SlideShare a Scribd company logo

Testing Rolling Roots

APNIC, profile picture
APNIC

The document discusses the impending roll of the DNS root zone key signing key (KSK) and its implications, particularly for DNSSEC-validating resolvers. Concerns are raised about the ability of these resolvers to adopt the new KSK, especially those that do not support RFC5011 procedures, which may result in service disruptions. Various tests and observations regarding key roll impacts and resolver behaviors are highlighted, noting the importance of understanding user impacts and technical challenges during the transition.

Internet
1 of 56
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
Testing Rolling Roots Geoff Huston APNIC Labs
Use of DNSSEC in Today’s Internet
Use of DNSSEC in SE Asia
Use of DNSSEC in SE Asia 1 in 6 users in this region have their DNS queries resolved by DNSSEC-validating reslovers
Why is this relevant?
Because… the root zone managers are preparing to roll the DNS Root Zone Key Signing Key (and this may break your DNS service!) 6
Five Years Ago
Five Years Ago…
Five Years Ago…
ZSK? –  Zone Signing Key –  Used to generate the digital signature RRSIG records in the root zone –  The ZSK is rolled regularly every quarter –  The DNSKEY record for the ZSK is signed by the KSK
KSK? •  The Root Zone Key Signing Key signs the DNSKEY RR set of the root zone –  The Zone Signing Key (ZSK) signs the individual root zone entries •  The KSK Public Key is used as the DNSSEC Validation trust anchor –  It is copied everywhere as “configuration data” –  Most of the time the KSK is kept offline in highly secure facilities
The Eastern KSK Repository
The Western KSK Repository El Segundo, California *
The Ultra Secret Third KSK Repository in Amsterdam KSK spotting by George Michaelson
The Uruguay Mobile KSK KSK spotting by George Michaelson
The Cast of Actors •  Root Zone Management Partners: –  Internet Corporation for Assigned Names and Numbers (ICANN) –  National Telecommunications and Information Administration, US Department of Commerce (NTIA) –  Verisign •  External Design Team for KSK Roll
Approach •  ICANN Public Consultation – 2012 •  Detailed Engineering Study - 2013 •  SSAC Study (SAC-063) - 2013 •  KSK Roll Design Team - 2015
2015 Design Team Milestones •  January – June: Study, discuss, measure, ponder, discuss some more •  August –  Present a draft report for ICANN Public Comment https://www.icann.org/public-comments/root-ksk-2015-08-06-en (comment close 15th September 2015) •  September –  Prepare final report •  Pass to the Root Zone Management Partners who then will develop an operational plan and execute
Rolling the KSK? •  All DNS resolvers that perform validation of DNS responses use a local copy of the KSK •  They will need to load a new KSK public key and replace the existing trust anchor with this new value at the appropriate time •  This key roll could have a public impact, particularly if DNSSEC-validating resolvers do not load the new KSK
Easy, Right? •  Publish a new KSK and include it in DNSKEY responses •  Use the new KSK to sign the ZSK, as well as the old KSK signature –  Resolvers use old-signs-over-new to pick up the new KSK, validate it using the old KSK, and replace the local trust anchor material with the new KSK •  Withdraw the old signature signed via the old KSK •  Revoke the old KSK
The RFC5011 Approach
The RFC5011 Approach The point of no return The critical switch Pre-load
Just Like Last Time?
But that was then… And this is now: –  Resolvers are now not so aggressive in searching for alternate validation paths when validation fails (as long as resolvers keep their code up to date, which everyone does – right?) –  And now we all support RFC5011 key roll processes –  And everyone can cope with large DNS responses So all this will go without a hitch Nobody will even notice the KSK roll at the root Truly ruly!
But that was then… And this is now: –  Resolvers are now not so aggressive in searching for alternate validation paths when validation fails (as long as resolvers keep their code up to date, which everyone does – right?) –  And now we all support RFC5011 key roll processes –  And everyone can cope with large DNS responses So all this will go without a hitch Nobody will even notice the KSK roll at the root Truly Ruly! Not!
