Root Zone KSK Maintenance Jaap Akkerhuis | ENOG -10 | October 2015.

Slides:



Advertisements
Similar presentations
IANA Update LACNIC XV, Canún May Agenda 2 DNSSEC RZM automation NOI Business Excellence.
Advertisements

Whos who in the IETF Zoo? Geoff Huston Executive Director, Internet Architecture Board.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
ICANN’s Preparedness for Signing the Root September 24, 2008 DNS OARC Meeting, Ottawa, CA
IANA Status Update ARIN XXVI meeting, Atlanta Barbara Roseman October 2010.
IANA Update APNIC 31, Hong Kong February Agenda 2 Addressing DNSSEC Root management Continuity Exercise Business Excellence.
EEMA’s pki Challenge Paul Green – VeriSign and pkiC testing participant.
Survey of DNSSEC Lutz Donnerhacke DNSSEC Meeting ( )
GIS Needs Assessment Project Final Presentation Presented to: The Lower Adirondack GIS Users Group Presented by: Sara Frankenfeld fountains spatial, inc.
Transition of U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) Stewardship of the IANA Functions to the Global.
Technical Area Report Bryon Ellacott, Technical Area Manager APNIC 28.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
1 Updated as of 1 July 2014 About ICANN KISA-ICANN Language Localisation Project Module 1.1.
1 Revised: April 29, What is a Web Domain?  A HOSTNAME that identifies one or more IP addresses (web servers)  IP address (Internet Protocol)
IANA Activities Update RIPE 68 Warsaw, Poland May 2014.
Transition of U.S. Commerce Department’s National Telecommunications and Information Administration (NTIA) Stewardship of the IANA Functions to the Global.
Implementing a Calibration Management System Cory Otto Principal Metrology Engineer, Boston Scientific 10 October 2012.
1 ARIN: Mission, Role and Services John Curran ARIN President and CEO.
IANA Governance Changes – NANOG 62 Lightning Talk John Curran, ARIN.
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
IANA Department Activities, RIPE 66, Dublin, Ireland May 2013 Elise Gerich.
CORE Executive Board March 31, 2010 Next CEB April 28, 2010.
Rev Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.
Update from ICANN staff on SSR Activities Greg Rattray Tuesday 21 st 2010.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
Internet and Intranet RMUTT, Course Outline 1 st half –Internet overview –TCP/IP protocol –Applications in TCP/IP network 2 nd half –JSP programming.
© Afilias Limitedwww.afilias.info SM Deploying DNSSEC Ram Mohan.
Internet Corporation for Assigned Names & Numbers Update on ITAR Elise Gerich Vice President, IANA.
Technical Area Report Byron Ellacott Technical Area Manager.
Root Zone KSK: The Road Ahead Edward Lewis | DNS-OARC & RIPE DNSWG | May 2015
Rolling the Keys of the DNS Root Zone Geoff Huston APNIC Labs.
Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.
IANA Activities Update, ARIN 31, Bridgetown, BB April 2013 Selina Harrington.
Health Agenda Goal # 9f School Wellness Teams Progress to Date List activities in school year that were reflective of this goal as a priority.
NUOL Internet Application Services Midterm presentation 22 nd March, 2004.
© 2015 ISC November 2013 Sunset for the DLV?. © 2015 ISC Background (c) Interested
How to use DNS during the evolution of ICN? Zhiwei Yan.
Rolling the Root Geoff Huston APNIC Labs. Use of DNSSEC in Today’s Internet.
Segment 6: Provider Communication California ICD-10 Site Visit Training segments to assist the State of California with the ICD-10 Implementation June.
CONNECTICUT REGIONAL VOCATIONAL-TECHNICAL SCHOOL SYSTEM 07/03/03 Trade Technology Advisory Committee Procedures.
Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania ESCC/Internet2 Joint Techs Workshop Madison, Wisconsin, U.S.A., July 19 th 2006.
Developing a DNSSEC Policy The Compulsory Zone Distribution Which DNSSEC Protocol Keys – and Managing them Managing the Children Using DNSSEC Mark Elkins.
NTIA Stewardship Transition in the Internet Community July 24, 2014.
Root Zone KSK: After 5 years Elise Gerich | APNIC 40 | September 2015.
IANA Stewardship Transition & Enhancing ICANN Accountability Panel and Audience discussion | WSIS Forum | 5 May 2016.
Rolling the Root Geoff Huston APNIC Labs March 2016.
Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Status “Today”
Rolling the Root Zone DNSSEC Key Signing Key
KSK Rollover Update David Conrad, CTO ICANN 59 – ccNSO Members Meeting
DNS Team IETF 99 Hackathon.
KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.
Summary of the « New gTLD Program Safeguards » context before the Statistical Analysis of DNS Abuse in gTLD Farell FOLLY, Africa 2.0 Foundation .
State of DNSSEC deployment ISOC Advisory Council
Root Zone KSK Rollover: delay and next steps
Geoff Huston APNIC Labs September 2017
Root Zone KSK Rollover Update
TN: TEACH AACTE Grant TN TEACH: The TN EPP Assistive and Collaborative Help Network.
CWG-Stewardship Update
ccNSO CWG-Stewardship Update
Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania
Root KSK Roll Update DNS-OARC 27 Matt Larson, VP of Research
Measuring KSK Roll Readiness
CONNECTICUT REGIONAL VOCATIONAL-TECHNICAL SCHOOL SYSTEM
CONNECTICUT REGIONAL VOCATIONAL-TECHNICAL SCHOOL SYSTEM
DNSSEC & KSK Rollover Patrick Jones Middle East DNS Forum & APTLD 75
CONNECTICUT REGIONAL VOCATIONAL-TECHNICAL SCHOOL SYSTEM
DNSSEC Tutorial: Status “Today”
The Curious Case of the Crippling DS record
CONNECTICUT REGIONAL VOCATIONAL-TECHNICAL SCHOOL SYSTEM
Trade Technology Advisory Committee Procedures
Presentation transcript:

