Increasing the Zone Signing Key Size for the Root Zone

Slides:



Advertisements
Similar presentations
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
Advertisements

Domain Name System: DNS
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.
Geoff Huston APNIC Labs
Chapter 17 Domain Name System
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Troubleshooting.
Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
Andreas Steffen, , 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Rolling the Keys of the DNS Root Zone Geoff Huston APNIC Labs.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
A study of caching behavior with respect to root server TTLs Matthew Thomas, Duane Wessels October 3 rd, 2015.
Rolling the Root Geoff Huston APNIC Labs. Use of DNSSEC in Today’s Internet.
What if Everyone Did It? Geoff Huston APNIC Labs.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
EDNS0 - the need for speed Lawrence Conroy Roke Manor Research This draft has been produced by Lawrence Conroy
Rolling the Root Geoff Huston APNIC Labs March 2016.
LAN Bridge Spanning Tree Animation Simon Arlott. Broadcast Networks ● In a broadcast LAN, all packets are sent to all hosts – even if they are not the.
BGPSEC Protocol (From -01 to -02 and on to -03) Matt Lepinski.
Rolling the Root Zone DNSSEC Key Signing Key
KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting
NETSTORM.
A longitudinal, End-to-End View of the DNSSEC Ecosystem
KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.
Department Contact Training
Geoff Huston APNIC Labs
Root Zone KSK Rollover: delay and next steps
DNSSEC Operations in .gov
Geoff Huston APNIC Labs September 2017
Advanced Technical Writing
Root Zone KSK Rollover Update
DNSSEC made simple. DNSSEC made simple ~]$ whoami Emil Natan, CTO, ISOC-IL.
DNS Cache Poisoning Attack
RFC 7706: Decreasing Access Time to Root Servers by Running One on Loopback A good idea or not? Petr Špaček • •
Integrated ILL GUI desktop
DNSSEC Iván González Montemayor A
A Longitudinal, End-to-End View of the DNSSEC Ecosystem
Dissemination Workshop for African countries on the Implementation of International Recommendations for Distributive Trade Statistics May 2008,
DNS security.
R. Kevin Oberman ESnet February 5, 2009
Chapter 19 Domain Name System (DNS)
draft-zhang-dnsext-test-result-00
Yeti DNS: Status after a Year
Chapter 23 Introduction To Transport Layer
Managing Name Resolution
Teaching Computing to GCSE
Root KSK Roll Update DNS-OARC 27 Matt Larson, VP of Research
FAFSA-Apply Today! Presented by McDaniel College.
Measuring KSK Roll Readiness
Digital Certificates and X.509
Geoff Huston APNIC Labs
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Measuring KSK Roll Readiness
Modern Systems Analysis and Design Third Edition
DNSSEC & KSK Rollover Patrick Jones Middle East DNS Forum & APTLD 75
Domain Name System: DNS
DNSSEC Status Update in UA
Banafsheh Hajinasab Based on presentation by K. Strnisa, Cosylab
The Curious Case of the Crippling DS record
Trust Anchor Signals from Custom Applications
.uk DNSSEC Status update
Chapter 9 Graph algorithms
ECDSA P-256 support in DNSSEC-validating Resolvers
Modern Systems Analysis and Design Third Edition
Neda Kianpour - Lead Network Engineer - Salesforce
Presentation transcript:

Increasing the Zone Signing Key Size for the Root Zone Duane Wessels DNS-OARC 24, Buenos Aires April 1, 2016

Presentation Outline Current root zone DNSSEC parameters Schedule Change details Consequences of a 2048-bit ZSK Fallback plan

Initialisms KSK Key Signing Key Operated by IANA/ICANN ZSK Zone Signing Key Operated by Verisign KSR Key Signing Request XML-formatted bundle of keys to be signed SKR Signed Key Response XML-formatted bundle of signatures

This is not the KSK Rollover You may have recently heard about work underway to roll the root zone Key Signing Key (aka Trust Anchor). That’s not what this is. Verisign is working closely with the other Root Zone Management partners to ensure that the ZSK length change does not coincide with other activity that would increase the root zone DNSKEY response size.

Current DNSSEC parameters KSK ZSK Algorithm 8 Size 2048-bits 1024-bits Rolled (not yet*) quarterly Re-sign period 10 days 12 hours Signature validity 15 days Signs DNSKEYs everything else ZSK size will be increased to 2048-bits No other parameters will be changed *Sticklers will bring up the DURZ transition in 2010

Schedule Date Milestone 2016-04-15 Testing between ICANN and Verisign 2016-05-12 KSK ceremony #25; sign 2016Q3 ZSKs 2016-08-11 KSK ceremony #26; sign 2016Q4 ZSKs 2016-09-21 First 2048-bit ZSK pre-published in root zone 2016-10-01 Root zone signed with 2048-bit ZSK

Schedule This is a graphic representation of the schedule, showing KSK ceremonies and the publication of keys signed at each ceremony.

Schedule Highlighted area shows the first time a 2048-bit key is published in the root zone. This key is signed at Root KSK Ceremony in Q2 (May).