What we all should be concerned about… That resolvers who validate DNS responses will fail to pick up the new DNS root key automatically –  i.e. they do not have code that follows RFC5011 procedures for the introduction of a new KSK The resolvers will be unable to receive the larger DNS responses that will occur during the dual signature phase of the rollover
Technical Concerns •  Some DNSSEC validating resolvers do not support RFC5011 –  How many resolvers may be affected in this way? –  How many users may be affected? –  What will the resolvers do when validation fails? •  Will they perform lookup ‘thrashing’ –  What will users do when resolvers return SERVFAIL? •  How many users will redirect their query to a non-validating resolver
Technical Concerns •  Some DNSSEC validating resolvers do not support RFC5011 –  How many resolvers may be affected in this way? –  How many users may be affected? –  What will the resolvers do when validation fails? •  Will they perform lookup ‘thrashing’ –  What will users do when resolvers return SERVFAIL? •  How many users will redirect their query to a non-validating resolver Really hard to test this in the wild with heading down the path of fake root zones And because of the RFC5011 30 day holddown then its not a simple “point your resolver here” kind of test
DNS Response Sizes
We’ve been testing large responses in the DNS •  We are interested in sending DNSSEC-aware DNS resolvers a response that is much the same size as that being contemplated in a KSK key roll •  And seeing whether they got the response
The Test •  We are interested in resolvers who are DNSSEC aware (queries that contain the EDNS0 option with DNSSEC OK flag set on) •  We would like to test larger responses: –  1,440 octets of DNS payload •  We would like to test a couple of crypto protocols –  RSA –  ECDSA
EDNS(0) DNSSEC OK Set 76,456,053 queries 63,352,607 queries with EDNS(0) and DNSSEC OK set = 83% of queries 777,371 resolvers 649,304 resolvers with EDNS(0) and DNSSEC OK set = 84% of resolvers
EDNS(0) UDP Buffer sizes
EDNS(0) UDP Buffer sizes
EDNS(0) UDP Buffer sizes Around the 1425 octet response size we will see UDP response truncation rates of around 5.5%
Small vs Large 1,440 Octets Payload Experiments: 6,542,993 Web Fetch: 5,880,921 DS Fetch: 181,610 Timeout: 480,415 DNS Fail: 47 1,770 Octets Payload Experiments: 6,566,645 Web Fetch: 5,992,617 DS Fetch: 167,119 Timeout: 401,831 DNS Fail: 5,078
ECDSA vs RSA The spec says that when a resolver encounters a zone signed only with algorithms that are not supported by the resolver then it will treat the zone as unsigned and not proceed with validation Most resolvers determine the zone’s signing algorithms from the DS record What happens when we compare a 1,440 octet response signed by RSA and a 1,440 octet response signed by ECDSA?
1,440 octet ECDSA-signed Responses 9,137,436 tests 7,766,572 retrieved the 1x1 blot 2,644,564 queried for the DS record 860,163 queried for the DS record (but no blot) 505,045 timed out (but no blot!) 5,656 appeared to fail the DNS
1,440 octet ECDSA-signed Responses 9,137,436 tests 7,766,572 retrieved the 1x1 blot 2,644,564 queried for the DS record 860,163 queried for the DS record (but no blot) 505,045 timed out (but no blot!) 5,656 appeared to fail the DNS This is larger than RSA failure rates, but is still a small proportion of users affected. Some resolvers appear to have problems when presented with an unknown crypto protocol.
IPv4 vs IPv6 Do resolvers prefer IPv4 over IPv6? Total Queries: 47,826,735 Queries over V6: 394,816 Number of Resolvers: 109,725 Number of Resolvers using IPv6 for queries: 2,849
IPv4 vs IPv6 Do resolvers prefer IPv4 over IPv6? Total Queries: 47,826,735 Queries over V6: 394,816 Number of Resolvers: 109,725 Number of Resolvers using IPv6 for queries: 2,849 In a Dual Stack environment 1% of queries and 3% of resolvers use IPv6. What if the server was IPv6 only?
Some Observations - 1 There is a LOT of DNSSEC validation out there –  87% of all queries have DNSSEC-OK set –  30% of all DNSSEC-OK queries attempt to validate the response –  25% of end users are using DNS resolvers that will validate what they are told –  12% of end users don’t believe bad validation news and turn to other non-validating resolvers when validation fails.
