KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting

Slides:



Advertisements
Similar presentations
Lampasas ISD Technology Updates Network Administrator
Advertisements

Tivoli Service Request Manager
Windows XP System Restore July 22 nd, 2006 CAEUG Meeting.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
IANA Activities Update RIPE 68 Warsaw, Poland May 2014.
Installing and Troubleshooting Hardware Device and Drivers Chapter 6 powered by dj.
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
IANA Department Activities, RIPE 66, Dublin, Ireland May 2013 Elise Gerich.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Root Zone KSK: The Road Ahead Edward Lewis | DNS-OARC & RIPE DNSWG | May 2015
Module 9: Designing Public Key Infrastructure in Windows Server 2008.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Root Zone KSK Maintenance Jaap Akkerhuis | ENOG -10 | October 2015.
Root Zone KSK: After 5 years Elise Gerich | APNIC 40 | September 2015.
Maryknoll Wireless Network Access Steps for Windows 7 As of Aug 20, 2012.
How to fix Error code 0x80072ee2 in Windows 8.1? Fix%20%20Update%20Error%200x80072EE2%20in%20Windows%20 8.1,%20Windows%2010!%20-%20Fix%20PC%20Errors.htm.
TELEPORT PRO Website to Hard Drive Completely download a website, enabling you to “Browse Offline” at much greater speeds than if you were to browse the.
Windows 10 Common VPN Error Tech Support Number
Fix The Streaming problems with Roku Mobile Application. For more details visit our website
Security Issues with Domain Name Systems
Rolling the Root Zone DNSSEC Key Signing Key
SaudiNIC Riyadh, Saudi Arabia May 2017
DNS Team IETF 99 Hackathon.
KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.
Cisco Data Virtualization
Community Session - Next-Generation gTLD Registration Directory Service (RDS) to replace WHOIS
Not Tested and Void Test Score Codes
Information Security.
Root Zone KSK Rollover: delay and next steps
Get the Most Out of GoAnywhere: Agents
QuickServe Online Training
Geoff Huston APNIC Labs September 2017
Module 8: Securing Network Traffic by Using IPSec and Certificates
Root Zone KSK Rollover Update
draft-huston-kskroll-sentinel
BTEC NCF Dip in Comp - Unit 15 Website Development Lesson 12 – Publish and Test Mr C Johnston.
R. Kevin Oberman ESnet February 5, 2009
Exchange OST Recovery Freeware Tool. Index Introduction What is OST File? Reasons for OST file corruption Possible ways to fix OST file corruption issue.
Online Guidance is Available to Repair HP Scanner
A high-tech accounting software, QuickBooks is a highly trusted software by small and medium sized business. It streamlines accounting processes of a.
ICANN62 GAC Capacity Building
DHCP, DNS, Client Connection, Assignment 1 1.3
TRA, UAE May 2017 DNSSEC Introduction TRA, UAE May 2017
.edu DNSSEC Testbed Lessons Learned
GAC Underserved Regions Working Group Meeting
Finance Presentations
Root KSK Roll Update DNS-OARC 27 Matt Larson, VP of Research
What DNSSEC Provides Cryptographic signatures in the DNS
Fault Tolerance Distributed Web-based Systems
Measuring KSK Roll Readiness
Contents subject to change.
How to Fix Brother Printer Offline Status with Free Brother Printer Support? VISIT WEBSITE.
Geoff Huston APNIC Labs
Coordinate Operations Standard
Module 8: Securing Network Traffic by Using IPSec and Certificates
Measuring KSK Roll Readiness
Engineering Processes
DNSSEC & KSK Rollover Patrick Jones Middle East DNS Forum & APTLD 75
Welcome to the .vu ccTLD news
Defining the scope of the ccNSO
The Curious Case of the Crippling DS record
Trust Anchor Signals from Custom Applications
SBS 2008 – One year on David Overton
OU BATTLECARD: Oracle Identity Management Training
Presentation transcript:

KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting 26 June 2017

KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS  Security Extensions (DNSSEC) Key Signing Key (KSK) rollover The Root Zone DNSSEC Key Signing Key “KSK” is the top most cryptographic key in the DNSSEC hierarchy The KSK is a cryptographic public-private key pair: Public part: trusted starting point for DNSSEC validation Private part: signs the Zone Signing Key (ZSK) Builds a “chain of trust” of successive keys and signatures to validate the authenticity of any DNSSEC signed data DATA This is a stylized agenda slide for your presentation. To delete a box, if there are too many boxes, click the edge of the box, ensure the entire box is highlighted, then DELETE. To update the numbers and text, click inside the circle for the numbers or in the box for the text, revise the text.

