DNSSEC for the Root Zone
ICANN 36, Seoul
28 October 2009
Richard Lamb, ICANN
Matt Larson, VeriSign
This design is the result of a cooperation between ICANN & VeriSign with support from the U.S. DoC NTIA
Design Requirements
Keywords
Transparency
Processes and procedures should be as open as possible for the Internet community to trust the signed root
Audited
Processes and procedures should be audited against industry standards, e.g. ISO/IEC 27002:2005
High Security
Root system should meet all NIST SP 800-53 technical security controls required by a HIGH IMPACT system
Roles and Responsibilities
ICANN
IANA Functions Operator
• Manages the Key Signing Key (KSK)
• Accepts DS records from TLD operators
• Verifies and processes requests
• Sends update requests to DoC for authorization and to VeriSign for implementation
DoC NTIA
U.S. Department of Commerce National Telecommunications and Information Administration
• Authorizes changes to the root zone
‣ DS records
‣ Key Signing Keys
‣ DNSSEC update requests follow the same process as other changes
• Checks that ICANN has followed their agreed upon verification/processing policies and procedures
VeriSign
Root Zone Maintainer
• Manages the Zone Signing Key (ZSK)
• Incorporates NTIA-authorized changes
• Signs the root zone with the ZSK
• Distributes the signed zone to the root server operators
[Diagram: root zone signing process]
Parties and components shown: ICANN, VeriSign, DoC, RZM, Signer, TLD Operator, Root Servers, KSK Management, ZSK Management, Unsigned root, Signed root
• DNS records sent from TLD operator to ICANN
• Verified data sent to DoC
• Authorized data sent to VeriSign
• ZSK sent from VeriSign to ICANN
• Keyset is signed by KSK and sent back from ICANN to VeriSign
• KSK published by ICANN
• Root Zone distributed to root servers
Proposed Approach to Protecting the KSK
Physical Security
Facility – Tier 1 – Access control by Data Center
Facility – Tier 2 – Access control by Data Center
Facility – Tier 3 – Access control by Data Center
Cage – Tier 4 – Access control by Data Center
Safe Room – Tier 5 – Access control by ICANN
Safe #1 – Tier 6
HSM – Tier 7
Private Keys
Key Ceremony Computer
Safe #2 – Tier 6
Safe Deposit Box – Tier 7
Crypto Officers' Credentials
DPS
DNSSEC Policy & Practice Statement
• States the practices and provisions that are employed in root zone signing and zone distribution services
‣ Issuing, managing, changing and distributing DNS keys in accordance with the specific requirements of the U.S. DoC NTIA
• Comparable to a certification practice statement (CPS) from an X.509 certificate authority (CA)
Key Signing Key Management
• Generate, Publish, Use, Destroy
• ICANN Staff
• External Trusted Persons
• Global Internet Community
• 3rd Party Auditors
• Policy & Practice Statement
Zone Signing Key Management
• Generate, Publish, Use, Destroy
• VeriSign Staff
• 3rd Party Auditors
• Policy & Practice Statement
• Other Witnesses
Community Trust
• Proposal that community representatives* have an active role in management of the KSK
‣ as Crypto Officers needed to activate the KSK
‣ as Backup Key Share Holders protecting shares of the symmetric key that encrypts the backup copy of the KSK
*) drawn from members of entities such as ccNSO, GNSO, IAB, RIRs, ISOC
Auditing & Transparency
• Third-party auditors check that ICANN operates as described in the DPS
• Other external witnesses may also attend the key ceremonies
Proposed DNSSEC Protocol Parameters
Key Signing Key
• KSK is 2048-bit RSA
‣ Rolled every 2-5 years
‣ RFC 5011 for automatic key rollovers
• Propose using signatures based on SHA-256
Zone Signing Key
• ZSK is 1024-bit RSA
‣ Rolled once a quarter (four times per year)
• Zone signed with NSEC
• Propose using signatures based on SHA-256
Signature Validity
• DNSKEY-covering RRSIG validity 15 days
‣ re-sign every 10 days
• Other RRSIG validity 7 days
‣ re-sign twice per day (with zone generation)
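
A monitoring check built on the validity and re-sign figures above, as an added example that is not part of the original slides. It assumes a signer on schedule never lets remaining validity fall below validity minus re-sign interval (a derived floor, not a figure from the slide); the sample records, key tags and signatures are constructed.

```python
from datetime import datetime, timedelta, timezone

# Covered type -> (signature validity, re-sign interval), as proposed above.
POLICY = {
    "DNSKEY": (timedelta(days=15), timedelta(days=10)),
    "*": (timedelta(days=7), timedelta(hours=12)),  # every other RRset
}

def parse_ts(text):
    """RRSIG timestamps in presentation format are YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsig(line, now):
    """Return (covered type, findings) for one RRSIG in zone-file form."""
    fields = line.split()
    i = fields.index("RRSIG")
    covered = fields[i + 1]
    # RDATA order: type, algorithm, labels, TTL, expiration, inception, ...
    expiration, inception = parse_ts(fields[i + 5]), parse_ts(fields[i + 6])
    validity, resign = POLICY.get(covered, POLICY["*"])
    findings = []
    if now < inception:
        findings.append("not yet valid")
    if now >= expiration:
        findings.append("expired")
    elif expiration - now < validity - resign:
        # Assumed floor: less time left than a missed re-sign would leave.
        findings.append("re-sign overdue")
    if expiration - inception > validity:
        # A longer window extends how long a captured signature stays usable.
        findings.append("window longer than policy")
    return covered, findings

# Constructed records; "c2ln" stands in for the base64 signature.
NOW = datetime(2010, 7, 10, tzinfo=timezone.utc)
SAMPLES = [
    ". 172800 IN RRSIG DNSKEY 8 0 172800 20100716000000 20100701000000 12345 . c2ln",
    ". 172800 IN RRSIG DNSKEY 8 0 172800 20100713000000 20100628000000 12345 . c2ln",
    ". 518400 IN RRSIG NS 8 0 518400 20100716120000 20100709120000 54321 . c2ln",
    "org. 86400 IN RRSIG DS 8 1 86400 20100808000000 20100709000000 54321 . c2ln",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(check_rrsig(record, NOW))
```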
Key Ceremonies
• Key Generation
‣ Generation of new KSK
‣ Every 2-5 years
• Processing of ZSK Signing Request (KSR)
‣ Signing ZSK for the next upcoming quarter
‣ Every quarter
Root Trust Anchor
• Published on a web site by ICANN as
‣ XML-wrapped and plain DS record
    • to facilitate automatic processing
‣ PKCS #10 certificate signing request (CSR)
    • as self-signed public key
    • Allows third-party CAs to sign the KSK
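
How a validator operator can check that a DNSKEY is the key a published DS trust anchor commits to, as an added example that is not part of the original slides. It follows the key tag and DS digest definitions in RFC 4034 and RFC 4509; the key material is constructed and is not the root KSK.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    """Canonical lower-case wire form of an owner name; "." is the root."""
    labels = [part for part in name.lower().rstrip(".").split(".") if part]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def anchor_matches(owner, rdata, ds):
    """ds is (key tag, algorithm, digest type, digest hex) from the anchor."""
    tag, algorithm, digest_type, digest_hex = ds
    flags, _protocol, key_algorithm = struct.unpack("!HBB", rdata[:4])
    return (
        digest_type == 2                      # SHA-256 digest
        and (flags & 0x0100) != 0             # must be a zone key
        and key_algorithm == algorithm
        and key_tag(rdata) == tag
        and ds_sha256(owner, rdata) == digest_hex.replace(" ", "").upper()
    )

# Constructed key: flags 257 (KSK), protocol 3, algorithm 8 (RSA/SHA-256),
# exponent 65537 and a 16-byte stand-in for the modulus.
SAMPLE_KSK = dnskey_rdata(257, 3, 8, bytes([3, 1, 0, 1]) + bytes(range(0x10, 0x20)))
# Stand-in for the DS that would be fetched from the published trust anchor.
SAMPLE_DS = (key_tag(SAMPLE_KSK), 8, 2, ds_sha256(".", SAMPLE_KSK))

if __name__ == "__main__":
    print(SAMPLE_DS, anchor_matches(".", SAMPLE_KSK, SAMPLE_DS))
```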
Proposed Deployment
Roll Out
• Incremental roll out of the signed root
‣ Groups of root server “letters” at a time
• Watch the query profile to all root servers as roll out progresses
• Listen to community feedback for any problems
No validation
• Real keys will be replaced by dummy keys while rolling out the signed root
‣ Signatures will not validate during roll out
‣ Actual keys will be published at end of roll out
Draft Timeline
• December 1, 2009
‣ Root zone signed
    • Initially signed zone stays internal to ICANN and VeriSign
‣ ICANN and VeriSign begin KSR processing
    • ZSK and KSK rolls
• January - July 2010
‣ Incremental roll out of signed root
• July 1, 2010
‣ KSK rolled and trust anchor published
‣ Signed root fully deployed
Thoughts?
• Feedback on this proposal would be extremely welcome
‣ Here in room
‣ Email Rick or Matt
Root DNSSEC Design Team
Joe Abley
David Blacka
David Conrad
Richard Lamb
Matt Larson
Fredrik Ljunggren
David Knight
Tomofumi Okubo
Jakob Schlyter