KSK Roll Prepping: RFC 5011 Presented at RIPE 71 DNS WG | November 19, 2015

Intro•  ICANNispreparingtorolltheRootZoneKSK–  ICANNperformsthemanagementoftherootzoneKSKaspartoffulfillingtheIANAFunc=onsContract,managedbytheUSDepartmentofCommerce'sNa=onalTelecommunica=onsandInforma=onAdministra=on(NTIA);withcoopera=onfromVerisign,theRootZoneMaintainer

•  TheRootZoneKSKistheDNSSECtrustanchor

2

Background•  FromRIPE70:RootZoneKSKRollover– hTps://ripe70.ripe.net/archives/video/86/

•  Ateamofsevenvolunteerexperts,alongwithICANN,NTIA,andVerisign,areinves=ga=ngtheissues

•  Centraltothediscussionsisthebuzzword"RFC5011"

3

TheVolunteers•  Theexternalvolunteersare:–  JoeAbley–  JaapAkkerhuis–  JohnDickinson– GeoffHuston– OndrejSury– PaulWouter– YoshiroYoneya

4

StateofthePlans•  Theplanfortherollisnotfinalized– Proposedsetsofac=onsarebeinganalyzed– Consensushasn'tbeenreachedquiteyet

•  But,whatisbecomingclearis– WhatissaidinRFC5011willplayabigrole

5

Agenda•  Whatis"RFC5011?"•  ManagingRFC5011

•  Followingthe"spiritoftheprotocol"?

•  WhatICANNwilllikelydo

6

RFC5011•  AutomatedUpdatesofDNSSecurity(DNSSEC)TrustAnchors–  PublishedSeptember2007–  PublishedasSTD74January2013

•  Fullcita=on–  StJohns,M.,"AutomatedUpdatesofDNSSecurity(DNSSEC)TrustAnchors",STD74,RFC5011,DOI10.17487/RFC5011,September2007,<hTp://www.rfc-editor.org/info/rfc5011>.

7

From5011'sAbstractThisdocumentdescribesameansforautomated,authen=cated,andauthorizedupda=ngofDNSSEC"trustanchors"....Basedonthetrustestablishedbythepresenceofacurrentanchor,otheranchorsmaybeaddedatthesameplaceinthehierarchy,and,ul=mately,supplanttheexis=nganchor(s)....

8

SummaryofRFC5011•  Toaddatrustanchor– AddanewDNSKEYrecord,signwithallKSK– Amer30daysofseeingit,assumeit'strusted–  IftheDNSKEYdisappears,forgetitwaseverseen

•  OncetheKSKistrusteditstaystrustedun=lrevoked–  Ifitgoesmissing,itistrustedbutunusableun=litre-appears

9

PhilosophyBehind5011•  Anestablishedtrustanchorisusedtointroducethenextone

•  Ifacandidateappearsandthereareno"complaints"(removals,denials)fortheaddhold-down,thetrustanchorisgood– Addhold-downis30days

10

RFC5011States

11

•  RFC5011describesstatesofthekeys– Fromintroduc=ontoremovalofthetrustanchor– Thestatesarethe"norma=ve"defini=onoftheprocess

•  Examples– Thoughttobecommonusecases

ToolsupportforRFC5011•  VariousDNScachingresolvershaveimplementedandtestedRFC5011– Consumerside– BIND,Unbound,Microsom,Nominum,etc.

•  SometrustanchoroperatorsalreadyfollowRFC5011– Producerside– Noreportsofdisaster!

12

So,WhyTalkAbout5011?•  OneareaofconcernisthemanageabilityofRFC5011

•  Theotherareaofconcernishow(orwhether)an(consumer)operatorchoosestofollowRFC5011– Operatorofarecursiveserver

13

ManageabilityofRFC5011•  Designedtohave“handsoff”configura=onoftheresolver– Abreakincurrentmodelofopera=ngaresolver–  Someinsightisneededtomonitortheopera=ons

•  Itisimpossibletotell,remotely,whetheraresolverwillorhasfollowedanRFC5011statechange

•  RFC5011isnotdesignedtoberemotelymeasured

14

IETF•  WithintheIETFtherearedramsaddressingthelackofremoteverifica=on– Probablywon'tbeinplaceforfirstKSKroll– hTps://datatracker.ier.org/doc/dram-wessels-edns-key-tag/

– hTps://tools.ier.org/html/dram-wkumari-dnsop-trust-management-01

•  Reviewthem,please!

