KSK Roll Prepping: RFC 5011 Presented at RIPE 71 DNS WG | November 19, 2015
Intro
• ICANN is preparing to roll the Root Zone KSK
– ICANN performs the management of the root zone KSK as part of fulfilling the IANA Functions Contract, managed by the US Department of Commerce's National Telecommunications and Information Administration (NTIA); with cooperation from Verisign, the Root Zone Maintainer
• The Root Zone KSK is the DNSSEC trust anchor
Background
• From RIPE 70: Root Zone KSK Rollover
– https://ripe70.ripe.net/archives/video/86/
• A team of seven volunteer experts, along with ICANN, NTIA, and Verisign, are investigating the issues
• Central to the discussions is the buzzword "RFC 5011"
The Volunteers
• The external volunteers are:
– Joe Abley
– Jaap Akkerhuis
– John Dickinson
– Geoff Huston
– Ondrej Sury
– Paul Wouters
– Yoshiro Yoneya
State of the Plans
• The plan for the roll is not finalized
– Proposed sets of actions are being analyzed
– Consensus hasn't been reached quite yet
• But, what is becoming clear is
– What is said in RFC 5011 will play a big role
Agenda
• What is "RFC 5011?"
• Managing RFC 5011
• Following the "spirit of the protocol"?
• What ICANN will likely do
RFC 5011
• Automated Updates of DNS Security (DNSSEC) Trust Anchors
– Published September 2007
– Published as STD 74 January 2013
• Full citation
– St. Johns, M., "Automated Updates of DNS Security (DNSSEC) Trust Anchors", STD 74, RFC 5011, DOI 10.17487/RFC5011, September 2007, <http://www.rfc-editor.org/info/rfc5011>.
From 5011's Abstract
This document describes a means for automated, authenticated, and authorized updating of DNSSEC "trust anchors". ... Based on the trust established by the presence of a current anchor, other anchors may be added at the same place in the hierarchy, and, ultimately, supplant the existing anchor(s). ...
Summary of RFC 5011
• To add a trust anchor
– Add a new DNSKEY record, sign with all KSK
– After 30 days of seeing it, assume it's trusted
– If the DNSKEY disappears, forget it was ever seen
• Once the KSK is trusted it stays trusted until revoked
– If it goes missing, it is trusted but unusable until it re-appears
Philosophy Behind 5011
• An established trust anchor is used to introduce the next one
• If a candidate appears and there are no "complaints" (removals, denials) for the add hold-down, the trust anchor is good
– Add hold-down is 30 days
RFC 5011 States
• RFC 5011 describes states of the keys
– From introduction to removal of the trust anchor
– The states are the "normative" definition of the process
• Examples
– Thought to be common use cases
Tool support for RFC 5011
• Various DNS caching resolvers have implemented and tested RFC 5011
– Consumer side
– BIND, Unbound, Microsoft, Nominum, etc.
• Some trust anchor operators already follow RFC 5011
– Producer side
– No reports of disaster!
So, Why Talk About 5011?
• One area of concern is the manageability of RFC 5011
• The other area of concern is how (or whether) a (consumer) operator chooses to follow RFC 5011
– Operator of a recursive server
Manageability of RFC 5011
• Designed to have "hands off" configuration of the resolver
– A break in the current model of operating a resolver
– Some insight is needed to monitor the operations
• It is impossible to tell, remotely, whether a resolver will or has followed an RFC 5011 state change
• RFC 5011 is not designed to be remotely measured
IETF
• Within the IETF there are drafts addressing the lack of remote verification
– Probably won't be in place for the first KSK roll
– https://datatracker.ietf.org/doc/draft-wessels-edns-key-tag/
– https://tools.ietf.org/html/draft-wkumari-dnsop-trust-management-01
• Review them, please!
Without Manageability
• It's not possible to remotely know the state of a (consuming) validator's chosen trust anchors
• The trust anchor owners (producers) are limited to publicizing the trust anchor changes
• The trust anchor owners can estimate acceptance of the new key, post-event
(Consumer) Operator's Choice
• RFC 5011 "in protocol"
– Depends on DNS tools to implement RFC 5011
– Relies on the intended automation
• RFC 5011 "in spirit"
– Depends on an operator following the state machine of 5011 external to the DNS tools
– Relies on an operator actively "playing along at home"
Why "5011 in Spirit"
• Centralized Configuration Management
– Managing a fleet of servers, buzz: virtualization
– Want to push out a centrally managed, common configuration to servers
• Edge servers not permitted to self-configure
– 5011 in protocol is not an option
Will This Work?
• Certainly
• The (consumer) operator needs to follow the RFC 5011 states as documented
Crucial Elements
• Timing of checks
– 5011 specifies the frequency at which a client polls a server for trust anchor states
• Adherence to hold-down timers
– Pay attention to the add and revoke timers
• Adherence to states
– When a trust anchor is missing, it's not revoked
How Might ICANN Walk 5011?
• The plan is not final yet, perhaps this:
[Diagram: the RFC 5011 states Start, AddPend, Valid, Missing, Revoked, Removed]
What's Special?
• Although not the so-called normal path, trust anchors may go "Missing" for a short time
– To accommodate a scheduled ZSK roll action that would otherwise cause a large-ish response to a DNSKEY request for the root zone keys
– An effort to limit fragmentation concerns
What else can help operators?
• https://www.iana.org/dnssec/files
• (IETF document in the works to describe)
– https://tools.ietf.org/html/draft-jabley-dnssec-trust-anchor-12
• This has a "snapshot" of trust anchors (including those when missing) for use as a second source
Recommendation for Operators
• Build trust on many different sources
• RFC 5011 in protocol or in spirit is one way
• Find as many means to get the root key that do not share the same fate!
– What you trust is up to you
What Will Happen?
• Plans are not final yet
• Adhere to RFC 5011's protocol
• Continue to publish new keys outside the DNS following the spirit of RFC 5011
• Publicize the event well in advance, minding preparation time
• Work in concert with impacted parties to avoid trouble tickets
What will help?
• Knowing who needs to be informed
– Building a contact list of those who "pull the levers"
• Knowing how operators establish trust
– What third parties are trusted, how many are needed?
• Knowing how to gauge readiness to roll
For more information
• Join the mailing list
– https://mm.icann.org/mailman/listinfo/root-dnssec-announce
• Follow on Twitter
– Hashtag: #KeyRollover
– Follow @ICANNtech for the most up to date news
Supplemental Slides
When Will All This Happen?
• Don't know yet.
• "It's complicated."
• But we are preparing for the change.
RFC 5011 State Machine
[Diagram of the RFC 5011 state machine: Start, AddPend, Valid, Missing, Revoked, Removed]
RFC 5011 State Machine (Intro)
[Diagram: states Start and AddPend; transitions labelled ADD and DISAPPEAR]
• When a candidate appears a timer starts
• If the candidate disappears before the timer expires
– Start over
• This timer is the add hold-down timer
RFC 5011 State Machine (Trust)
[Diagram: states AddPend and Valid; transition labelled TIMER EXPIRES]
• If the timer expires, the candidate becomes a trust anchor
RFC 5011 State Machine (Missing)
[Diagram: states Valid and Missing; transitions labelled DISAPPEARS and RE-APPEARS]
• If a trust anchor goes missing from the DNSKEY set, it is simply just missing
– Not revoked, not invalidated, just sleeping or dormant
RFC 5011 State Machine (Revoke)
[Diagram: states Valid, Missing and Revoked; transition labelled REVOKE BIT]
• If a trust anchor appears (or reappears) with its revoke bit set (and is signed, etc.) the key moves to a revoked state
– A timer is started, the remove hold-down
RFC 5011 State Machine (Remove)
[Diagram: states Revoked and Removed; transition labelled TIMER EXPIRES]
• When the final timer expires
– The trust anchor is forgotten
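As an added example (not code from the deck, from ICANN or from any resolver), here is a small tracker that walks a trust anchor through the states of the supplemental slides and of the "Summary of RFC 5011" slide: a 30-day add hold-down, a 30-day remove hold-down, Missing treated as dormant rather than revoked, and revocation detected from bit 8 of the DNSKEY flags field. The key names, flag values and day numbers are constructed, and the tracker assumes the DNSKEY RRset it is fed has already been validated against a current anchor, as the RFC requires.

```python
from dataclasses import dataclass, field
from typing import Optional

REVOKE_FLAG = 0x0080    # bit 8 of the DNSKEY flags field: the RFC 5011 REVOKE bit
ADD_HOLD_DOWN = 30      # add hold-down timer in days, as on the slides
REMOVE_HOLD_DOWN = 30   # remove hold-down timer in days

@dataclass
class Anchor:
    state: str = "Start"
    timer_started: Optional[int] = None  # day on which the running hold-down timer began

@dataclass
class Tracker:
    anchors: dict = field(default_factory=dict)  # key name -> Anchor
    def observe(self, today, dnskeys):
        """One poll on day `today`: dnskeys maps key name -> flags of the validated DNSKEY RRset."""
        for kid, flags in dnskeys.items():
            a = self.anchors.setdefault(kid, Anchor())
            revoked = bool(flags & REVOKE_FLAG)
            if a.state == "Start" and not revoked:
                a.state, a.timer_started = "AddPend", today  # candidate seen: add hold-down starts
            elif a.state == "AddPend":
                if revoked:
                    a.state = "Removed"  # revoked before it was ever trusted
                elif today - a.timer_started >= ADD_HOLD_DOWN:
                    a.state = "Valid"  # no complaints for 30 days: it is a trust anchor
            elif a.state in ("Valid", "Missing"):
                if revoked:
                    a.state, a.timer_started = "Revoked", today  # remove hold-down starts
                else:
                    a.state = "Valid"  # present, or re-appeared after being Missing
        for kid, a in self.anchors.items():
            if kid not in dnskeys and a.state == "AddPend":
                a.state, a.timer_started = "Start", None  # disappeared: start over
            elif kid not in dnskeys and a.state == "Valid":
                a.state = "Missing"  # dormant: still trusted, not revoked, unusable
            elif a.state == "Revoked" and today - a.timer_started >= REMOVE_HOLD_DOWN:
                a.state = "Removed"  # final timer expired: the anchor is forgotten
        return {k: a.state for k, a in self.anchors.items()}

def walk_example():
    """Constructed walk matching the slides: introduce, trust, go missing, revoke, remove."""
    t = Tracker({"KSK-old": Anchor(state="Valid")})  # the already-configured anchor
    polls = [(0, {"KSK-old": 257, "KSK-new": 257}),    # new KSK published -> AddPend
             (31, {"KSK-old": 257, "KSK-new": 257}),   # add hold-down elapsed -> Valid
             (40, {"KSK-new": 257}),                   # old KSK withheld -> Missing
             (45, {"KSK-old": 257, "KSK-new": 257}),   # it re-appears -> Valid
             (50, {"KSK-old": 385, "KSK-new": 257}),   # 257 | 0x80: revoke bit -> Revoked
             (81, {"KSK-new": 257})]                   # remove hold-down elapsed -> Removed
    return [t.observe(day, keys) for day, keys in polls]
```

The walk also shows the edge case the "Crucial Elements" slide warns about: on day 40 the old key is Missing, not Revoked, and it returns to Valid on day 45 without a new hold-down.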