Upload File

signing the root

26
DNSSEC for the Root Zone LACNIC XIII Curacao, Netherlands Antilles May 2010 Mehmet Akc cin, ICANN Tuesday, May 18, 2010

Upload: mehmet-akcin

Post on 28-Nov-2014

470 views

Category:

Technology


1 download

Report

DESCRIPTION

DNSSEC Signing the Root

TRANSCRIPT

Page 1: Signing the Root

DNSSECfor the Root Zone

LACNIC XIII Curacao, Netherlands Antilles

May 2010

Mehmet Akcin, ICANNMehmet Akcin, ICANN

Tuesday, May 18, 2010

Page 2: Signing the Root

This design is the result of a cooperation between ICANN & VeriSign withsupport from the U.S. DoC NTIA

Tuesday, May 18, 2010

Page 3: Signing the Root

Quick Recap

• 2048-bit RSA KSK, 1024-bit RSA ZSK

• Signatures with RSA/SHA-256

• Split ZSK/KSK operations

• Incremental deployment

• Deliberately Unvalidatable Root Zone (DURZ)

• more information @ www.root-dnssec.org

Tuesday, May 18, 2010

Page 4: Signing the Root

DURZ Deployment

• The Deliberately Unvalidatable Root Zone (DURZ) deployment started on 27 January.

• As of 5 May, all 13 root servers are serving the DURZ.

Tuesday, May 18, 2010

Page 5: Signing the Root

Pre-DURZ 2010-01-19 ✔

L 2010-01-27 ✔

A 2010-02-10 ✔

I,M 2010-03-03 ✔

D, E, K 2010-03-24 ✔

B,C,F,G,H 2010-04-14 ✔

J 2010-05-05 ✔

DURZ Data Collections

Tuesday, May 18, 2010

Page 6: Signing the Root

Tuesday, May 18, 2010

Page 7: Signing the Root

L-Root’s DURZ Date01/26/10

Tuesday, May 18, 2010

Page 8: Signing the Root

Tuesday, May 18, 2010

Page 9: Signing the Root

Tuesday, May 18, 2010

Page 10: Signing the Root

All Roots serving DURZ Date 05/05/10

Tuesday, May 18, 2010

Page 11: Signing the Root

Tuesday, May 18, 2010

Page 12: Signing the Root

L-Root’s DURZ Date01/26/10

Tuesday, May 18, 2010

Page 13: Signing the Root

All Roots serving DURZ Date 05/05/10

Tuesday, May 18, 2010

Page 14: Signing the Root

Tuesday, May 18, 2010

Page 15: Signing the Root

Tuesday, May 18, 2010

Page 16: Signing the Root

UDP Priming Query Ratefor the previous month

as of 2010 05 01 00:00:00

Date/Time, UTC

MAR31 APR5 APR10 APR15 APR20 APR25 APR30

Que

ries

Per S

econ

d

0

50

100

150

200

250

300

350

400

450A rootC rootD rootE rootF rootG rootH rootJ rootL rootM root

Tuesday, May 18, 2010

Page 17: Signing the Root

UDP Priming Query Ratefor the previous month

as of 2010 05 01 00:00:00

Date/Time, UTC

MAR31 APR5 APR10 APR15 APR20 APR25 APR30

Que

ries

Per S

econ

d

0

50

100

150

200

250

300

350

400

450A rootC rootD rootE rootF rootG rootH rootJ rootL rootM root

A single nameserver instance with

max-cache-ttl=0

Tuesday, May 18, 2010

Page 18: Signing the Root

DS Change Requests

• Approach likely to be based on existing methods for TLD managers to request changes in root zone.

• Anticipate being able to accept DS requests in early June.

Tuesday, May 18, 2010

Page 19: Signing the Root

Policy Update

• Updated versions of the draft KSK and ZSK DNSSEC Practice Statements (DPS) will be published shortly.

‣ Not much has changed substantively, but please read these practice statements – answers to most questions regarding DNSSEC for the Root Zone can be found in the DPS.

Tuesday, May 18, 2010

Page 20: Signing the Root

TCR Update

• Trusted Community Representative Applications were submitted between 13-24 April 2010.

• 61 Total Applications

‣ 5 from LACNIC

‣ Background checks are being completed.

Tuesday, May 18, 2010

Page 21: Signing the Root

KSK Ceremonies

• First ceremony will take a place in ICANN KSK East Coast Facility in Culpeper, Virginia

• 16 June 2010

‣ More information will be posted on website http://www.root-dnssec.org

Tuesday, May 18, 2010

http://www.root-dnssec.org
http://www.root-dnssec.org
Page 22: Signing the Root

DocumentationAvailable at www.root-dnssec.org

• Requirements

• High Level Technical Architecture

• DNSSEC Practice Statements (DPS)

• Trust Anchor Publication

• Deployment Plan

• KSK Ceremonies Guide

• TCR Proposal

• Resolver Testing with a DURZ

• DS Record Handling

• DNSSEC Key Management Implementation

Tuesday, May 18, 2010

http://www.root-dnssec.org
http://www.root-dnssec.org
Page 23: Signing the Root

Next Steps

• 2010-06-16: First Key Signing Key (KSK) Ceremony

‣ Culpeper, US (ICANN East Coast KSK facility)

• 2010-07-15: Distribution of validatable, production, signed root zone; publication of root zone trust anchor

‣ More data analysis and dodging meetings and holidays.