15

WithoutManageability•  It'snotpossibletoremotelyknowthestateofa(consuming)validator'schosentrustanchors

•  Thetrustanchorowners(producers)arelimitedtopublicizethetrustanchorchanges

•  Thetrustanchorownerscanes=mateacceptanceofthenewkey,post-event

16

(Consumer)Operator'sChoice•  RFC5011"inprotocol"– DependsonDNStoolstoimplementRFC5011– Reliesontheintendedautoma=on

•  RFC5011"inspirit"– Dependsonanoperatorfollowingthestatemachineof5011externaltotheDNStools

– Reliesonanoperatorac=vely"playingalongathome"

17

Why"5011inSpirit"•  CentralizedConfigura=onManagement– Managingafleetofservers,buzz:virtualiza=on– Wanttopushoutacentrallymanaged,commonconfigura=ontoservers

•  EdgeserversnotpermiTedtoself-configure– 5011inprotocolisnotanop=on

18

WillThisWork?•  Certainly

•  The(consumer)operatorneedstofollowtheRFC5011statesasdocumented

19

CrucialElements•  Timingofchecks– 5011specifiesthefrequencyaclientpollsaserverfortrustanchorstates

•  Adherencetohold-down=mers– PayaTen=ontotheaddandrevoke=mers

•  Adherencetostates– Whenatrustanchorismissing,it'snotrevoked

20

HowMightICANNWalk5011?•  Theplanisnotfinalyet,perhapsthis:

Start AddPend

Valid Missing

Revoked Removed21

What'sSpecial?•  Althoughnottheso-callednormalpath,trustanchorsmaygo"Missing"forashort=me– ToaccommodateascheduledZSKrollac=onthatwouldotherwisecausealarge-ishresponsetoaDNSKEYrequestfortherootzonekeys

– Anefforttolimitfragmenta=onconcerns

22

Whatelsecanhelpoperators?•  hTps://www.iana.org/dnssec/files•  (IETFdocumentintheworkstodescribe)– hTps://tools.ier.org/html/dram-jabley-dnssec-trust-anchor-12

•  Thishasa"snapshot"oftrustanchors(includingthosewhenmissing)foruseasasecondsource

23

Recommenda=onforOperators•  Buildtrustonmanydifferentsources

•  RFC5011inprotocolorinspiritisoneway

•  Findasmanymeanstogettherootkeythatdonotsharethesamefate!– Whatyoutrustisuptoyou

24

WhatWillHappen?•  Plansarenotfinalyet•  AdheretoRFC5011'sprotocol•  Con=nuetopublishnewkeysoutsidetheDNSfollowingthespiritofRFC5011

•  Publicizetheeventwellinadvance,mindingprepara=on=me

•  Workinconcertwithimpactedpar=estoavoidtrouble=ckets

25

Whatwillhelp?•  Knowingwhoneedstobeinformed– Buildingacontactlistofthosewho"pullthelevers"

•  Knowinghowoperatorsestablishtrust– Whatthirdpar=esaretrusted,howmanyareneeded?

•  Knowinghowtogaugereadinesstoroll

26

Formoreinforma=on•  Jointhemailinglist– hTps://mm.icann.org/mailman/lis=nfo/root-dnssec-announce

•  FollowonTwiTer– Hashtag:#KeyRollover– Follow@ICANNtechforthemostuptodatenews

27

28

SupplementalSlides

29

WhenWillAllThisHappen?•  Don'tknowyet.

•  "It'scomplicated."

•  Butwearepreparingforthechange.

30

RFC5011StateMachine

Start AddPend

Valid Missing

Revoked Removed31

RFC5011StateMachine(Intro)

Start AddPend

•  Whenacandidateappearsa=merstarts•  Ifcandidatedisappearsbefore=merexpires– Startover

•  This=meristheaddhold-down=mer

32

ADD

DISAPPEAR

RFC5011StateMachine(Trust)

AddPend

Valid

•  Ifthe=merexpires,thecandidatebecomesatrustanchor

33

TIMEREXPIRES

RFC5011StateMachine(Missing)

Valid Missing

•  IfatrustanchorgoesmissingfromtheDNSKEYset,itissimplyjustmissing– Notrevoked,notinvalidated,justsleepingordormant

34

DISAPPEARS

RE-APPEARS

RFC5011StateMachine(Revoke)

Valid Missing

Revoked

•  Ifatrustanchorappears(orreappears)withitsrevokebitset(andissigned,etc.)thekeymovestoarevokedstate– A=merisstarted,removehold-down

35

REVOKEBIT

RFC5011StateMachine(Remove)

Revoked Removed

•  Whenthefinal=merexpires– ThetrustanchorisforgoTen

36

TIMEREXPIRES