Root Zone KSK Maintenance Jaap Akkerhuis | ENOG -10 | October 2015

| 2  Channeling IANA  Make people aware this is happening  Member of design team What I’m doing here

| 3  Change of Hardware Security Modules (HSMs)  Roll (change) the Key Signing Key (KSK) Agenda

| 4  Root Zone KSK  The trust anchor in the DNSSEC hierarchy  Has been in operation since June 2010  "After 5 years of operation"  Concerns over original HSM battery life  Requirement to roll the KSK  What's a HSM? What's a KSK? (We'll get to that.) Background

| 5 The Players  Root Zone Management (RZM) Partners  Internet Corporation for Assigned Names and Numbers (ICANN)  U.S. Department of Commerce, National Telecommunications and Information Administration (NTIA)  Verisign  External Design Team for KSK roll  ICANN  Performs DNSSEC and KSK functions (plus others) in accordance with the IANA functions contract

| 6 What is a...  KSK?  Key-Signing Key signs DNSKEY RR set  Root Zone KSK  Public key in DNS Validator Trust Anchor sets  Copied everywhere - "configuration data"  Private key used only inside HSM

| 7 KSK ???

| 8 What is a...  HSM?  Hardware Security Module  Specialized hardware  Operates KSK  Prevents exposure of private key

| 9 Public Impact  HSM change  Happened with no impact  KSK roll  Large impact (on those DNSSEC validating)  Anybody operating a validator has the KSK now  All copies need to be updated  Trusting the new KSK is work to be done

| 10  Culpeper, Virginia, USA on April 9, 2015  El Segundo, California, USA on August 13, 2015  Plan  en  Archived   "21" and "22" plus the HSM Acceptance Testing for each site HSM Change (or "Tech Refresh")

| 11 KSK Roll  Compared to HSM change  Greater public impact  Various options to consider  Approach  ICANN Public Consultation (2012)  Previous engineering effort (2013)  Current external design team (2015)  Final report due in December  RZM Partners follow with a plan

| 12 Design Team Roster  Joe Abley  John Dickinson  Ondrej Sury  Yoshiro Yoneya  Jaap Akkerhuis  Geoff Huston  Paul Wouters  Plus participation of the aforementioned Root Zone Management Partners

| 13 In theory  On paper...  The industry collective wisdom is fairly mature  There have been many KSK rolls before  What works, breaks has been experienced  The Root Zone KSK is different  Other KSK rolls inform the parent (or DLV)  A new root KSK has to be updated everywhere  Mitigated by RFC5011's trust anchor management

| 14 In practice ...but...  Any plan will face external challenges  Will validators have trouble receiving responses during the roll? (Fragmentation issues)  Are automated trust anchor updates implemented correctly?  Will operators know how to prepare, how to react?  Will all DNSSEC code paths perform correctly?

| 15 Challenges  Coordination is the central theme  "What to go to and when to go"  Uniquely distributed (management) effort  DNSSEC Validator Operators and RZM partners will have to act in concert  Build trust in new KSK  Deciding when to take the next step  Whether going forward or backward

| 16 Participate  Join the mailing list:  Join the conversation on Twitter: Hashtag: #KeyRollover for the most up to date news