Some Observations - 2 There is very little V6 being used out there –  1% of queries use IPv6 as the transport protocol when given a dual stack name server It seems that when given a choice: Browsers prefer IPv6 Resolvers prefer IPv4
Some Observations - 3 ECDSA is viable – sort of –  1 in 5 clients who use resolvers that validate RSA-signed responses are unable to validate the same response when signed using ECDSA –  But they fail to “unsigned” rather than “invalid” so it’s a (sort of) safe fail
Some Observations - 4 The larger DNS responses will probably work –  The “fall back to TCP” will rise to 6% of queries when the response size get to around 1,350 octets –  And the DNS failure rate appears to rise by around 1 - 2 % –  BUT .org currently runs at 1,650 octets and nobody is screaming failure –  So it will probably work
Some Observations - 5 We can’t measure automated key take up –  We can’t see how many resolvers fail to use RFC5011 notices to pick up the new KSK as a Truct Anchor in advance –  We will only see it via failure on key roll
Where are we? •  A key roll of the Root Zone KSK will cause some resolvers to fail: –  Resolvers who do not pick up the new key in the manner described by RFC5011 –  Resolvers who cannot receive a DNS response of ~1,300 octets •  Many users who use these failing resolvers will just switch over to use a non-validating resolver •  A small pool of users will be affected with no DNS
Now? Public comment: draft report for ICANN Public Comment https://www.icann.org/public-comments/root-ksk-2015-08-06-en Comments close 15th September 2015 Please read & comment
Questions?
Comments - 1 Why Now? What is the imperative to roll the key now? Could we use more time to improve preparedness for this roll? For example, could we use further time to introduce some explicit EDNS(0) signalling options in resolvers to expose RFC5011 capability? 50
Comments - 2 Measuring and Testing? What measurements are planned to be undertaking during the key roll process? What are the threshold metrics for proceeding to the next phase? What is the threshold metric to proceed with the revocation of the old KSK? 51
Comments - 3 Algorithm Change The report’s language around the potential for algorithm change is unclear. There appears to be a strong bias to retention of RSA as the KSK algorithm, despite evidence that ECDSA is both shorter and potentially faster to compute. Whilst the report argues for a reduced risk of large packets, it doesn’t clearly explain why larger RSA-based DNS response payloads would be preferable to smaller ECDSA DNS response payloads. 52
Comments - 4 Scheduling The report notes as a constraint that a key roll must be aligned with existing Quarter and 10-day periods used in existing processes. This has the potential consequence of scheduling the critical change in the root zone on a weekend, or on a major public holiday. Why? 53
Comments - 5 Testing for RFC5011 The report notes that there is no easy way to test is a resolver has picked up the new KSK via 5011 signalling (or otherwise)? Has the team working on this explored the use of sentinel zones signed by the new KSK? For example it could be envisaged that the roll process could use the incoming KSK to sign some sentinel record in the root zone allowing measurement of the extent to which resolvers are able to use the KSK as a trust anchor to validate the sentinel record. It would be helpful to understand why such potentially measurable actions are not viable options in this particular context. 54
Comments - 6 Serialization The report assumes a single new KSK. What are the issues of introducing 2 or even 3 new KSKs at this point? 55
Comments - 7 All together all at once? Why do all root zones flip to use the new KSK all at the same time? Why is there not a period of dual sigs over the root ZSK? Why not allow each root server to switch from old to old+new to new using a staggered timetable? There may be perfectly sound reasons why all together all at once is a better option than staggered introduction, but report does not appear to provide any such reasons. 56

