DNS operator/registrar changes: toolkit of actions
Steve Crocker, Ólafur Guðmundsson
Shinkuro, 2011/03/26
Outline of presentation
• DNS operator change toolkit and analysis
• DNSSEC operations changes toolkit
• DNSSEC operator change implications
• Different paths for DNSSEC operator changes
• R2 + R3 implications
• Fitting the paths to different registries
Ground rules: respect DNS properties
• Create DNS processes that are universal
  – Only talk about DNS-visible actions
  – Communication path to the parent is ignored
  – Communication with the registrar is ignored
• Only talk about DNS roles
  – Parent
  – Old and new operator
Once we understand the DNS effects we can map additional communication and parties into the processes.
Notation used
• Lower case: contents from the old operator
• Upper case: contents from the new operator
• k, K: Key Signing Keys
• z, Z: Zone Signing Keys
• n, N: nameserver sets
• d, D: DS records pointing to k or K respectively
• r, R: DNS data
• r(z): RRset signed by z (from the old operator)
Timing issues
• All waits are expressed as the TTL of an RRset. The timer actually starts once the LAST name server for that operator reflects the change.
• When a rule has a MAX that covers TTLs from two operators (parent and child), the second party's TTL has the delay to perform the action added to the value.
• We assume the parent will perform actions before the child, for simplicity; in some cases the order does not matter.
Simple DNS operator change: NOT TRUE
• O-1: New operator sets up servers with the zone contents
• O-2: Parent changes NS to point to the new operator
• O-3: Old operator's possible actions
  – O-3.1 Changes NS to the new operator
  – O-3.2 Lowers the TTL on NS
  – O-3.3 Turns off service
  – Combination O-3.1 + O-3.3 or O-3.2 + O-3.3
  – O-3.4 Does nothing and keeps serving (BAD)
DNS operator change (cont.): paths
[Figure, Path 1: Turn off. O-1 Zone (new) -> O-2 NS (parent) -> wait Max(NS Par, NS Child) -> O-3.3 Stops (old).]
[Figure, Path 2: Lower TTL. O-1 Zone (new) -> O-2 NS (parent) -> O-3.2 TTL (old); wait Max(NS Par, NS Child) and the Child NS TTL -> O-3.3 Stops (old).]
[Figure, Path 3: Changes NS set. O-1 Zone (new) -> O-2 NS (parent) -> O-3.1 NS (old); wait Max(NS Par, NS Child) and the Child NS TTL -> O-3.3 Stops (old).]
[Figure, Path 4: Continues service. O-1 Zone (new) -> O-2 NS (parent) -> O-3.4 Keeps (old).]
[Figure: all alternative paths combined in one diagram.]
Legend: BLUE: new operator; RED: parent; GREEN: old operator; ORANGE: time to wait, as TTL of the RRset; simple arrow: precedence.
Effects of operator behavior on resolvers that know the domain

Name          Old operator actions                                                                              Resolvers affected
Disruptive    O-3.3 at < max(Parent NS TTL, Child NS TTL)                                                       All types of resolvers
Big ripple    O-3.3 at > max(Parent NS TTL, Child NS TTL)                                                       Many child-sticky
Small ripple  O-3.2 after the parent changes; O-3.3 at > max(Parent NS TTL, time of O-3.2 + Child old NS TTL)  Few child-sticky
Ripple free   O-3.1 after the parent changes; O-3.3 at > max(Parent NS TTL, time of O-3.1 + Child old NS TTL)  None
Disjoint      O-3.4                                                                                             Some child-sticky

Child-sticky resolver == a resolver that uses the NS set from the child AND extends the TTL each time it sees a new copy of the NS set (TTL stretching).
Predictable DNS operator change
• We need to know/find out how the old operator will behave during the process
  – Cooperative: O-3.1 + O-3.3, or O-3.2 + O-3.3
  – Minimally cooperative: O-3.3 upon request
  – Un-cooperative: O-3.4, or O-3.3 at a random time
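The effects table above can be checked by simulating the two resolver behaviours it distinguishes. The Python below is an added example written for this page, not part of the slides: it models a parent-referral resolver (re-asks the parent when its cached NS set expires) and a child-sticky resolver (re-asks whichever operator its cached NS set names, stretching the TTL, and falls back to the parent only once that operator stops answering), sweeps every phase at which a resolver could have last fetched the old NS set, and reports the worst switch time and outage for each plan the old operator may follow. The `OldOperatorPlan` class, the fall-back-to-parent behaviour, the 10-day horizon and the TTL values are assumptions of this example, not from the deck.

```python
"""Worst-case resolver behaviour during a plain DNS operator change (added
example, not from the slides).  Times are seconds relative to O-2, the moment
the parent starts serving the new NS set.  O-3.x are the old operator's
actions as numbered in the deck."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class OldOperatorPlan:
    """What the old operator does after the parent has switched (assumption of
    this example: times are relative to O-2, None means the action never happens)."""
    ns_change: Optional[int] = None              # O-3.1: from this time old answers NS with N
    lower_ttl: Optional[Tuple[int, int]] = None  # O-3.2: (time, lowered TTL on its NS set)
    stop: Optional[int] = None                   # O-3.3: old stops answering; None = O-3.4


def parent_referral(pNS: int, plan: OldOperatorPlan, fetched_at: int):
    """Resolver that cached the parent's NS set (naming old) at fetched_at.
    Returns (time it moves to the new operator, seconds spent querying a dead operator)."""
    expires = fetched_at + pNS                   # next time it re-asks the parent
    outage = expires - plan.stop if plan.stop is not None and plan.stop < expires else 0
    return expires, outage


def child_sticky(cNS: int, plan: OldOperatorPlan, fetched_at: int, horizon: int):
    """Resolver that cached the child's NS set and refreshes it from whichever
    operator that set names (TTL stretching).  Returns (switch time, or None if it
    never leaves the old operator before horizon; outage seconds)."""
    ttl, t, outage = cNS, fetched_at, 0
    while True:
        expires = t + ttl                        # old is queried during [t, expires)
        if plan.stop is not None and plan.stop < expires:
            outage += expires - max(plan.stop, t)
        t = expires
        if t > horizon:
            return None, outage                  # still stretching n: disjoint
        if plan.stop is not None and t >= plan.stop:
            return t, outage                     # old is gone: fall back to parent, learn N
        if plan.ns_change is not None and t >= plan.ns_change:
            return t, outage                     # old itself answered N (O-3.1)
        if plan.lower_ttl is not None and t >= plan.lower_ttl[0]:
            ttl = plan.lower_ttl[1]              # old answered n with the lowered TTL (O-3.2)


def worst_case(pNS: int, cNS: int, plan: OldOperatorPlan, horizon: int = 10 * 86400) -> Dict:
    """Sweep every phase at which a resolver could have last fetched the old NS set
    before O-2 and keep the worst switch time and outage per resolver type."""
    result = {"parent_switch": 0, "parent_outage": 0, "child_switch": 0, "child_outage": 0}
    for fetched_at in range(-pNS, 0):
        switch, outage = parent_referral(pNS, plan, fetched_at)
        result["parent_switch"] = max(result["parent_switch"], switch)
        result["parent_outage"] = max(result["parent_outage"], outage)
    for fetched_at in range(-cNS, 0):
        switch, outage = child_sticky(cNS, plan, fetched_at, horizon)
        if switch is None or result["child_switch"] is None:
            result["child_switch"] = None        # some child-sticky resolver never moves
        else:
            result["child_switch"] = max(result["child_switch"], switch)
        result["child_outage"] = max(result["child_outage"], outage)
    return result


def classify(pNS: int, cNS: int, plan: OldOperatorPlan) -> Tuple[str, Dict]:
    """Name the outcome in the deck's terms from the measured effects."""
    r = worst_case(pNS, cNS, plan)
    if r["parent_outage"] > 0:
        name = "Disruptive"     # old stopped before cached parent NS sets expired
    elif r["child_switch"] is None:
        name = "Disjoint"       # O-3.4: child-sticky resolvers never move
    elif r["child_outage"] == 0:
        name = "Ripple free"
    elif plan.lower_ttl is not None and plan.lower_ttl[0] <= plan.stop:
        name = "Small ripple"   # outage bounded by the lowered TTL
    else:
        name = "Big ripple"     # outage up to a full stretched child NS TTL
    return name, r


if __name__ == "__main__":
    pNS, cNS = 3600, 7200       # constructed TTLs: parent NS 1h, child NS 2h
    for label, plan in [
        ("stop early", OldOperatorPlan(stop=1800)),
        ("stop after max TTL", OldOperatorPlan(stop=7201)),
        ("lower TTL, then stop", OldOperatorPlan(lower_ttl=(0, 300), stop=7201)),
        ("publish N, then stop", OldOperatorPlan(ns_change=0, stop=7201)),
        ("keep serving n", OldOperatorPlan()),
    ]:
        print(f"{label:22s} -> {classify(pNS, cNS, plan)}")
```

With the constructed TTLs, stopping at 7201 s without O-3.1 leaves a child-sticky resolver that refreshed n one second before the parent changed querying a dead operator for almost a full child NS TTL, while publishing N first (O-3.1) moves every such resolver over before the old servers go away, which is what the table's "ripple free" row claims.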
DNSSEC zone operations
• DNSSEC complicates life somewhat
• The following slides express the actions performed in each of these operations:
  – Roll over the Zone Signing Key (dual key)
  – Roll over the Key Signing Key (single KSK, dual DS)
  – Turn on DNSSEC for a zone
  – Turn off DNSSEC for a zone
• DNSSEC operator change builds upon all of these
DNSSEC in a nutshell
• Trust chain
  – DS -> DNSKEY -> RRSIG
  – DS -> KSK -> ZSK -> RRSIG
• Referral chain
  – NSp, DS -> NSc, DNSKEY -> RR, RRSIG
  – NSp == NS set from the parent
  – NSc == NS set from the child
Key rollover: Z-1..5, ZSK change z -> Z
• Actions
  – Z-1: Generate Z
  – Z-2: Add Z to the DNSKEY RRset
    • Wait > DNSKEY TTL
  – Z-3: Sign the first RRset with Z
  – Z-4: Sign the last RRset with Z
    • Wait MAX TTL, the largest TTL in the zone
  – Z-5: Remove z from the DNSKEY set

State after each step (DK = DNSKEY set, RR = zone data with the key that signed it):
  Step   DK    RR
  start  kz    rz
  Z-2    kzZ   rz
  Z-3    kzZ   rz, rZ
  Z-4    kzZ   rZ
  Z-5    kZ    rZ
KSK rollover: K-1..4, k -> K, dual DS, single KSK
• Actions
  – K-1: Generate K, calculate D
  – K-2: Add D to the DS set in the parent
    • Wait DS TTL
  – K-3: Replace k with K in the DNSKEY RRset and sign with K
    • Wait Max(DS TTL, DNSKEY TTL)
  – K-4: Remove d from the DS set

State after each step:
  Step   Child DNSKEY   Parent DS
  start  kz             d
  K-2    kz             dD
  K-3    Kz             dD
  K-4    Kz             D
Going signed: S-1..3
• S-1: Set up keys
  – Z-1 + Z-2
  – K-1 + K-3
  • Wait: negative TTL for the zone
• S-2: Sign the zone
  – Z-3 + Z-4
  • Wait: MAX TTL in the zone
• S-3: Create the trust path / add DS
  – K-2

State after each step:
  Step   Child DNSKEY   RR   Parent DS
  S-1    kz             r    -
  S-2    kz             rz   -
  S-3    kz             rz   D
Going unsigned: U-1..3
• Actions
  – U-1: Remove DS from the parent
    • Wait: DS TTL + DNSKEY TTL
  – U-2: Remove signatures from the zone
    • Wait: MAX TTL in the zone
  – U-3: Delete the DNSKEY RRset

State after each step:
  Step   Child DNSKEY   RR   Parent DS
  start  kz             rz   d
  U-1    kz             rz   -
  U-2    kz             r    -
  U-3    -              r    -
DNSSEC paths for operator change
• 3 basic paths are possible
  – Going unsigned: DNSSEC is turned off and will not be turned on again (undesirable, but dictated by the new operator's capabilities)
  – Intermediate unsigned step: the DNSSEC trust chain is broken during the change, but DNSSEC is turned on again after the operator change
  – Ripple free: DNSSEC validation works throughout the whole operator change process
• Ripple free is our goal, but the second one is needed when the old operator is not cooperative.
Ripple-free DNSSEC preconditions
• Old operator
  – is DNSSEC capable
  – is cooperative (O-3.3 upon request)
    • will do O-3.1 (or O-3.2)
    • will add Z to the DNSKEY set
• Parent
  – will accept a DS for a key that is not in the DNSKEY set
• New operator
  – is DNSSEC capable
• No sharing of keys
Signed -> Unsigned operator change
Actions
1. New brings up the zone
   – O-1
2. Parent deletes DS
   – U-1
3. Parent changes NS
   – O-2
   – Wait: MAX(parent NS, old child NS)
4. Old phases out
   – O-3
5. Done

State after each step:
  Step  Old       Parent  New
  0     kz,n,rz   d,n     -
  1     kz,n,rz   d,n     N,R
  2     kz,n,rz   n       N,R
  3     kz,n,rz   N       N,R
  4     X         N       N,R
  5     -         N       N,R
Going unsigned operator change
[Figure: timeline. 1 DS deleted by parent (wait DS + DNSKEY TTL) -> 2 New sets up -> 3 NS changed by parent (wait Max(cNS, pNS)) -> 4 NS change by old, then old turns off (wait Child NS TTL) -> 5 Done.]
Signed -> Unsigned -> Signed operator change
Actions
1. New brings up the zone
   – O-1
2. Parent deletes DS
   – U-1
   – Wait: DS + DNSKEY TTL
3. Parent changes NS
   – O-2
   – Wait: MAX(parent NS, old child NS)
4. Old phases out
   – O-3 (O-3.1 + O-3.3 or O-3.2 + O-3.3)
5. Parent inserts DS
   • K-2 (as in S-3)
6. Done

State after each step:
  Step  Old       Parent  New
  0     kz,n,rz   d,n     -
  1     kz,n,rz   d,n     N,KZ,RZ
  2     kz,n,rz   n       N,KZ,RZ
  3     kz,n,rz   N       N,KZ,RZ
  4     X         N       N,KZ,RZ
  5     -         N,D     N,KZ,RZ
  6     -         N,D     N,KZ,RZ
Signed -> Unsigned -> Signed operator change
[Figure: timeline. 1 Del DS (wait DS + DNSKEY TTL) -> 2 New zone -> 3 NS change by parent (wait MAX(cNS, pNS)) -> 4a NS change by old (wait cNS) -> 4b Old stops (wait MAX TTL) -> 5 Add DS (wait DS TTL) -> 6 Done.]
Ripple-free operator change
Actions
1. New brings up the zone
   • O-1, Z-1, Z-3, Z-4, K-1, K-3
2. Old adds Z to DNSKEY
   • Z-2
3. Parent adds D to DS
   • K-2
4. Parent changes NS
   • O-2
   • Wait: MAX(parent NS, old child NS)
5. Old phases out
   • O-3.1 + O-3.3
6. Parent deletes d from DS
   • K-4
7. New deletes z from DNSKEY
   • Z-5
8. Done

State after each step:
  Step  Old        Parent  New
  0     kz,n,rz    d,n     -
  1     kz,n,rz    d,n     N,KZz,RZ
  2     kzZ,n,rz   d,n     N,KZz,RZ
  3     kzZ,n,rz   n,dD    N,KZz,RZ
  4     kzZ,n,rz   N,dD    N,KZz,RZ
  5     X          N,dD    N,KZz,RZ
  6     -          N,D     N,KZz,RZ
  7     -          N,D     N,KZ,RZ
  8     -          N,D     N,KZ,RZ
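The step tables for the ripple-free path and for the Signed -> Unsigned -> Signed path can be checked mechanically. The Python below is an added example written for this page, not code from the slides: each step is encoded as the parent's DS and NS state plus what each operator publishes, the validator's trust-chain rule is applied (the DS must match a published KSK and the RRSIG must be made by a key in the DNSKEY set the resolver holds), and every mix of cached data a resolver could hold is tried, under the deck's timing assumption that each step waits at least one TTL so a cache combines at most steps s-1 and s. The `State` class, the 'secure'/'insecure'/'bogus' outcomes, the reachability rule for the two operators and the constructed variant in which the old operator skips step 2 are assumptions of this example; the variant shows why step 2 (old adds Z) and the new operator's publishing of z are both needed.

```python
"""Trust-chain check over the DNSSEC operator-change paths in the deck (added
example, not from the slides).  Lower case = old operator's material, upper
case = new operator's, following the deck's notation."""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Optional, Tuple

View = Tuple[FrozenSet[str], str]  # (published DNSKEY set, ZSK that signed the zone data)

@dataclass(frozen=True)
class State:
    ds: FrozenSet[str]   # KSKs the parent's DS set points to: d -> "k", D -> "K"
    ns: str              # operator the parent's NS set delegates to: "old" or "new"
    old: Optional[View]  # old operator's zone while it still serves, else None
    new: Optional[View]  # new operator's zone once its servers are up, else None

def validate(ds: FrozenSet[str], dnskeys: FrozenSet[str], rrsig_key: str) -> str:
    """Outcome a validating resolver reaches for one RRset of the zone."""
    if not ds:
        return "insecure"  # no DS at the parent: zone is treated as unsigned
    if not (ds & dnskeys):
        return "bogus"     # DS matches no published KSK: DNSKEY RRset cannot be trusted
    if rrsig_key not in dnskeys:
        return "bogus"     # RRSIG made by a key absent from the cached DNSKEY set
    return "secure"

def reachable(steps: List[State], j: int):
    """Zone views a resolver may fetch at step j: the old operator while it serves
    (child-sticky resolvers keep its NS set), the new one from the step at which
    the parent's NS set first points at it (assumption of this example)."""
    first_new = next((i for i, s in enumerate(steps) if s.ns == "new"), len(steps))
    views = {}
    if steps[j].old is not None:
        views[(j, "old")] = steps[j].old
    if steps[j].new is not None and j >= first_new:
        views[(j, "new")] = steps[j].new
    return views

def check_path(steps: List[State]):
    """Every (step, DS source, DNSKEY source, RRSIG source, outcome) that is not
    'secure'.  Assumption taken from the deck's timing rules: each step waits at
    least one TTL, so a cache mixes data from steps s-1 and s only."""
    problems = []
    for s in range(1, len(steps)):
        views = {**reachable(steps, s - 1), **reachable(steps, s)}
        for ds_step, dnskey_src, rrsig_src in product((s - 1, s), views, views):
            outcome = validate(steps[ds_step].ds, views[dnskey_src][0], views[rrsig_src][1])
            if outcome != "secure":
                problems.append((s, ds_step, dnskey_src, rrsig_src, outcome))
    return problems

def outcomes(steps: List[State]):
    """Set of non-secure outcomes seen anywhere along the path."""
    return {p[-1] for p in check_path(steps)}

def fs(*keys: str) -> FrozenSet[str]:
    return frozenset(keys)

k, z, K, Z = "k", "z", "K", "Z"

# Ripple-free path, one State per row of the deck's table (row 0 = starting state).
RIPPLE_FREE = [
    State(fs(k), "old", (fs(k, z), z), None),
    State(fs(k), "old", (fs(k, z), z), (fs(K, Z, z), Z)),        # 1 new publishes K, Z and old z
    State(fs(k), "old", (fs(k, z, Z), z), (fs(K, Z, z), Z)),     # 2 old adds Z (Z-2)
    State(fs(k, K), "old", (fs(k, z, Z), z), (fs(K, Z, z), Z)),  # 3 parent adds D (K-2)
    State(fs(k, K), "new", (fs(k, z, Z), z), (fs(K, Z, z), Z)),  # 4 parent changes NS (O-2)
    State(fs(k, K), "new", None, (fs(K, Z, z), Z)),              # 5 old stops (O-3.3)
    State(fs(K), "new", None, (fs(K, Z, z), Z)),                 # 6 parent deletes d (K-4)
    State(fs(K), "new", None, (fs(K, Z), Z)),                    # 7 new deletes z (Z-5)
]

# Constructed variant: the old operator never performs step 2.
SKIP_STEP_2 = [State(s.ds, s.ns, (fs(k, z), z) if s.old else None, s.new) for s in RIPPLE_FREE]

# Signed -> Unsigned -> Signed path, from the deck's table.
VIA_UNSIGNED = [
    State(fs(k), "old", (fs(k, z), z), None),
    State(fs(k), "old", (fs(k, z), z), (fs(K, Z), Z)),  # 1 new brings up zone (O-1)
    State(fs(), "old", (fs(k, z), z), (fs(K, Z), Z)),   # 2 parent deletes DS (U-1)
    State(fs(), "new", (fs(k, z), z), (fs(K, Z), Z)),   # 3 parent changes NS (O-2)
    State(fs(), "new", None, (fs(K, Z), Z)),            # 4 old phases out (O-3)
    State(fs(K), "new", None, (fs(K, Z), Z)),           # 5 parent inserts D
]

if __name__ == "__main__":
    for name, path in [("ripple free", RIPPLE_FREE), ("old skips step 2", SKIP_STEP_2),
                       ("via unsigned", VIA_UNSIGNED)]:
        print(f"{name:18s}", outcomes(path) or "secure throughout", check_path(path)[:2])
```

The ripple-free path produces no non-secure combination at any step. Dropping step 2 yields bogus results at steps 4 and 5: a resolver holding the old operator's DNSKEY set {k, z} while fetching a record from the new operator sees an RRSIG by Z it cannot match, which is exactly what having the old operator publish Z prevents. The path through an unsigned state never goes bogus, but every step between deleting the DS and re-adding it is only insecure.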
Ripple-free DNSSEC operator change
[Figure: timeline. 1 New sets up -> 2 Old adds Z (wait oDNSKEY TTL) -> 3 Parent adds D (wait DS TTL) -> 4 NS change by parent (wait Max(cNS, pNS)) -> 5.a NS change by old (wait cNS) -> 5.b Old stops (wait MAX-TTL) -> 6 delete d (wait DS TTL) -> 7 delete z (wait nDNSKEY TTL) -> 8 Done. oDNSKEY / nDNSKEY: DNSKEY TTL at the old / new operator.]
Shortest time of paths
• DNS-only operator change:  A = max(cNS, pNS)
• Going unsigned:            B = A + DS + DNSKEY
• Broken trust chain:        C = DS + DNSKEY + max(A + cNS, MAX-TTL)
• Ripple free:               D = B + max(MAX-TTL + oDNSKEY, DS + DNSKEY)