topic: dnssec ops problem: sep provisioning · why do we need a standard • today's ad‐hoc...
TRANSCRIPT
Abstract
• An SEP is a DNSSEC public key that an administrator generates as part of the signing process
• An SEP is a DNSSEC public key that an administrator receives as input, leading to DS records at a delegation
• There is no standard way to transfer the SEP despite many admin-admin environments
Oct8,2009 [email protected] 2
Why do we need a standard
• Today's ad-hoc situation isn't working
• The absence of a standard means the exchanges are informal
  – Informal does not scale
  – New players don't know where to start
  – Disenfranchised demographic stays that way
• Integrate as many players as possible, safely
A dilemma I live with
• A gTLD/ccTLD registry is expecting to rely on an EPP server as its provisioning ingress point
• A DNS managed service, not a registrar, does not operate an EPP client
• How do they talk to each other?
  – Even within the same organization?
Secure Entry Point (SEP)
• A Secure Entry Point is a key (KSK) that is intended to
  – Produce a DS record at the parent
  – Be configured in a Trust Anchor list
  – Be redistributed by a Trust Anchor Repository
Trust Anchor Repository
• TAR is a "security surrogate"
  – To a DNS administrator, it acts like the parent with respect to the SEP submission
  – To a DNS cache operator, it is a registry of security metadata (SEPs) with domain names
• A TAR is yet another form of a registry
  – Focus differs from a Domain Name Registry or RIR
SEP Lifecycle
• If an SEP was permanent we have no problem, but circumstances may require it be changed
• An SEP's "lifecycle" may include these stages
  – generation
  – preview (which might include emergency)
  – active
  – revoked (a la RFC 5011)
  – removed
Swapping an SEP
• One approach
  – Start with existing SEP, signed
  – Add new SEP to set, signed
  – Request a swap of DS records at parent or TAR
  – Confirm change, revoke (RFC 5011) the old
  – Remove the old SEP
Addendum
• There may be more than one SEP for a zone
  – For example, one per crypto-algorithm
  – For any operational reason
• The SEP change process presented here is just one model
  – This isn't an effort to pick one change process
  – The resulting provisioning process should accommodate many different change processes
The problem
• Middle step: Request a swap of DS records at parent and/or TAR
  – An external dependency
  – Few have specified how this will be done
    • There is RFC 4310 (EPP for DNSSEC) but that has limited scope
  – Testbeds offer web pages; key scrapers pick
  – Building scripts for SEP change is not easy
• Needs to address: security, service level agreement
Why didn't RFC 5011 solve this?
• RFC 5011 "Automated Updates of DNSSEC Trust Anchors"
  – No mention of redistribution issues
  – No confirmation step (not needed because this wasn't meant for redistribution to other parties)
• Without confirmation, this doesn't provide the necessary feedback to the provisioning client
Visualizing the Problem
• The next five slides show these four steps
  – The child publishes a new SEP (-to-be)
  – The DS(new SEP) gets to the parent-TAR
  – Parent-TAR publishes the (Signed) DS
  – The child revokes the old SEP
• Hmm, before I said there were five steps
  – This focuses on step #2, #3, #4, dividing #3 in half
SEP: Pre-publish in DNS
[Diagram: Child and Parent-TAR, each with Data Entry, Key Mgmt, DNSSEC Signer, DNS Master and two DNS Slaves]
SEP: Request DS swap
[Diagram: Child and Parent-TAR, each with Data Entry, Key Mgmt, DNSSEC Signer, DNS Master and two DNS Slaves]
SEP: Request DS appear in parent
[Diagram: Child and Parent-TAR, each with Data Entry, Key Mgmt, DNSSEC Signer, DNS Master and two DNS Slaves]
Or, via the DNS in-band protocol
SEP: Parent-TAR signs
[Diagram: Child and Parent-TAR, each with Data Entry, Key Mgmt, DNSSEC Signer, DNS Master and two DNS Slaves]
SEP: Confirm DS
[Diagram: Child and Parent-TAR, each with Data Entry, Key Mgmt, DNSSEC Signer, DNS Master and two DNS Slaves]
SEP: Activate - revoke old that is
[Diagram: Child and Parent-TAR, each with Data Entry, Key Mgmt, DNSSEC Signer, DNS Master and two DNS Slaves]
The basic steps
• The child publishes a new SEP
• The DS(new SEP) gets to the parent-TAR
• Parent-TAR publishes the (Signed) DS
• The child revokes the old SEP
• The above list does not address timing
• And it doesn't address including all parent & TARs
Shared Registry Model
• ICANN has specified a particular model
• Basic idea - separation between registrant and registry, registrar is middle-man; no consideration was given to DNS operations
  – Good for business
  – Causes a barrier for DNS in-band updates
• But this is not the only way to do this, arguably not even the majority of environments
Generalized Provisioning Model
[Diagram: Registry / RIR, Registrar / LIR, Registrant, Parent Operator, Child Operator, and TAR / TAR Ops]
Remember, Provisioning
• When looking at this, remember we have to think provisioning (set-up) and not the lookup
  – This means that the parent has to get the data into the registry, not just a dynamic update
  – This does not preclude the use of the DNS protocol to pick up information
• That is why the validating cache using the parent-TAR DS record is not shown
Known requirements
• Function
  – Send new DNSKEY/DS to parent when it should replace existing; parent informs of completion; confirmation
  – More general, we should use the traditional add/modify/delete paradigm to accommodate more situations
• Security - Pair-wise authentication, tamper-proof xfer
• Accountability - Existing ops models need to be maintained
• Performance - SLA for request and response
• Predictable - E.g., Time to completion
Environments
• Registrant to Registry, each as own operator
• DNS outsourced by Registrant
• DNS outsourced by Registry
• Registrar in the middle (or chain of them)
• Registrar as DNS operator
• Registrant has registrar and separate operator
• EPP interface, SOAP/XML-based approaches
Related Problem
• Some DNS operators are signing all of their customer's zones
• When one of their customers transfers DNS operations (with or without changing "registrar"), the old DS record remains in the registry
• If the customer cannot remove the old DS, the zone will begin to fail DNSSEC validation
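The "confirm change" step in the SEP swap and the stale-DS failure described above can both be checked mechanically. This added example (not from the original slides) derives DS records from DNSKEY RDATA per RFC 4034 and RFC 4509 and compares them with the parent's DS set; the zone name, key bytes and function names are constructed for illustration.

```python
import hashlib
import struct

SEP, REVOKE = 0x0001, 0x0080  # DNSKEY flag bits (RFC 4034, RFC 5011)

def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA in wire form: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS as (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return (key_tag(rdata), rdata[3], 2, hashlib.sha256(wire + rdata).hexdigest())

def audit(owner, parent_ds, child_dnskeys):
    """Split the parent's DS set into entries matching a live child SEP and stale ones."""
    live = set()
    for k in child_dnskeys:
        flags = struct.unpack("!H", k[:2])[0]
        if flags & SEP and not flags & REVOKE:
            live.add(make_ds(owner, k))
    matched = [ds for ds in parent_ds if ds in live]
    stale = [ds for ds in parent_ds if ds not in live]
    return matched, stale

def safe_to_revoke_old(owner, parent_ds, new_key):
    """The 'confirm change' step: revoke only once the new SEP's DS is at the parent."""
    return make_ds(owner, new_key) in parent_ds

# Constructed sample data: the public key bytes are placeholders, not real keys.
ZONE = "example.test."
OLD = dnskey_rdata(257, 8, b"\x01" * 32)
NEW = dnskey_rdata(257, 8, b"\x02" * 32)
OTHER_OPERATOR = dnskey_rdata(257, 8, b"\x03" * 32)

if __name__ == "__main__":
    parent = [make_ds(ZONE, OLD)]
    print("new SEP pre-published, DS not swapped:", safe_to_revoke_old(ZONE, parent, NEW))
    parent = [make_ds(ZONE, NEW)]
    print("after parent publishes new DS:", safe_to_revoke_old(ZONE, parent, NEW))
    print("after operator transfer (matched, stale):", audit(ZONE, parent, [OTHER_OPERATOR]))
```

An empty `matched` list with a non-empty parent DS set is the failing state from the slide: validators that follow the DS find no corresponding SEP in the child zone.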
The next few slides are for ideas
• A few environments are sketched out
• Not complete, not particularly important
• But there to capture the wider issues involved
Fudging into an EPP SRM
[Diagram: gTLD, Registrar, Registrant, Child DNS Operator, DNS Sub-system; links labelled EPP, Dynamic Update, HTTPS; note: Registrar "knows all"]
As an addition to EPP SRM
[Diagram: gTLD, Registrar, Registrant, Child DNS Operator, DNS Sub-system; links labelled EPP, Dyn-Update, HTTPS, new method]
No Registrar, outsourced DNS
[Diagram: gTLD, Registrant, Child DNS Operator, DNS Sub-system; links labelled Dyn-Update, new method]
Reverse Map
[Diagram: RIR, LIR/ISP, Customer, Child Reverse Map, in-addr/ipv6 DNS, LIR Reverse Map]
Unsigned Registry, multiple TAR(s)
[Diagram: Registry / RIR, Registrar / LIR, Registrant, Parent Operator, Child Operator, and two TAR / TAR Ops]
Solutions are Tempting
• A few proposed solutions have been out there
• Some claim out for years
• But there's been no good cut at requirements
• When do we need a solution?
  – Of course now, but, let's solve the right problem
Ultimately
• A standard can't be mandated for all environments, but we need to have a general purpose solution
• Or we will continue to have issues
• Only a standard will grow
I'm Done
• This is the last slide
  – I'm not even going to "ask" if there are questions.
  – Discussions are bound to follow... maybe not right now in the meeting, but later