More Related Content

PDF
Thoughts about DNS for DDoS
APNIC
 
PDF
OARC 26: Who's asking
APNIC
 
PDF
Rolling the Root Zone DNSSEC Key Signing Key
APNIC
 
PPTX
IPv6 and the DNS, RIPE 73
APNIC
 
PDF
OARC 26: Scoring the Root Server System
APNIC
 
PDF
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
APNIC
 
PDF
NANOG 82: DNS Evolution
APNIC
 
PDF
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
APNIC
 
Thoughts about DNS for DDoS
APNIC
 
OARC 26: Who's asking
APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
APNIC
 
IPv6 and the DNS, RIPE 73
APNIC
 
OARC 26: Scoring the Root Server System
APNIC
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
APNIC
 
NANOG 82: DNS Evolution
APNIC
 
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
APNIC
 

What's hot (20)

PDF
VNIX-NOG 2021: IPv6 Deployment Update
APNIC
 
PDF
Zombie DNS
APNIC
 
PPTX
bdNOG 7 - Re-engineering the DNS - one resolver at a time
APNIC
 
PDF
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
APNIC
 
PDF
Measuring the end user
APNIC
 
PDF
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
PPTX
IPv6 deployment at APNIC
APNIC
 
PDF
PacNOG 29: Routing security is more than RPKI
APNIC
 
PDF
RIPE 78: A review of the KSK Roll
APNIC
 
PDF
More specific announcments in BGP
APNIC
 
PPTX
APRICOT 2015 - NetConf for Peering Automation
Tom Paseka
 
PDF
HKNOG 1.0 - DDoS attacks in an IPv6 World
Tom Paseka
 
PPT
Linx88 IPv6 Neighbor Discovery Russell Heilling
Russell Heilling
 
PDF
HDFS Selective Wire Encryption
Konstantin V. Shvachko
 
PDF
NANOG 84: DNS Openness
APNIC
 
PDF
IPv6 Deployment Case on a Korean Governmental Website
APNIC
 
PPTX
Are we really ready to turn off IPv4?
APNIC
 
PDF
Welcome to the APNIC Member Gathering, Mongolia
APNIC
 
PPTX
Campus networking
Jisc
 
PDF
mnNOG 1: Securing internet Routing
APNIC
 
VNIX-NOG 2021: IPv6 Deployment Update
APNIC
 
Zombie DNS
APNIC
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
APNIC
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
APNIC
 
Measuring the end user
APNIC
 
BSides: BGP Hijacking and Secure Internet Routing
APNIC
 
IPv6 deployment at APNIC
APNIC
 
PacNOG 29: Routing security is more than RPKI
APNIC
 
RIPE 78: A review of the KSK Roll
APNIC
 
More specific announcments in BGP
APNIC
 
APRICOT 2015 - NetConf for Peering Automation
Tom Paseka
 
HKNOG 1.0 - DDoS attacks in an IPv6 World
Tom Paseka
 
Linx88 IPv6 Neighbor Discovery Russell Heilling
Russell Heilling
 
HDFS Selective Wire Encryption
Konstantin V. Shvachko
 
NANOG 84: DNS Openness
APNIC
 
IPv6 Deployment Case on a Korean Governmental Website
APNIC
 
Are we really ready to turn off IPv4?
APNIC
 
Welcome to the APNIC Member Gathering, Mongolia
APNIC
 
Campus networking
Jisc
 
mnNOG 1: Securing internet Routing
APNIC
 
Ad

Viewers also liked (10)

PDF
IPv6 Deployment Status, Asia Pacific
APNIC
 
DOCX
Mapa conceptul utilizando blubb.us
pedro frias diaz
 
PDF
Community tools to fight against DDoS, SANOG 27
APNIC
 
PDF
AFRINIC 24 - APNIC Update
Robbie Mitchell
 
PDF
Challenges To Deploying New DNSSEC Cryptographic Algorithms
Deploy360 Programme (Internet Society)
 
PPTX
Universal Acceptance of Internationalized Domain Names (IDN), Email Addresses...
APNIC
 
DOCX
SAP RESUME NEW MODEL...23.7.2016
Nabhi Sk
 
ODP
Workshop essentials slide presentation part 2
Helene Jewell
 
PDF
APNIC Update: btNOG 3
APNIC
 
PDF
Textil slöjd zack 6 a hösttermin 2016
Cecilia Holgersson
 
IPv6 Deployment Status, Asia Pacific
APNIC
 
Mapa conceptul utilizando blubb.us
pedro frias diaz
 
Community tools to fight against DDoS, SANOG 27
APNIC
 
AFRINIC 24 - APNIC Update
Robbie Mitchell
 
Challenges To Deploying New DNSSEC Cryptographic Algorithms
Deploy360 Programme (Internet Society)
 
Universal Acceptance of Internationalized Domain Names (IDN), Email Addresses...
APNIC
 
