Presentation is loading. Please wait.

Presentation is loading. Please wait.

draft-huston-kskroll-sentinel

Published byEmily Sutton Modified over 6 years ago

Similar presentations

Presentation on theme: "draft-huston-kskroll-sentinel"— Presentation transcript:

1 draft-huston-kskroll-sentinel
Geoff Huston Joao Damas Warren Kumari

2 Measuring KSK Roll Readiness
Getting resolvers to report on their local trusted key state Resolvers that support the RFC8145 signal mechanism periodically include the key tag of their locally trusted keys into a query directed towards the root servers But: An aggregated signal is only visible to root servers DNS forwarders and local caching confuse attribution efforts The number of users that exclusively rely on reporting resolvers is not apparent It is unknown whether the user has alternate resolvers that they can use

3 User-Side Measurement
Can we devise a DNS query that could reveal the state of the trusted keys of the resolvers that the user actually invokes back to the user? Not within the current parameters of DNSSEC and/or resolver behaviour But what if we could change resolver behaviour? Just as RFC8145 required a change in resolver behaviour We propose a change to the resolver’s reporting of validation outcome depending on the resolver’s local trusted key state: If a query contains the label “_is-ta-<key-tag>” then a validating resolver will report validation failure if the key is NOT in the local trusted key store If a query contains the label “_not-ta-<key-tag>” then a validating resolver will report validation failure if the key IS in the local trusted key store

4 User-Side Measurement
Three DNS queries: _is-ta-4066.<some.signed.domain> _not-ta-4066.<some.signed.domain> <badly-signed>.<some.signed.domain> Single Resolver Analysis: Resolver Behaviour Type Loaded New KSK NOT loaded New KSK Mechanism not supported Not validating Query Query Query 3 A SERVFAIL SERVFAIL SERVFAIL A SERVFAIL A A SERVFAIL A A A

5 User-Side Measurement
Multiple Resolver Analysis A SERVFAIL response will cause the user to repeat their query to other locally configured resolvers. In a multi-resolver scenario, and where forwarders are used, we can still determine if the user will be impacted by the KSK roll User Impact OK NOT OK Query Query Query 3 A SERVFAIL SERVFAIL SERVFAIL A SERVFAIL A A SERVFAIL SERVFAIL SERVFAIL SERVFAIL A A A UNKNOWN NOT Impacted

6 Measuring User Impact Use these tests in a script to allow users to test the state of their DNS environment: If the user can resolve Query 1, and SERVFAILs on Query 2 and Query 3 then the user is able to validate using the nominated key as a trusted key If the user SERVFAILS on Query 1, resolves Query 2 and SERVFAILs on Query 3 then the user is unable to validate using the nominated key as a trusted keys If the user SERVFAILS on Query 3 then the result is indeterminate Otherwise, the user will not be impacted by the KSK roll

7 Privacy and Security Considerations
This test itself does not reveal which resolvers are used by end users in resolving names The query itself need not contain any end user identifying material The methodology never changes “insecure” to ”authenticated” – it will only change “authenticated” to “insecure” depending on the resolver’s local trusted key state when resolving certain labels Anyone can set up a test condition within their delegated part of the DNS The results of the test are passed back only to the user in the form of a resolution outcome

8 Questions Should this label be at any location in the name or should it be specified to be the left-most label? I can’t think of any other questions – maybe you can!

Download ppt "draft-huston-kskroll-sentinel"

Similar presentations

IDN TLD Variants Implementation Guideline draft-yao-dnsop-idntld-implementation-01.txt Yao Jiankang.

IDN TLD Variants Implementation Guideline draft-yao-dnsop-idntld-implementation-01.txt Yao Jiankang.
0 Considerations on T2S Migration: Special contingency cases during migration T2S Programme Office European Central Bank T2S Advisory Group - 19 November.

0 Considerations on T2S Migration: Special contingency cases during migration T2S Programme Office European Central Bank T2S Advisory Group - 19 November.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 17 Jonathan Katz.
Canonical Producer CP API User Code CP Servlet Files CreateTable, Port, Protocol, Security, SQL Support, Multiple Query Support Security Insert Query Port.

Canonical Producer CP API User Code CP Servlet Files CreateTable, Port, Protocol, Security, SQL Support, Multiple Query Support Security Insert Query Port.
DHCP: Dual-Stack Issues draft-ietf-dhc-dual-stack-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.

DHCP: Dual-Stack Issues draft-ietf-dhc-dual-stack-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.
Geoff Huston APNIC Labs

Geoff Huston APNIC Labs
Module 5: Planning a DNS Strategy. Overview Planning DNS Servers Planning a Namespace Planning Zones Planning Zone Replication and Delegation Integrating.

Module 5: Planning a DNS Strategy. Overview Planning DNS Servers Planning a Namespace Planning Zones Planning Zone Replication and Delegation Integrating.
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.

Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
CHAPTER 3 PLANNING INTERNET CONNECTIVITY. D ETERMINING INTERNET CONNECTIVITY REQUIREMENTS Factors to be considered in internet access strategy: Sufficient.

CHAPTER 3 PLANNING INTERNET CONNECTIVITY. D ETERMINING INTERNET CONNECTIVITY REQUIREMENTS Factors to be considered in internet access strategy: Sufficient.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Measuring DNSSEC Geoff Huston APNIC Labs, June 2014.

Measuring DNSSEC Geoff Huston APNIC Labs, June 2014.
Rolling the Keys of the DNS Root Zone Geoff Huston APNIC Labs.

Rolling the Keys of the DNS Root Zone Geoff Huston APNIC Labs.
July 16, 20031 Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...

July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
Creating PHPs to Insert, Update, and Delete Data CS 320.

Creating PHPs to Insert, Update, and Delete Data CS 320.
SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.

SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.
Measuring DNSSEC Use Geoff Huston APNIC Labs. We all know…

Measuring DNSSEC Use Geoff Huston APNIC Labs. We all know…
Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.
 Registry itself is easy and straightforward in implementation  The objects of registry are actually complicated to store and manage  Objects of Registry.

 Registry itself is easy and straightforward in implementation  The objects of registry are actually complicated to store and manage  Objects of Registry.
Rolling the Root Geoff Huston APNIC Labs. Use of DNSSEC in Today’s Internet.

Rolling the Root Geoff Huston APNIC Labs. Use of DNSSEC in Today’s Internet.

Similar presentations

Ads by Google