prefetch, Map zone, zone sharing between views Statistics: JSON, udp/tcp 2008 2013

2017 DNSSEC KSK Rollover - wiki.apnictraining.net · | 2 To publicize the new Root Zone DNSSEC KSK Provide status, upcoming events, and contact information Provide helpful resources

A Story on Unsupported DNSSEC Algorithms · $ dnssec-keygen -a RSAMD5 example.com. dnssec-keygen: fatal: unsupported algorithm: 1 pdnsutil generate-zone-key Syntax: pdnsutil generate-zone-key

DNSSEC for the Root ZoneDNSSEC for the Root Zone NZNOG Hamilton, NZ January 2010 Joe Abley, ICANN ... SP 800-53 technical security controls required by a HIGH IMPACT system Thursday

K-Root DNSSEC Signing Plans

Rolling the Root Zone DNSSEC Key Signing Key - Eland Syssm/KSK_Roll_Plan_LewisAFRINIC25.pdf · Rolling the Root Zone DNSSEC Key Signing Key Edward Lewis ... and a trust anchor •

Rolling the Root - ICANN · • The Root Zone Key Signing Key signs the DNSKEY RR set of the root zone – The Zone Signing Key (ZSK) signs the individual root zone entries • The

DNSSEC for the Root Zone · DNSSEC for the Root Zone ICANN 36, Seoul 28 October 2009 Richard Lamb, ICANN Matt Larson, VeriSign 1. ... • Authorizes changes to the root zone ‣ DS

A measurement study of DNSSEC misconfigurations · zone draws importance for analysis as it was the first DNSSEC signed zone [15] in 2005, 5 years prior to the root domain, hence

Track 2 Workshop at PacNOG7: DNSSec Overview · 3. Signing the zone Sign your zone # dnssec-signzone myzone dnssec-signzone will be run with all defaults for signature duration, the

2017 DNSSEC KSK Rolloverslides.lacnic.net/wp-content/themes/slides/docs/... · | 4 Rollover of the Root Zone DNSSEC KSK ¤ There has been one functional, operational Root Zone DNSSEC

CCNSO MEMBERS MEETING IANA Names Function Update · 2017-11-13 · • Rolling the Root Zone Key Signing Key • Performance reporting • Customer Survey. New DNSSEC algorithm support

DNSSEC for the Root Zone · 2019-02-01 · DURZ • “Deliberately Unvalidatable Root Zone” • Sign RRSets with keys that are not published in the zone (but with matching keytag…)

DNSSEC for the Root Zone · DNSSEC Policy & Practice Statement • States the practices and provisions that are employed in root zone signing and zone distribution services ‣ Issuing,

Verisign DNSSEC Practice Statement for COM Zone

VeriSign Root Zone Signing Proposal - Home Page | … · approach to DNSSEC in accordance with the terms of the Root Server Management Transition Completion Agreement between VeriSign

Commercial DNSSEC - TERENA€¦ · DNS!Server! Controller DNS!Server DNSSEC Zone!Signing &! Key!Management OpenDNSSEC Secure64!Signer DNSSEC!ZKT! BIND!9.7.x+ Windows!2008R2 DNS!Management!

K-root and DNSSEC