Why is ICANN Rolling the KSK? As with passwords, the cryptographic keys used in DNSSEC- signing DNS data should be changed periodically Ensures infrastructure can support key change in case of emergency This type of change has never before occurred at the root level There has been one functional, operational Root Zone DNSSEC KSK since 2010 The KSK rollover must be widely and carefully coordinated to ensure that it does not interfere with normal operations

When Does the Rollover Take Place? The KSK rollover is a process, not a single event The following dates are key milestones in the process when end users may experience interruption in Internet services: ICANN is executing an extensive outreach campaign to ensure that those who currently use the KSK know about the pending change

Who Will Be Impacted? DNS Software Developers & Distributors System Integrators Network Operators Internet Service Providers End Users (if no action taken by resolver operators) ICANN is executing an extensive outreach campaign to ensure that those who currently use the KSK know about the pending change Root Server Operators

Why You Need to Prepare If you have enabled DNSSEC validation, you must update your systems with the new KSK to help ensure trouble-free Internet access for users Currently, 25 percent of global Internet users, or 750 million people, use DNSSEC-validating resolvers that could be affected by the KSK rollover If these validating resolvers do not have the new key when the KSK is rolled, end users relying on those resolvers will encounter errors and be unable to access the Internet ICANN is executing an extensive outreach campaign to ensure that those who currently use the KSK know about the pending change

What Do Resolver Operators Need to Do? Be aware whether DNSSEC is enabled in your servers Be aware of how trust is evaluated in your operations Test/verify your set ups Make sure trust anchor can be changed Inspect configuration files, are they (also) up to date? If DNSSEC validation is enabled or planned in your system Have a plan for participating in the KSK rollover Know the dates, know the symptoms, solutions This is a stylized agenda slide for your presentation. To delete a box, if there are too many boxes, click the edge of the box, ensure the entire box is highlighted, then DELETE. To update the numbers and text, click inside the circle for the numbers or in the box for the text, revise the text.

How To Update Your System If your software supports automated updates of DNSSEC trust anchors (RFC 5011): If your software does not support automated updates of DNSSEC trust anchors (RFC 5011) or is not configured to use it: The KSK will be updated automatically at the appropriate time You do not need to take additional action Devices that are offline during the rollover will have to be updated manually if they are brought online after the rollover is finished The software’s trust anchor file must be manually updated The new root zone KSK is now available here after March 2017: ICANN is executing an extensive outreach campaign to ensure that those who currently use the KSK know about the pending change Root Anchors data.iana.org/ root-anchors/

Check to See If Your Systems Are Ready ICANN is offering a test bed for operators or any interested parties to confirm that their systems handle the automated update process correctly. Check to make sure your systems are ready by visiting: go.icann.org/KSKtest Automated Trust Anchor Update Testbed The root zone Key Signing Key (KSK) is changing, or rolling, on 11 October 2017. Operators of recursive resolvers with DNSSEC validation enabled will need to ensure that their systems are updated with the new root zone KSK configured as a trust anchor before that date. If a recursive resolver supports RFC 5011, “Automated Updates of DNS Security (DNSSEC) Trust Anchors”, and this feature is properly configured, the new KSK should automatically be installed as a trust anchor and DNSSEC validation should continue without problems. If a validating resolver’s implementation or configuration of the RFC 5011 automated trust anchor update protocol is incorrect for any reason, then its configuration might not be properly updated during the root zone KSK roll and resolution would fail after 11 October 2017. This testbed allows operators of validating resolvers to test their implementation and confirm its ability to properly follow a KSK roll and update its trust anchor configuration. This test protocol assumes that you understand the upcoming KSK change, and at least some about RFC 5011. Purpose of This Testbed Allow resolver operator to test RFC 5011 support Operates in real time. Should not affect the resolver’s normal operation. The testbed starts a KSK roll in a new zone each week. For example, the current zone name is 2017-06- 25.automated-ksk-test.research.icann.org.

Three Steps to Recovery If your DNSSEC validation fails after the key role: Stop the tickets It's OK to turn off DNSSEC validation while you fix (but remember to turn it back on!) Debug If the problem is the trust anchor, find out why it isn't correct Did RFC 5011 fail? Did configuration tools fail to update the key? If the problem is fragmentation related, make sure TCP is enabled and/or make other transport adjustments Test the recovery Make sure your fixes take hold This is a stylized agenda slide for your presentation. To delete a box, if there are too many boxes, click the edge of the box, ensure the entire box is highlighted, then DELETE. To update the numbers and text, click inside the circle for the numbers or in the box for the text, revise the text.

Our “Ask” of you Use ICANN’s testing platform to confirm that your validating infrastructure supports the ability to handle the rollover without manual intervention. Platform at go.icann.org/KSKtest Help us increase awareness of the key change throughout your communities. Awareness will assure the roll goes smoothly

https://icann.org/kskroll For More Information Join the conversation online Use the hashtag #KeyRoll Sign up to the mailing list https://mm.icann.org/listinfo/ksk-rollover Ask a question to globalsupport@icann.org Subject line: “KSK Rollover” Attend an event Visit https://features.icann.org/calendar to find upcoming KSK rollover presentations in your region Learn more https://icann.org/kskroll

Engage with ICANN – Thank You and Questions

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.