
DNS operator/registrar changes toolkit of actions

DNS operator/registrar changes: toolkit of actions. Steve Crocker, Ólafur Guðmundsson, Shinkuro, 2011/03/26. Outline of presentation: DNS operator change toolkit and analysis; DNSSEC operations changes toolkit; DNSSEC operator change implications; different paths for DNSSEC operator changes.



Presentation Transcript


  1. DNS operator/registrar changes: toolkit of actions. Steve Crocker, Ólafur Guðmundsson, Shinkuro, 2011/03/26

  2. Outline of presentation
  • DNS operator change toolkit and analysis
  • DNSSEC operations changes toolkit
  • DNSSEC operator change implications
  • Different paths for DNSSEC operator changes
  • R2 + R3 implications
  • Fitting the paths to different registries

  3. Ground rules: Respect DNS properties
  • Create DNS processes that are universal
  • Only talk about DNS-visible actions
    • Communication path to parent ignored
    • Communication with registrar ignored
  • Only talk about DNS roles
    • Parent
    • Old and New Operator
  Once we understand the DNS effects we can map additional communication and parties into the processes.

  4. Notation used
  • Lower case: contents from old operator
  • Upper case: contents from new operator
  • k, K: Key Signing Keys
  • z, Z: Zone Signing Keys
  • n, N: Nameserver sets
  • d, D: DS records pointing to k or K respectively
  • r, R: DNS data
  • r(z): RRset signed by z (from old operator)

  5. Timing issues
  • All waits are expressed as the TTL of an RRset
  • The timer actually starts once the LAST name server for that operator reflects the change
  • When a rule has a MAX that covers TTLs from two operators (parent and child), the second party's TTL has the delay to perform the action added to its value
  • For simplicity we assume the parent performs its actions before the child, but in some cases the order does not matter

  6. Simple DNS Operator Change: NOT TRUE
  • O-1: New Operator sets up servers with zone contents
  • O-2: Parent changes NS to point to new operator
  • O-3: Old operator possible actions
    • O-3.1 Changes NS to new operator
    • O-3.2 Lowers TTL on NS
    • O-3.3 Turns off service
    • Combination O-3.1 + O-3.3 or O-3.2 + O-3.3
    • O-3.4 Does nothing and keeps serving (BAD)

  7. DNS Operator change (cont), Path 1: Turn off
  [Flow diagram. Legend: BLUE = New Operator, Red = Parent, Green = Old Operator, Orange = time to wait as TTL of RRset, simple arrow = precedence. Steps: O-1 Zone, O-2 NS, O-3.3 Stops after Max(NS Par, NS Child).]

  8. DNS Operator change (cont), Path 2: Lower TTL
  [Flow diagram. Steps: O-3.1 NS (Child NS), O-1 Zone, O-2 NS, O-3.3 Stops after Max(NS Par, NS Child).]

  9. DNS Operator change (cont), Path 3: Changes NS set
  [Flow diagram. Steps: O-1 Zone, O-2 NS, O-3.2 TTL (Child NS), O-3.3 Stops after Max(NS Par, NS Child).]

  10. DNS Operator change (cont), Path 4: Continues Service
  [Flow diagram. Steps: O-1 Zone, O-2 NS, O-3.4 Keeps.]

  11. DNS Operator change (cont), All alternative paths
  [Flow diagram combining Paths 1-4: O-3.1 NS (Child NS), O-1 Zone, O-2 NS, O-3.2 TTL (Child NS), O-3.3 Stops after Max(NS Par, NS Child), O-3.4 Keeps.]

  12. Effects of operator behavior on resolvers that know the domain
  Child-sticky resolver == a resolver that uses the NS set from the child AND extends the TTL each time it sees a new copy of the NS set (TTL stretching).

  13. Predictable DNS operator change
  • We need to know/find out how the old operator will behave during the process
  • Cooperative:
    • O-3.1 + O-3.3
    • or O-3.2 + O-3.3
  • Minimally cooperative:
    • O-3.3 upon request
  • Un-cooperative:
    • O-3.4
    • or O-3.3 at a random time

  14. DNSSEC zone operations
  • DNSSEC complicates life somewhat
  • The following slides express the actions performed in each of the following operations:
    • Roll over Zone Signing Key (dual key)
    • Roll over Key Signing Key (single KSK, dual DS)
    • Turn on DNSSEC for a zone
    • Turn off DNSSEC for a zone
  • DNSSEC operator change builds upon all these

  15. DNSSEC in a nutshell
  • Trust chain
    • DS → DNSKEY → RRSIG
    • DS → KSK → ZSK → RRSIG
  • Referral chain
    • NSp, DS → NSc, DNSKEY → RR → RRSIG
    • NSp == NS set from parent
    • NSc == NS set from child

  16. Key rollover: Z-1..5, ZSK change z → Z
  • Actions
    • Z-1: Generate Z
    • Z-2: Add Z to DNSKEY RRset
    • Wait > DNSKEY TTL
    • Z-3: Sign first RRset with Z
    • Z-4: Sign last RRset with Z
    • Wait MAX TTL, the largest TTL in the zone
    • Z-5: Remove z from DNSKEY set
  State table (DNSKEY set / RR data) after each step: kz / rz → kzZ / rz → kzZ / rz,rZ → kzZ / rZ → kZ / rZ

  17. KSK rollover: K-1..4, k → K, dual DS, single KSK
  • Actions
    • K-1: Generate K, calculate D
    • K-2: Add D to DS in parent
    • Wait DS TTL
    • K-3: Replace k with K in DNSKEY RRset and sign with K
    • Wait Max(DS TTL, DNSKEY TTL)
    • K-4: Remove d from DS
  [State table with Child (DNSKEY) and Parent (DS) columns, running from kz / d to Kz / D.]

  18. Going signed: S-1..3
  • S-1: Set up keys
    • Z-1 + Z-2
    • K-1 + K-3
    • Wait: Negative TTL for zone
  • S-2: Sign zone
    • Z-3 + Z-4
    • Wait: MAX TTL in zone
  • S-3: Create trust path / Add DS
    • K-2
  State table (Child DNSKEY / RR data / Parent DS): kz / r / - → kz / rz / - → kz / rz / D

  19. Going Unsigned: U-1..3
  • Actions
    • U-1: Remove DS from parent
    • Wait: DS TTL + DNSKEY TTL
    • U-2: Remove signatures from zone
    • Wait: MAX TTL in zone
    • U-3: Delete DNSKEY RRset
  State table (Child DNSKEY / RR data / Parent DS): kz / rz / d → kz / rz / - → kz / r / - → - / r / -

  20. DNSSEC Paths for operator change
  • 3 basic paths possible
    • Going Unsigned: DNSSEC is turned off and will not be turned on again (undesirable but dictated by new operator capabilities)
    • Intermediate unsigned step: the DNSSEC trust chain is broken during the change but DNSSEC will be turned on again after the operator change
    • Ripple free: DNSSEC validation works throughout the whole operator change process
  • Ripple free is our goal, but the second one is needed when the old operator is not cooperative.

  21. Ripple Free DNSSEC preconditions
  • Old operator
    • Is DNSSEC capable
    • Is cooperative (O-3.3 upon request)
    • Will do O-3.1 (or O-3.2)
    • Will add Z to DNSKEY set
  • Parent
    • Will accept DS for a key not in DNSKEY
  • New operator
    • Is DNSSEC capable
  • No sharing of keys

  22. Signed → Unsigned operator change
  Actions
  • New brings up zone: O-1
  • Parent deletes DS: U-1
  • Parent changes NS: O-2
  • Wait: MAX(parent NS, old child NS)
  • Old phases out: O-3
  • Done

  23. Going Unsigned operator change
  [Flow diagram. Steps: 1 DS del (wait DS + DNSKEY), 2 New sets up, 3 NS changed (wait Max(cNS, pNS)), 4 NS change / Old turns off (Child NS), 5 Done.]

  24. Signed -> Unsigned -> Signed operator change
  Actions
  • New brings up zone: O-1
  • Parent deletes DS: U-1
  • Wait: DS + DNSKEY TTL
  • Parent changes NS: O-2
  • Wait: MAX(parent NS, old child NS)
  • Old phases out: O-3 (O-3.1 + O-3.3 or O-3.1 + O-3.2)
  • Parent inserts DS: K-4
  • Done

  25. Signed -> Unsigned -> Signed operator change
  [Flow diagram. Steps: 1 Del DS (wait DS + DNSKEY), 2 New zone, 3 NS change (wait MAX(cNS, pNS)), 4a NS change (cNS) / 4b Stops (wait MAX TTL), 5 Add DS (wait DS), 6 Done.]

  26. Ripple Free operator change
  Actions
  • New brings up zone: O-1, Z-1, Z-3, Z-4, K-1, K-3
  • Old adds Z to DNSKEY: Z-2
  • Parent adds D to DS: K-2
  • Parent changes NS: O-2
  • Wait: MAX(parent NS, old child NS)
  • Old phases out: O-3.1 + O-3.3
  • Parent deletes d from DS: K-4
  • New deletes z from DNSKEY: Z-5
  • Done

  27. Ripple free DNSSEC operator change
  [Flow diagram. Steps: 1 New sets up; 2 Old adds Z; 3 Parent adds D; 4 NS change; 5.a NS change / 5.b Old stops; 6 delete d; 7 delete z; 8 Done. Waits shown: oDNSKEY, DS, Max(cNS, pNS), cNS, MAX-TTL, nDNSKEY.]
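As an added example (not part of the presentation), the following Python models the ripple-free path of slides 21 and 26 as a sequence of resolver-visible states and checks the slide 15 trust chain at every step, then runs the same NS change without the Z-2/K-2 pre-publication to show where validation breaks. Key names follow slide 4; the state structures, helper names and the single-signer-per-operator simplification are assumptions of this example.

```python
# Added model of the operator-change paths, not from the presentation.
# Notation follows slide 4: lower case = old operator's keys, upper case = new
# operator's keys; d and D are the DS records pointing at k and K. A step is
# (name, parent DS set, operators a resolver may still reach, what each serves).
DS_TARGET = {"d": "k", "D": "K"}  # DS record -> the KSK it authenticates

def chain_valid(ds_set, dnskey, signers):
    """DS -> KSK -> ZSK -> RRSIG (slide 15) against one operator's DNSKEY set.
    A resolver may hold cached data signed by either reachable operator, so
    every signer in play must be present in this DNSKEY set as well."""
    ksk_ok = any(DS_TARGET[ds] in dnskey for ds in ds_set)
    return ksk_ok and signers <= dnskey

def step_ok(ds_set, reachable, served):
    """True if validation succeeds whichever reachable operator is queried."""
    signers = {served[op]["signer"] for op in reachable}
    return all(chain_valid(ds_set, served[op]["dnskey"], signers)
               for op in reachable)

def run(path):
    """Return [(step name, validates?)] for a list of steps."""
    return [(name, step_ok(ds, reach, served)) for name, ds, reach, served in path]

def ripple_free():
    """Slide 26 steps with the slide 21 preconditions in place."""
    old = {"dnskey": {"k", "z"}, "signer": "z"}
    old_z2 = {"dnskey": {"k", "z", "Z"}, "signer": "z"}  # after Z-2
    new = {"dnskey": {"K", "Z", "z"}, "signer": "Z"}  # z kept until Z-5
    new_z5 = {"dnskey": {"K", "Z"}, "signer": "Z"}
    return [
        ("O-1: new brings up zone, not yet reachable", {"d"}, {"old"}, {"old": old}),
        ("Z-2: old adds Z to DNSKEY", {"d"}, {"old"}, {"old": old_z2}),
        ("K-2: parent adds D", {"d", "D"}, {"old"}, {"old": old_z2}),
        ("O-2: NS changed, both reachable for MAX(pNS, cNS)", {"d", "D"},
         {"old", "new"}, {"old": old_z2, "new": new}),
        ("O-3.1 + O-3.3: old stops", {"d", "D"}, {"new"}, {"new": new}),
        ("K-4: parent deletes d", {"D"}, {"new"}, {"new": new}),
        ("Z-5: new deletes z", {"D"}, {"new"}, {"new": new_z5}),
    ]

def no_prepublish():
    """Same NS change without Z-2 and K-2: mixed caches during the overlap go bogus."""
    old = {"dnskey": {"k", "z"}, "signer": "z"}
    new = {"dnskey": {"K", "Z"}, "signer": "Z"}
    return [("O-2: NS changed, both reachable", {"d"}, {"old", "new"},
             {"old": old, "new": new})]

if __name__ == "__main__":
    for name, ok in run(ripple_free()) + run(no_prepublish()):
        print("ok  " if ok else "FAIL", name)
```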

  28. Shortest time of paths
  • DNS only operator change: A = max(cNS, pNS)
  • Going Unsigned: B = A + DS + DNSKEY
  • Broken trust chain: C = DS + DNSKEY + max(A + cNS, MAX-TTL)
  • Ripple Free: D = B + max(MAX-TTL + oDNSKEY, DS + DNSKEY)