SAP RESUME NEW MODEL...23.7.2016
Nabhi Sk
 
Workshop essentials slide presentation part 2
Helene Jewell
 
APNIC Update: btNOG 3
APNIC
 
Textil slöjd zack 6 a hösttermin 2016
Cecilia Holgersson
 
Ad

Similar to Testing Rolling Roots (20)

PDF
NANOG 74: That KSK Roll
APNIC
 
PDF
Rolling the Root KSK
APNIC
 
PDF
NZNOG 2013 - Experiments in DNSSEC
APNIC
 
PDF
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
APNIC
 
PDF
RIPE 86: DNSSEC — Yes or No?
APNIC
 
PDF
Introduction DNSSec
AFRINIC
 
PPTX
Re-Engineering the DNS – One Resolver at a Time
Bangladesh Network Operators Group
 
PDF
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
PDF
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
APNIC
 
PDF
OARC 31: NSEC Caching Revisited
APNIC
 
PDF
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
PDF
RIPE 82: DNS Evolution
APNIC
 
PDF
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
PDF
DNS & DNSSEC operational best practices - Sleep better at night with KINDNS i...
Bangladesh Network Operators Group
 
PDF
DNS & DNSSEC operational best practices - Sleep better at night with KINDNS i...
Bangladesh Network Operators Group
 
PDF
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
PDF
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
PPTX
ARCHITECTING INFLUXENTERPRISE FOR SUCCESS
InfluxData
 
PDF
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
PPTX
HKNOG 5.0 - NSEC caching
APNIC
 
NANOG 74: That KSK Roll
APNIC
 
Rolling the Root KSK
APNIC
 
NZNOG 2013 - Experiments in DNSSEC
APNIC
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
APNIC
 
RIPE 86: DNSSEC — Yes or No?
APNIC
 
Introduction DNSSec
AFRINIC
 
Re-Engineering the DNS – One Resolver at a Time
Bangladesh Network Operators Group
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
APNIC
 
OARC 31: NSEC Caching Revisited
APNIC
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
RIPE 82: DNS Evolution
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
DNS & DNSSEC operational best practices - Sleep better at night with KINDNS i...
Bangladesh Network Operators Group
 
DNS & DNSSEC operational best practices - Sleep better at night with KINDNS i...
Bangladesh Network Operators Group
 
DNSSEC Made Easy, presented at PHNOG 2025
APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
ARCHITECTING INFLUXENTERPRISE FOR SUCCESS
InfluxData
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
APNIC
 
HKNOG 5.0 - NSEC caching
APNIC
 

More from APNIC (20)

PPTX
APNIC Report, presented at APAN 60 by Thy Boskovic
APNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
PDF
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
PDF
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
APNIC
 
PDF
IPv6 Deployment and Best Practices, presented by Makito Lay
APNIC
 
PDF
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
PDF
The Internet - By the numbers, presented at npNOG 11
APNIC
 
PDF
Transmission Control Protocol (TCP) and Starlink
APNIC
 
PDF
DDoS in India, presented at INNOG 8 by Dave Phelan
APNIC
 
PDF
Global Networking Trends, presented at the India ISP Conclave 2025
APNIC
 
PDF
Make DDoS expensive for the threat actors
APNIC
 
PDF
Fast Reroute in SR-MPLS, presented at bdNOG 19
APNIC
 
PDF
DDos Mitigation Strategie, presented at bdNOG 19
APNIC
 
PDF
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
PDF
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
APNIC
 
PDF
Measuring Starlink Protocol Performance, presented at LACNIC 43
APNIC
 
PDF
Prop-154: Resizing of IPv4 assignments for IXPs
APNIC
 
APNIC Report, presented at APAN 60 by Thy Boskovic
APNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
The Internet -By the Numbers, Sri Lanka Edition
APNIC
 
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
APNIC
 
IPv6 Deployment and Best Practices, presented by Makito Lay
APNIC
 
Cleaning up your RPKI invalids, presented at PacNOG 35
APNIC
 
The Internet - By the numbers, presented at npNOG 11
APNIC
 
Transmission Control Protocol (TCP) and Starlink
APNIC
 
DDoS in India, presented at INNOG 8 by Dave Phelan
APNIC
 
Global Networking Trends, presented at the India ISP Conclave 2025
APNIC
 
Make DDoS expensive for the threat actors
APNIC
 
Fast Reroute in SR-MPLS, presented at bdNOG 19
APNIC
 
DDos Mitigation Strategie, presented at bdNOG 19
APNIC
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
APNIC
 
