Safer DNSSEC Implementation for Critical Zones

Safer DNSSEC Implementation for Critical Zones
Slide Note
Embed
Share

This content discusses the challenges and strategies for implementing DNSSEC in critical zones to ensure a secure and reliable DNS infrastructure. Topics include DNSSEC enrollment, DS record management, and the importance of automated processes for maintaining integrity. The presentation emphasizes the need for feedback from Registry Operators and outlines steps to enhance security in DNS operations.

  • DNSSEC
  • Security
  • Critical Zones
  • Automation
  • Registry Operators
fase863
fase863 Follow

Uploaded on Mar 08, 2025 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Safer DNSSEC Viktor Dukhovni Google Public DNS Presented at OARC39 Workshop [ Based on ICANN75 talk ]

  2. Agenda DNSSEC Today Critical zones Safer DNSSEC Next steps: plea for feedback from Registry Operators (and others) 2

  3. DNSSEC Enrollment Today Child zone DNS operator signs the zone Low risk, increasingly well automated, including ZSK rollovers Some operators sign most customer zones by default May also partly automate KSK rollovers by publishing CDS and waiting for matching DS Registrant communicates associated DS or DNSKEY records to Registrar Can be tedious and error prone Often neglected when DNS operator != Registrar Registrar submits DS (or DNSKEY) records to registry Long DS TTLs leave little slack for errors: High risk of sustained down time Poorly executed backout also risky Often no validation by either the registry or registrar 3

  4. Sign and Pray Upload DS records into parent zone via registrar, often clunky web form Hope DS records are entered correctly Hope zone is correctly signed Hope no unexpected authoritative nameserver bugs Hope no critical applications or users adversely affected (latent bug) No possibility of timely rollback Parent-side DS records often have one or two day TTLs How quickly can bad records be removed or updated? No parent-side DS validation gTLD registries obliged to publish DS records that brick your zone Critical production zones reluctant to deploy DNSSEC 4

  5. 5

  6. Critical zones Users and customers rely on and expect always on service Each minute of downtime carries substantial costs Disdain changes that can t be rolled out regionally and progressively Instill a roll back first, debug later culture Critical production zones reluctant to deploy DNSSEC 6

  7. Safer DNSSEC Short initial DS RRset TTLs Prompt DS rollback and update Pre-publication DS validation 7

  8. Short initial DS TTLs (Registry) DS RRsets get a short initial TTL after any change Not just when zone is first delegated signed Initial TTL as low as ~60s! TTL can grow (incrementally or just once) when resigned unchanged Resigning could be expedited (hours rather than days) while the TTL is low Opt-in or default for all delegations? Is there a role for signalling from the child zone? Via TTL of CDS or DNSKEY RRsets? 8

  9. Prompt rollback (Registry and Registrar) At most minutes to remove DS or update to prior working state Presumes short TTL to be effective Naturally implies prompt signing of new NSEC/NSEC3 record if DS is removed, or new DS RRSIG if DS updated (note, subject to validation!) Not compatible with Infrequent whole zone signing Is timeliness adequately covered under existing registry SLAs? e.g. ICANN gTLD requirements? 9

  10. Pre-publication DS validation Reject DS changes that invalidate child zone Via any of its (active) servers With respect to any of the signalled algorithms Should registrar staple validated CDS in-lieu of registry probing? Should validation be opt-in for some or default for all child zones? Should matching CDS be required to confirm DS changes? Too strict as default, would require prior opt-in Should NS and glue changes also be pre-validated? How does this relate to registry lock? [ A precedent for limited direct Registry to Registrant relationship ] 10

  11. Next Steps and request for feedback What else would be a practical means to reduce deployment risk? Looking for assistance and feedback Primarily Registry Operators (gTLD and ccTLD) ICANN Auth zone operators Critical zone registrants The DNS community 11

  12. Thank You. Q&A Related effort: https://datatracker.ietf.org/meeting/114/materials/slides-114-dnsop-slides- 114-dnsop-dry-run-dnnsec-00 DNSSEC (and DANE SMTP) deployment statistics: https://stats.dnssec-tools.org DANE DNSSEC running commentary: https://twitter.com/VDukhovni/with_replies 12

Related


Enamel Caries: Zones and Histopathology

Enamel Caries: Zones and Histopathology

ellie
Earth's Heat Zones and Celestial Events Explained

Earth's Heat Zones and Celestial Events Explained

zev
Qualified Opportunity Zones Tax Benefits

Qualified Opportunity Zones Tax Benefits

morris
Subdivision Analysis for Load Zones Optimization

Subdivision Analysis for Load Zones Optimization

anders
Challenges Faced in DNSSEC Deployment by Geoff Huston at APNIC June 2016

Challenges Faced in DNSSEC Deployment by Geoff Huston at APNIC June 2016

seraphine
Guidelines for Quarantine and Movement Control Zones and Premises

Guidelines for Quarantine and Movement Control Zones and Premises

eliel
DANE, DNSSEC, and TLS in Go6Lab

DANE, DNSSEC, and TLS in Go6Lab

kasz640
Mastering Safer Sex Negotiation for Sexual Health

Mastering Safer Sex Negotiation for Sexual Health

michal_m
Enhancing WHOIS Updates with DNSSEC, ASPLAIN, and Abuse Contact Implementation

Enhancing WHOIS Updates with DNSSEC, ASPLAIN, and Abuse Contact Implementation

lash_9
Export Marketing and Promotion Organizations in India

Export Marketing and Promotion Organizations in India

khiarac
Distribution Pattern of River Zones in China

Distribution Pattern of River Zones in China

wite691
STIs and Safer Sex Awareness Jeopardy Game

STIs and Safer Sex Awareness Jeopardy Game

hol_mc
Evolution of DNSSEC Implementation at Nominet

Evolution of DNSSEC Implementation at Nominet

hieu_7
Target Heart Rate Zones for Optimal Exercise Benefits

Target Heart Rate Zones for Optimal Exercise Benefits

nie_wag
SaudiNIC's Experience in Deploying DNSSEC

SaudiNIC's Experience in Deploying DNSSEC

pray
DNSSEC: Adding Digital Signatures to DNS Responses

DNSSEC: Adding Digital Signatures to DNS Responses

sdaco
Evaluation of Ed25519 Cryptography Performance in DNSSEC Validation

Evaluation of Ed25519 Cryptography Performance in DNSSEC Validation

lresc
Trip Rates and Balancing Productions and Attractions in Urban Planning

Trip Rates and Balancing Productions and Attractions in Urban Planning

daro186
Candle Flame Temperature through Color Zones Model

Candle Flame Temperature through Color Zones Model

keadonr
Evolution of ARIN: RPKI and DNSSEC Implementation

Evolution of ARIN: RPKI and DNSSEC Implementation

rboye
Innovative Road Safety Campaigns to Promote Safer Traffic Worldwide

Innovative Road Safety Campaigns to Promote Safer Traffic Worldwide

ndema
Opportunity Zones in Rural Indiana: Driving Investments in High-Need Communities

Opportunity Zones in Rural Indiana: Driving Investments in High-Need Communities

geer484

More Related Content