Rollover Details

The ZSK Rollover Process ZSK is Rolled quarterly Quarter is divided into 9 slots of 10 days each Sometimes the 9th slot is longer The DNSKEY RRSIG record changes in each slot Uses pre-publish technique Incoming ZSKs pre-published for one slot (9th slot) Outgoing ZSKs post-published for one slot (1st slot) Size of DNSKEY response message increased due to pre-/post-publish

DNSKEY response size increase DNSKEY response size increase As background, first we describe the normal quarterly rollover process. Point out on the diagram: quarters, slots, colored boxes represent DNSKEY RRSIGs, pre- and post-publish Note size of DNSKEY response message increases on quarter boundaries due to pre-/post-publish, but only one key signs at a time so other responses do not increase in size.

post-published through slot 3. Old 1024-bit ZSK will be post-published through slot 3. Key points: very much like normal 1024 rollover, except we introduce 2048-bit key (light green box) the outgoing 1024-bit key will be post-published for longer than normal (3 slots instead of 1) DNSKEY response size will be larger with 2048-bit keys. We’ll talk about that later.

1024-2048 Rollover Much like normal 1024 rollover Except longer post-publish period for outgoing 1024-bit key ...just in case Say more about the longer post-publish and “just in case” when talking about fallback later in the presentation.

Consequences of a 2048-bit ZSK

Size of Signed DNSKEY Response DNSKEY response size changes throughout this process Normal (non-roll) size increases from 736 to 864 octets ZSK rollover size increases from 883 to 1138 octets Future KSK revoke size would be 1425 octets The bars in this chart are ordered by time that these events would occur, starting at the top with a normal 1024 ZSK and ending at the bottom with a 2048-2048 rollover.

Size of Other Signed Responses All non-DNSKEY RRSets are signed by the ZSK DO=1 responses will be larger 1024-bit ZSK signature (RRSIG) : 159 octets 2048-bit ZSK signature (RRSIG) : 287 octets But its not that simple.... We replayed real query logs to various DNSSEC configurations to understand traffic impacts

Measurement Methodology Captured 10 minutes of queries sent to a.root-servers.net Signed a root zone with various DNSSEC configurations Replayed traffic over both UDP and TCP Including client EDNS0 UDP message sizes and DO flag values Recorded the response size, TC flag, etc.

Quick Stats Zone File Input Trace: SOA Serial 2016022401 February 24, 2016 22:00:00 -- 22:10:00 UTC (10 minutes duration) 40,993,338 IP packets captured 37,494,153 DNS UDP queries captured 62,490 queries/second A-root sites: NYC3, LON3, LAX2, FRA1, HKG5

Fragmentation Essentially zero fragmentation. Only responses to “ANY” queries exceed the fragmentation limit. Very few of those in the input trace.

Truncation -- DNSKEY This shows how many DNSKEY responses would be returned with TC=1 in a UDP response. The difference between “1024 normal” and “1024-1024 roll” is about 150 bytes, but it is enough to result in much more truncation.

Truncation -- All Taking all responses together (not just DNSKEY responses) the level of truncation really only depends on the size of the ZSK. In the “1024-2048 pre pub” mode (red) we are still signing with the 1024-bit key. whereas in the “1024-2048 post pub” mode (brown) we are now signing with the 2048-bit key.

Response Size Distribution The size of the key used for signing determines the difference in response sizes. Lines with the same signing key size are stacked on top of each other. Similar to previous slide, the size distribution only depends on the size of the ZSK.

Bandwidth This is the bandwidth measured by the simulation for a single root server letter (A). This is mostly of interest to root server operators. Their response bandwidth will increase noticeably due to the 2048-bit ZSK

Fallback Plan

Need for Fallback We fully expect the length change to occur without incident However, unforeseen problems may be beyond our control Should it be necessary, we are prepared to revert to a “known good state” i.e. a 1024-bit ZSK In fact the exact same 1024-bit key just prior to the length change

Dual KSRs / SKRs In support of this fallback plan, ICANN will sign two KSRs at two root KSK ceremonies: The 2048-bit ZSK plus associated post-publish and pre-publish keys The fallback 1024-bit ZSK

This is much like a slide shown earlier, except now we also so the fallback KSR at the bottom

Point out that we plan to reuse the Q3 key as the Q4 fallback key.

The green boxes show the sets of keys that will be submitted for signing at the May ceremony

And blue shows the key sets that will make up the two KSRs at the August ceremony

Fallback Criteria Something unforeseen Something very serious Something that can not be solved by (temporarily) disabling DNSSEC validation

Important Milestones Introduction of 2048-bit ZSK to zone (pre-publish) Slot 9 of Q3 Zone signed by 2048-bit ZSK Slot 1 of Q4 Cached RRSIGs will expire over the course of a few days Removal of old 1024-bit ZSK (end of post-publish) Point of No Return

A “Slot 9” Fallback If a problem arises during the slot 9 2048-bit pre-publish phase: Simply un-publish the 2048-bit ZSK from the root zone Publish only the current 1024-bit ZSK Continue signing with the current 1024-bit ZSK There will be no ZSK roll for the next calendar quarter

A “Slot 1” Fallback If a problem arises during slot 1 after signing with the 2048- bit ZSK: Revert to signing with the old 1024-bit ZSK It is still being published When to remove 2048-bit ZSK from zone depends on nature and severity of problem

Questions?