Tuesday, May 18, 2010

Page 24: Signing the Root

Questions & Answers

Tuesday, May 18, 2010

Page 25: Signing the Root

[email protected]

Tuesday, May 18, 2010

Page 26: Signing the Root

Root DNSSEC Design Team

Joe AbleyMehmet AkcinDavid BlackaDavid ConradRichard LambMatt Larson

Fredrik LjunggrenDave Knight

Tomofumi OkuboJakob SchlyterDuane Wessels

Tuesday, May 18, 2010


GlassFish OpenSSO CAC Authentication Deployment ... · GlassFish OpenSSO CAC Authentication Deployment Configuration Guide ... Load the OCSP Signing Certificate and DoD CA PKI Root

Rolling the Root Zone DNSSEC Key Signing Key

Rolling the Root - DNS-OARC (Indico) · 3/30/2016  · The Root Zone Key Signing Key signs the DNSKEY RR set of the root zone • The Zone Signing Key (ZSK) signs the individual root

Signing Statements, Executive orders, Executive Agreements Signing statements:

Signing the root with DNSSEC

RSA Root Signing Service Certificate Policy · RSA Root Signing Service Certificate Policy v.3.0 RSA Security Inc. Page iii 6/7/2007 Table of Contents CERTIFICATE POLICY SUMMARY

New and Improved DocuSign Signing Experience Signing Experience... · New and Improved DocuSign Signing Experience Information Guide 6. New Signing Experience Flow . The new and improved

Root KSK Protection and Key Ceremonies - ICANN · Root KSK Protection and Key Ceremonies ICANN DNS Symposium: Madrid, Spain 13 May 2017. The Root Key Signing Key • As part of its

SPECIFIC SERVICE SIGNING › OOTS › LOGOBROCHURE.pdfThe Specific Service Signing (Logo Program) provides approved signing along designated Maryland state highways that guide the

K-Root DNSSEC Signing Plans

LACNOG Sao Paolo October 2010 Mehmet Akcin · Signing the Root LACNOG Sao Paolo October 2010 Mehmet Akcin Tuesday, October 19, 2010. AS SEEN IN ROOT and my T-Shirt. IN DS 19036 8

Saving the Internet from doom (DNSSEC and IPv6)ipv6... · DNSSEC has been difficult to deploy ‣ And why “signing the root” is considered so important — it theoretically allows

Rolling the Root Zone DNSSEC Key Signing Key · • DNSSEC has three kinds of records that, in some loose definition, hold cryptographic key data. The records exist because of the

The Day The Root Got Signed - North American … · The Day The Root Got Signed VeriSign, Inc. Root Zone Team . 2 2 Outline VeriSign’s role in signing the root zone – Key management

THE RSA ROOT SIGNING SERVICE Certification Practice ... · THE RSA ROOT SIGNING SERVICE Certification Practice Statement For RSA Certificate Authorities (CAs) Last Revision Date:

Preparing for the Root KSK Rollover, 11 October 2017...| 3 What you need to know; changing the root key signing key •ICANN is changing (rolling) the top cryptographic key used in

Rolling the Root · Key Terms: KSK • The Root Zone Key Signing Key signs the DNSKEY RR set of the root zone – The Zone Signing Key (ZSK) signs the individual root zone entries

Signing The Contract

DNSSEC for the Root Zone · DNSSEC Policy & Practice Statement • States the practices and provisions that are employed in root zone signing and zone distribution services ‣ Issuing,

New – August 2013 Delegation of Contract Signing Authority The delegation of contract signing authority was created to provide written guidance for signing

Signing Away The Future

Rolling the Root Zone DNSSEC Key Signing Key · DNSSEC Key Management in the Root Zone ¤ DNSSEC key management is divided into: o Key Signing Key (KSK), self-signs the key set o

Urban Freeway Signing and the Freeway Signing Handbook

Signing of the twinning protocol between Larnaca and ...eanw.info/enzilkopedia/bulanov/signing-of-twinning-protocol.pdf · Signing of the twinning protocol between Larnaca and Vladimir

CCNSO MEMBERS MEETING IANA Names Function Update · 2017-11-13 · • Rolling the Root Zone Key Signing Key • Performance reporting • Customer Survey. New DNSSEC algorithm support

Jobseeker’s Allowance signing trials - Welcome to GOV.UK · PDF fileJobseeker’s Allowance Signing Trials Executive summary The standard signing regime for Jobseeker’s Allowance

Jobseeker’s Allowance signing trials · Jobseeker’s Allowance Signing Trials Executive summary The standard signing regime for Jobseeker’s Allowance (JSA) requires claimants

signing in the rain

VeriSign Root Zone Signing Proposal

cen-ETSI Signing in the cloud · ETSI ESI Workshop : Signing in the Cloud CEN Server signing TS 419 241 part 1 What is Server Signing ? 01 SERVER SIGNING This is a networked server

Rolling the Root - ICANN · • The Root Zone Key Signing Key signs the DNSKEY RR set of the root zone – The Zone Signing Key (ZSK) signs the individual root zone entries • The

“SIGNING” WITHOUT SIGNING What Estate Planners Should Know

Signing Away the American Dream - VOICE VOICE Robo-Signing... · Signing Away the American Dream A Citizen Investigation into Robo-Signing in Prince William County, Manassas, and

DNSSEC for the Root Zone · DNSSEC Practice Statement • States the practices and provisions that are employed in root zone signing and zone distribution services ‣ Issuing, managing,

Validating Digital Signatures in Adobe€¦ · Usually, the digital certificates are issued by a Root CA (Certification Authority). If the Root CA that issued the signing certificate