Internet Corporation forAssigned Names & Numbers

Interim Trust Anchor Repository and UpdateAmsterdam, NetherlandsMay 2009

Interim Trust Anchor Repository

‣ A mechanism to publish keys of top-level domains thatcurrently implement DNSSEC

‣ If the root zone is DNSSEC signed, such a repository isunnecessary

‣ Therefore this is a stopgap measure

‣ Current plan is to decommission when the root is signed

Benefits

‣ Fully meets a set of recommendations provided byRIPE

‣ Simple to use for both top-level domain operators, andend users.

‣ Works with different DNS software, different protocols,etc. Non proprietary.

‣ Almost fully automated

‣ Helps DNSSEC deployment

itar.iana.org

Experiences

‣ TLD managers are frequently approving trust anchorsthat are wrong.‣ They don’t get listed because we check for matching

DNSKEY records‣ Except one, our bug: we didn’t compare algorithm type of DS

versus algorithm type of DNSKEY‣ Suggests no-one is actually checking the digests before

“approving” during the review phase‣ Were running ITAR privately for a couple of months -

asking TLDs to test and upload their anchors.‣ No real activity until it was publicly announced.

Requests from the community

‣ Ability to suppress NSEC3 records (done)

‣ Prohibit SHA1 digests

‣ Change to accepting DNSKEY records, not DS records

ICANN DNSSEC Update‣ We have been asked by the community - uk, .nz, .nl, .cz,

…, APNIC, ccNSO, RIPE and industry Google, Comcast,Intel, Paypal… - to sign the root.

‣ “Revelations” from the outside regarding DNSSEC

‣ I hear you can do cool things with DNSSEC

‣ Alternate/free source of trust for‣ spam filtering (DKIM)‣ free https:// certificates (SSL),‣ secure networking and authentication (IPSEC, SSHFP),‣ and …. who knows?‣ ….but you tell me

Why deploy DNSSEC?

‣ need to make DNSSEC deployable today

‣ "DNSSEC is the key to fixing the persistent authenticationproblems plaguing real-world, cross-organizationalbusiness for years,”

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=214501924&cid=RSSfeed

Behind ourtestbed

SIGNER

SIGNER

HSMKSK

HSMZSK

NSNS

TEST A

TESTM

ADMIN

RZM

ROOTDB

CLASS 5GSA NSASAFE

DUPLICATETO 2-3

INSTANCES

I-TAR

TLDOPERATO

RS

ns.iana.org

pch-test.iana.orgAnycast

SIGNER, NS:DELL 1950 /w2xPS, 2XSAS,2xCPU

HSM: AEPKEYPER FIPS140-2 Level 4(Disposable)

208.77.188.32

System status at:https://ns.iana.org/dnssec/status.html .arpa, in-addr.arpa, ip6.arpa, iris.arpa, urn.arpa, uri.arpa, .int,xn-”test” (DS: .se, .br, .bg, .pr, .cz, .th .museum,.gov.)

24 hr mannedmultiplebiometriccontrolledfacility, NSANSTISSP #10,GSA Class 5Container(approved forTop Secret)

10.0.1.X

10.0.2.X

204.61.216.37

TLDDATA

VETTING

PROCESS

199.7.81.10 199.7.81.15

F/W 2-factor auth forRZM

BOS

AMS

MIA

LAX

WATCHDOGSITES

TSIG

TLD OPERATORS

AND/OR

GOVERNMENTS

EXISTINGTRUSTRELATIONSHIPS

149.20.64.22 publicrecursive resolver

iana-testbed.odvr.dns-oarc.net

208.78.70.92,204.13.250.92,208.78.71.92,204.13.251.92Iana*.dyntld.net

Anycast

Go Ahead – Test It!‣ Public caching recursive validating DNSSEC name server at

149.20.64.22 (SFO). Thank you OARC / Duane!…and66.165.162.24 (MIA)

‣ See https://ns.iana.org/dnssec/status.html

‣ Masters:‣ 208.77.188.32 (ns.iana.org)

‣ anycast 204.61.216.37 (pch-test.iana.org) in Cairo, Nairobi,Johannesburg, Perth, Sydney, Dhaka, Jakarta, Hong Kong,Tokyo, Kuala Lumpur, Kathmandu, Auckland, Manila, Singapore,Paris, Frankfurt, Munich, Beirut, Amsterdam, Stockholm, London,Buenos Aries, Sao Paulo, Toronto, Puerto Rico, Boston, Seattle,Miami, etc... alongside some root servers. Thank you PCH.net!

‣ anycast 208.78.70.92, 204.13.250.92, 208.78.71.92,204.13.251.92 in Ashburn, VA; Chicago, IL; Palo Alto, CA; London, UK;Amsterdam, NL; Frankfurt, DE; Hong Kong, HK...alongside TLDservers. Thank you dyntld.com!

Opportunity

‣ If deployed DNSSEC:‣ Will be a critical tool in combating the global

nature of cyber crime allowing cross-organizational and trans-national authentication

‣ Can be an integral part of any cyber securityarsenal

‣ As a global security federation will be a platformfor cyber security innovation and internationalcooperation

Upcoming Event‣ Symposium on Deploying a Signed Root: Issues and Proposed

Solutions DNSSEC Coalition, June 11-12 DC‣ Key Distribution‣ Key Rollover‣ Trust and Transparency‣ Impact on ISPs and Resolvers‣ Contingency Plans

Thanks!