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
APNIC
 
Measuring Starlink Protocol Performance, presented at LACNIC 43
APNIC
 
Prop-154: Resizing of IPv4 assignments for IXPs
APNIC
 

Recently uploaded (20)

PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PPTX
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
PPTX
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PDF
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
PPTX
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PPTX
E -tech empowerment technologies PowerPoint
kylebalatero12
 
PDF
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
Internet___Basics___Styled_ presentation
poonam62133
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
Funds Management Learning Material for Beg
NKKumar16
 
artificial intelligence overview of it and more
yafotin445
 
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
E -tech empowerment technologies PowerPoint
kylebalatero12
 
Vigrab.top – Online Tool for Downloading and Converting Social Media Videos a...
Vigrab Top
 

Testing Rolling Roots

  • 2. Use of DNSSEC in Today’s Internet
  • 3. Use of DNSSEC in SE Asia
  • 4. Use of DNSSEC in SE Asia 1 in 6 users in this region have their DNS queries resolved by DNSSEC-validating reslovers
  • 5. Why is this relevant?
  • 6. Because… the root zone managers are preparing to roll the DNS Root Zone Key Signing Key (and this may break your DNS service!) 6
  • 10. ZSK? –  Zone Signing Key –  Used to generate the digital signature RRSIG records in the root zone –  The ZSK is rolled regularly every quarter –  The DNSKEY record for the ZSK is signed by the KSK
  • 11. KSK? •  The Root Zone Key Signing Key signs the DNSKEY RR set of the root zone –  The Zone Signing Key (ZSK) signs the individual root zone entries •  The KSK Public Key is used as the DNSSEC Validation trust anchor –  It is copied everywhere as “configuration data” –  Most of the time the KSK is kept offline in highly secure facilities
  • 12. The Eastern KSK Repository
  • 13. The Western KSK Repository El Segundo, California *
  • 14. The Ultra Secret Third KSK Repository in Amsterdam KSK spotting by George Michaelson
  • 15. The Uruguay Mobile KSK KSK spotting by George Michaelson
  • 16. The Cast of Actors •  Root Zone Management Partners: –  Internet Corporation for Assigned Names and Numbers (ICANN) –  National Telecommunications and Information Administration, US Department of Commerce (NTIA) –  Verisign •  External Design Team for KSK Roll
  • 17. Approach •  ICANN Public Consultation – 2012 •  Detailed Engineering Study - 2013 •  SSAC Study (SAC-063) - 2013 •  KSK Roll Design Team - 2015
  • 18. 2015 Design Team Milestones •  January – June: Study, discuss, measure, ponder, discuss some more •  August –  Present a draft report for ICANN Public Comment https://www.icann.org/public-comments/root-ksk-2015-08-06-en (comment close 15th September 2015) •  September –  Prepare final report •  Pass to the Root Zone Management Partners who then will develop an operational plan and execute
  • 19. Rolling the KSK? •  All DNS resolvers that perform validation of DNS responses use a local copy of the KSK •  They will need to load a new KSK public key and replace the existing trust anchor with this new value at the appropriate time •  This key roll could have a public impact, particularly if DNSSEC-validating resolvers do not load the new KSK
  • 20. Easy, Right? •  Publish a new KSK and include it in DNSKEY responses •  Use the new KSK to sign the ZSK, as well as the old KSK signature –  Resolvers use old-signs-over-new to pick up the new KSK, validate it using the old KSK, and replace the local trust anchor material with the new KSK •  Withdraw the old signature signed via the old KSK •  Revoke the old KSK
  • 22. The RFC5011 Approach The point of no return The critical switch Pre-load
  • 23. Just Like Last Time?
  • 24. But that was then… And this is now: –  Resolvers are now not so aggressive in searching for alternate validation paths when validation fails (as long as resolvers keep their code up to date, which everyone does – right?) –  And now we all support RFC5011 key roll processes –  And everyone can cope with large DNS responses So all this will go without a hitch Nobody will even notice the KSK roll at the root Truly ruly!
