KSK Sentinel
DNSSEC, .PR 2018-03 v0.2, draft-ietf-dnsop-kskroll-sentinel
Geoff Huston, Joao Silva Damas, Warren Kumari
10 pages

KSK Sentinel - indico.dns-oarc.net

Apr 25, 2020

Transcript
Page 1:

KSK Sentinel

DNSSEC, .PR 2018-03 v0.2

draft-ietf-dnsop-kskroll-sentinel

Geoff Huston, Joao Silva Damas, Warren Kumari

Page 2:

What's the problem?

We need (want) to roll the DNSSEC trust anchor, the root KSK. Users behind a validating resolver that doesn't have the new KSK break: once the old key is gone, everything looks BOGUS. We have no way of measuring deployment of the new key, and so don't know who (and how many!) will break.

Page 3:

Wait! RFC8145?!

Sadly, no. RFC 8145 provides reporting from resolvers (which trust anchors each one holds), not from users.

I have a validating resolver in my basement... it doesn't have the new key :-( but no-one is using it :-) If a resolver falls in the forest, but no-one is using it, does it matter?!

Page 4:

Pretty graphs!

??

Page 5:

Sentinel

1. Requires a (simple) resolver update
2. Allows anyone to set up a measurement service
3. Exposes the result to the users

The change

Just before sending the response (after resolution and validation), look at the leftmost label of the query name:

kskroll-sentinel-is-ta-[key].something? If the resolver has that key as a trust anchor, reply normally, else SERVFAIL

kskroll-sentinel-not-ta-[key].something? If the resolver does NOT have that key as a trust anchor, reply normally, else SERVFAIL

Page 6:

Example

I'm a validating resolver. I support sentinel. I have the new KSK (20326).

I get a query for invalid.example.com: it fails DNSSEC validation, so SERVFAIL.

I get a query for kskroll-sentinel-is-ta-20326.example.com: I resolve it and get 192.0.2.23. I have (and am using) KeyID 20326, so I answer with 192.0.2.23.

I get a query for kskroll-sentinel-not-ta-20326.example.com: I resolve it and get 192.0.2.23. I do have (and am using) KeyID 20326, so I send SERVFAIL.

Page 7:

Yawn. So what?!

Do you see:

Fish? Not validating, the key roll doesn't affect you.
Kitten and Puppy? Legacy validating resolver, we cannot tell.
Kitten? You have the new key, you'll be fine.
Puppy? DANGER! You only have the old key.
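The resolver-side rule from the "The change" slide and the client-side reading from this slide, as one worked simulation. This is an added example, not code from the slides or from the draft: the Resolver class, sentinel_label(), classify() and probe() are this example's own names, the 192.0.2.23 answer is a constructed stand-in for whatever the sentinel zone serves, and the key tags used in the comments are the real root KSK tags (20326 for the 2017 key, 19036 for the 2010 key). The label prefix follows the draft shown on the slides; the published RFC 8509 renamed it to root-key-sentinel-{is,not}-ta- with a zero-padded five-digit key tag, so a deployed probe must use whichever form the resolver implements.

```python
"""Simulation of the KSK sentinel (draft-ietf-dnsop-kskroll-sentinel).

Added example, not code from the presentation or the draft.  Constructed
data: every name resolves to 192.0.2.23; the key tags 20326 (KSK-2017)
and 19036 (KSK-2010) are the real root KSK tags.
"""
import re

SERVFAIL = "SERVFAIL"
NOERROR = "NOERROR"

# Draft-era label syntax as on the slides.  RFC 8509 later renamed the
# prefix to root-key-sentinel-{is,not}-ta- with a 5-digit zero-padded tag.
_SENTINEL = re.compile(r"^kskroll-sentinel-(is|not)-ta-(\d+)$", re.IGNORECASE)

# Client-side verdicts, named after the pictures on the "Yawn. So what?!" slide.
NON_VALIDATING = "Fish: not validating, the key roll does not affect you"
LEGACY = "Kitten and Puppy: validating but legacy (no sentinel support), cannot tell"
HAS_NEW_KEY = "Kitten: validating and has the new key"
OLD_KEY_ONLY = "Puppy: DANGER, validating with only the old key"
INCONCLUSIVE = "inconclusive (e.g. the probes were answered by different resolvers)"


def sentinel_label(qname):
    """Return ('is'|'not', keytag) if the leftmost label is a sentinel label, else None."""
    first = qname.rstrip(".").split(".")[0]
    m = _SENTINEL.match(first)
    if m is None:
        return None
    return m.group(1).lower(), int(m.group(2))


class Resolver:
    """A recursive resolver; trust_anchor_tags are the key tags it holds as trust anchors."""

    def __init__(self, validating, sentinel_aware, trust_anchor_tags):
        self.validating = validating
        self.sentinel_aware = sentinel_aware
        self.trust_anchor_tags = set(trust_anchor_tags)

    def answer(self, qname, zone_is_bogus=False):
        """Resolve, validate, then apply the sentinel check, in the draft's order."""
        rdata = "192.0.2.23"  # constructed: every name resolves to this address
        if self.validating and zone_is_bogus:
            return SERVFAIL, None  # ordinary DNSSEC failure, sentinel never consulted
        label = sentinel_label(qname)
        if label is None or not (self.validating and self.sentinel_aware):
            return NOERROR, rdata  # non-sentinel name or legacy resolver: reply normally
        kind, keytag = label
        have_key = keytag in self.trust_anchor_tags
        # is-ta answers only when the key is held; not-ta only when it is not.
        if (kind == "is") == have_key:
            return NOERROR, rdata
        return SERVFAIL, None


def classify(invalid_rcode, is_ta_rcode, not_ta_rcode):
    """Map the three probe results to the verdict a measurement page would show."""
    invalid_ok = invalid_rcode == NOERROR
    is_ok = is_ta_rcode == NOERROR
    not_ok = not_ta_rcode == NOERROR
    if invalid_ok:
        return NON_VALIDATING
    if is_ok and not_ok:
        return LEGACY
    if is_ok and not not_ok:
        return HAS_NEW_KEY
    if not is_ok and not_ok:
        return OLD_KEY_ONLY
    return INCONCLUSIVE


def probe(resolver, keytag, suffix="example.com"):
    """Issue the three sentinel probes through one resolver and classify the result."""
    invalid, _ = resolver.answer(f"invalid.{suffix}", zone_is_bogus=True)
    is_ta, _ = resolver.answer(f"kskroll-sentinel-is-ta-{keytag}.{suffix}")
    not_ta, _ = resolver.answer(f"kskroll-sentinel-not-ta-{keytag}.{suffix}")
    return classify(invalid, is_ta, not_ta)


if __name__ == "__main__":
    for name, r in [
        ("new key, sentinel-aware", Resolver(True, True, {19036, 20326})),
        ("old key only, sentinel-aware", Resolver(True, True, {19036})),
        ("validating, legacy", Resolver(True, False, {19036})),
        ("not validating", Resolver(False, False, set())),
    ]:
        print(f"{name}: {probe(r, 20326)}")
```

The classification only holds when all three probes reach the same resolver; a client behind a pool of resolvers with mixed state can see the is-ta and not-ta names both fail, which is why the function reports that combination as inconclusive rather than guessing.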

Page 8:

Srsly? Kittens?!

Sadly, no...

Page 9:

...but kittens!!!

Sorry, still no... :-(

Demo: http://www.ksk-test.net

Page 10:

Questions?