  • 25. But that was then… And this is now: –  Resolvers are now not so aggressive in searching for alternate validation paths when validation fails (as long as resolvers keep their code up to date, which everyone does – right?) –  And now we all support RFC5011 key roll processes –  And everyone can cope with large DNS responses So all this will go without a hitch Nobody will even notice the KSK roll at the root Truly Ruly! Not!
  • 26. What we all should be concerned about… That resolvers who validate DNS responses will fail to pick up the new DNS root key automatically –  i.e. they do not have code that follows RFC5011 procedures for the introduction of a new KSK The resolvers will be unable to receive the larger DNS responses that will occur during the dual signature phase of the rollover
  • 27. Technical Concerns •  Some DNSSEC validating resolvers do not support RFC5011 –  How many resolvers may be affected in this way? –  How many users may be affected? –  What will the resolvers do when validation fails? •  Will they perform lookup ‘thrashing’ –  What will users do when resolvers return SERVFAIL? •  How many users will redirect their query to a non-validating resolver
  • 28. Technical Concerns •  Some DNSSEC validating resolvers do not support RFC5011 –  How many resolvers may be affected in this way? –  How many users may be affected? –  What will the resolvers do when validation fails? •  Will they perform lookup ‘thrashing’ –  What will users do when resolvers return SERVFAIL? •  How many users will redirect their query to a non-validating resolver Really hard to test this in the wild with heading down the path of fake root zones And because of the RFC5011 30 day holddown then its not a simple “point your resolver here” kind of test
  • 30. We’ve been testing large responses in the DNS •  We are interested in sending DNSSEC-aware DNS resolvers a response that is much the same size as that being contemplated in a KSK key roll •  And seeing whether they got the response
  • 31. The Test •  We are interested in resolvers who are DNSSEC aware (queries that contain the EDNS0 option with DNSSEC OK flag set on) •  We would like to test larger responses: –  1,440 octets of DNS payload •  We would like to test a couple of crypto protocols –  RSA –  ECDSA
  • 32. EDNS(0) DNSSEC OK Set 76,456,053 queries 63,352,607 queries with EDNS(0) and DNSSEC OK set = 83% of queries 777,371 resolvers 649,304 resolvers with EDNS(0) and DNSSEC OK set = 84% of resolvers
  • 35. EDNS(0) UDP Buffer sizes Around the 1425 octet response size we will see UDP response truncation rates of around 5.5%
  • 36. Small vs Large 1,440 Octets Payload Experiments: 6,542,993 Web Fetch: 5,880,921 DS Fetch: 181,610 Timeout: 480,415 DNS Fail: 47 1,770 Octets Payload Experiments: 6,566,645 Web Fetch: 5,992,617 DS Fetch: 167,119 Timeout: 401,831 DNS Fail: 5,078
  • 37. ECDSA vs RSA The spec says that when a resolver encounters a zone signed only with algorithms that are not supported by the resolver then it will treat the zone as unsigned and not proceed with validation Most resolvers determine the zone’s signing algorithms from the DS record What happens when we compare a 1,440 octet response signed by RSA and a 1,440 octet response signed by ECDSA?
  • 38. 1,440 octet ECDSA-signed Responses 9,137,436 tests 7,766,572 retrieved the 1x1 blot 2,644,564 queried for the DS record 860,163 queried for the DS record (but no blot) 505,045 timed out (but no blot!) 5,656 appeared to fail the DNS
  • 39. 1,440 octet ECDSA-signed Responses 9,137,436 tests 7,766,572 retrieved the 1x1 blot 2,644,564 queried for the DS record 860,163 queried for the DS record (but no blot) 505,045 timed out (but no blot!) 5,656 appeared to fail the DNS This is larger than RSA failure rates, but is still a small proportion of users affected. Some resolvers appear to have problems when presented with an unknown crypto protocol.
  • 40. IPv4 vs IPv6 Do resolvers prefer IPv4 over IPv6? Total Queries: 47,826,735 Queries over V6: 394,816 Number of Resolvers: 109,725 Number of Resolvers using IPv6 for queries: 2,849
  • 41. IPv4 vs IPv6 Do resolvers prefer IPv4 over IPv6? Total Queries: 47,826,735 Queries over V6: 394,816 Number of Resolvers: 109,725 Number of Resolvers using IPv6 for queries: 2,849 In a Dual Stack environment 1% of queries and 3% of resolvers use IPv6. What if the server was IPv6 only?
  • 42. Some Observations - 1 There is a LOT of DNSSEC validation out there –  87% of all queries have DNSSEC-OK set –  30% of all DNSSEC-OK queries attempt to validate the response –  25% of end users are using DNS resolvers that will validate what they are told –  12% of end users don’t believe bad validation news and turn to other non-validating resolvers when validation fails.
  • 43. Some Observations - 2 There is very little V6 being used out there –  1% of queries use IPv6 as the transport protocol when given a dual stack name server It seems that when given a choice: Browsers prefer IPv6 Resolvers prefer IPv4
  • 44. Some Observations - 3 ECDSA is viable – sort of –  1 in 5 clients who use resolvers that validate RSA-signed responses are unable to validate the same response when signed using ECDSA –  But they fail to “unsigned” rather than “invalid” so it’s a (sort of) safe fail
  • 45. Some Observations - 4 The larger DNS responses will probably work –  The “fall back to TCP” will rise to 6% of queries when the response size get to around 1,350 octets –  And the DNS failure rate appears to rise by around 1 - 2 % –  BUT .org currently runs at 1,650 octets and nobody is screaming failure –  So it will probably work
  • 46. Some Observations - 5 We can’t measure automated key take up –  We can’t see how many resolvers fail to use RFC5011 notices to pick up the new KSK as a Truct Anchor in advance –  We will only see it via failure on key roll
  • 47. Where are we? •  A key roll of the Root Zone KSK will cause some resolvers to fail: –  Resolvers who do not pick up the new key in the manner described by RFC5011 –  Resolvers who cannot receive a DNS response of ~1,300 octets •  Many users who use these failing resolvers will just switch over to use a non-validating resolver •  A small pool of users will be affected with no DNS
  • 48. Now? Public comment: draft report for ICANN Public Comment https://www.icann.org/public-comments/root-ksk-2015-08-06-en Comments close 15th September 2015 Please read & comment
  • 50. Comments - 1 Why Now? What is the imperative to roll the key now? Could we use more time to improve preparedness for this roll? For example, could we use further time to introduce some explicit EDNS(0) signalling options in resolvers to expose RFC5011 capability? 50
  • 51. Comments - 2 Measuring and Testing? What measurements are planned to be undertaking during the key roll process? What are the threshold metrics for proceeding to the next phase? What is the threshold metric to proceed with the revocation of the old KSK? 51
  • 52. Comments - 3 Algorithm Change The report’s language around the potential for algorithm change is unclear. There appears to be a strong bias to retention of RSA as the KSK algorithm, despite evidence that ECDSA is both shorter and potentially faster to compute. Whilst the report argues for a reduced risk of large packets, it doesn’t clearly explain why larger RSA-based DNS response payloads would be preferable to smaller ECDSA DNS response payloads. 52
  • 53. Comments - 4 Scheduling The report notes as a constraint that a key roll must be aligned with existing Quarter and 10-day periods used in existing processes. This has the potential consequence of scheduling the critical change in the root zone on a weekend, or on a major public holiday. Why? 53
  • 54. Comments - 5 Testing for RFC5011 The report notes that there is no easy way to test is a resolver has picked up the new KSK via 5011 signalling (or otherwise)? Has the team working on this explored the use of sentinel zones signed by the new KSK? For example it could be envisaged that the roll process could use the incoming KSK to sign some sentinel record in the root zone allowing measurement of the extent to which resolvers are able to use the KSK as a trust anchor to validate the sentinel record. It would be helpful to understand why such potentially measurable actions are not viable options in this particular context. 54
  • 55. Comments - 6 Serialization The report assumes a single new KSK. What are the issues of introducing 2 or even 3 new KSKs at this point? 55
  • 56. Comments - 7 All together all at once? Why do all root zones flip to use the new KSK all at the same time? Why is there not a period of dual sigs over the root ZSK? Why not allow each root server to switch from old to old+new to new using a staggered timetable? There may be perfectly sound reasons why all together all at once is a better option than staggered introduction, but report does not appear to provide any such reasons. 56