DNS/DNSSECandDomainTransfers:Aretheycompa:ble ?

OlafurGudmundssonSteveCrockerShinkuroinc.

{ogud,steve}@shinkuro.com

Background

•  ShinkurowasaskedbyORGtolookintohowDNSSECaffectstransfersofsigneddomains,–  Inpar:cularwhenRegistraroperatestheDNSservicefortheDomainholder.

•  Wehavespendmanymonthsworkingoutsolu:onsthatfitintotherealworld– RunningDNSSECtransfertestswithearlyadop:ngregistrarsfororg.

3/9/10 DNSandDNSSECoperatorchanges 2

Approach

•  Thispresenta:onisfromtheperspec:veoftheDNSprotocol,DNSsoUwareandisaimedathighligh:ngtherealworldissues.

•  Goals:– Eliminateand/orminimizeDNSresolu:onerrorsandservicecalls

– Minimizeworkby“old”operators

3/9/10 3DNSandDNSSECoperatorchanges

Approach(cont)

•  Assump:ons:– Allpar:esarewillingtobeminimallycoopera:ve.

• Withoutcoopera:onDNSresolu:onerrors

– OnlyDNSisbeingchangedallotherservicesareignored.

3/9/10 4DNSandDNSSECoperatorchanges

Approach(cont)

•  HowthebehaviorofcertainDNSarchitecturalelementsaffectthesteps,atthe:meof:

•  DNSoperatorchange•  Registrartransfer•  DNSSECkeychange

•  WhatDNScomponentsneedtobetakenintoaccountwhenchangingoperators

•  Parent/Registry/Registrarbehavior•  Authorita:veserverbehavior•  Resolver’sbehavior•  TTLvaluesandimpact

3/9/10 DNSandDNSSECoperatorchanges 5

RolesandNota:on•  Domainholder:(H)

–  Theen:tythathastheregistra:onforadomain•  DNSoperator:(O=old)(N=new)

–  OperatestheDNSserversforthedomainandmaintainsthezone•  Registrar:(R)

–  ThepartythattheDomainholderhascontractedwithtoregisterthedomain•  FromH’sperspec:veRegistryisnotvisible.

•  Parent:–  TheDNSdomainthathasthedelega:ontothezone

•  ContentProvider:–  Ignoredinthispresenta:on

•  Red=ERROR,Blue=Op:onal,Orange=notdesired/par:alfailure

3/9/10 6DNSandDNSSECoperatorchanges

DNScontrolplanefordomains:Recordtypes

•  NSliststhesetofhoststhatactasauthorita:venameserversforazone–  Appearsintwoplaces

•  asahintintheparent,unsigned•  Authorita:veinthechild,signed.

•  DNSKEYthekey(s)thatcansignthedatainthezone,–  Residesatthechildsizeofthedelega:on

•  DSthekey(s)authorizedtosignthechildDNSKEYset–  Residesattheparentsideofthedelega:on,signedbyparent.

3/9/10 7DNSandDNSSECoperatorchanges

Simplifiedmodel

•  Newoperatorcreatesandloadsazone– Dataisavailablebutnotvisibleasparentpointstooldoperator.

•  MomentofDNSchange:– WhenparentchangesNSsettopointtonewoperator.

•  Newoperator’sdatabecomesvisible

– BUT3/9/10 8DNSandDNSSECoperatorchanges

Complica:on#1:TTL

•  AllDNSRRsetscanbestoredandreusedbyDNSresolvers/cachesforcertain:meaUerrecep:on.– Resolversthatknowaboutoldoperatorwillkeepaskingoldoperatorun:ltheNSsetexpiries.•  Un:lNSsetexpirestheonlyreasonforresolvertoaskparentanyques:onaboutthedomainistorefreshtheDSrecord.

3/9/10 9DNSandDNSSECoperatorchanges

DNSOperatorChange:whathappens

Parent

Resolver

NewOld

Before

During

AUer

Complica:on#2:Resolverbehaviors

•  Centricity:•  SomeresolversonlyusetheNSsetfromthechild•  Othersjustusetheonefromtheparent

•  TTLstretching:•  Whenaniden?calcopyofacachedRRsetfromthesamesourceisseen–  someresolversusethenewcopytorefreshtheTTL

–  resolverscanbes:ckytooldoperator.•  Errorrecovery:

•  EvenwhenNONEoftheauthorita:veserversanswersresolverswillnotaskparentfornewercopyofNS.–  Thisiscommonoperatormistake/…….–  askingparentrepeatedlywillonlyyieldsamebaddata,

»  Onlycausesextraload

3/9/10 11DNSandDNSSECoperatorchanges

DNSoperatorchange(script)

•  Domainholder(H)isusingOasDNSoperator•  HasksNtobecomenewDNSoperator•  HassistsNininstan:a:ngacopyofthezone

–  Omayormaynotbeinvolved.•  NgivesHanewNSset.•  HviaR(registrar)tochangestheNSsettopointtoN•  HasksOtochangeitsNSsettoN’s

–  Thisisop:onalforO•  HwaitsforoldcopiesofNSsetstoexpirei.e.newNSsetto

becomegloballyvisible.•  HasksOtostopDNSservice

–  Oshouldstopserviceassoonaspossible.

3/9/10 12DNSandDNSSECoperatorchanges

Whatcangowrong:

•  IfOstopsservicebeforeparentNSischanged:–  TotalDNSfailureonalllookups

•  IfOstopsservicebeforeallresolvershavemigratedover:–  Someresolversmayexperienceoutage

•  Hardtodiagnoseasthisdependsonthestateoflocalresolvers•  IfOdoesnotstopservicewhenaskedto

–  Somechild‐centrics:ckyresolversmayneverdiscovertheoperatorchange

•  NisnotreadywhenNSischanged:–  DNSresolu:onfailure

3/9/10 13DNSandDNSSECoperatorchanges

TTLeffects

•  Howfastoperatorscanbechanged:isdictatedbytheTTLontheDNScontrolplaneRRsets!

•  InmanycasesthePARENTselectedTTL’sdominatethewait:mes.– ManyTLD’shaveTTL’sonNSsetsthatareinday’s

3/9/10 14DNSandDNSSECoperatorchanges

DNSSECoperatorchange

•  Assump:on:– NewandOldDNSoperatorswillusedifferentkeystosigndatainthezone.

•  Goal:– WanttoavoidbothDNSresolu:onfailuresandDNSSECvalida:onerrors!!•  Followsameapproach•  DuringchangeresolversMUSTbeabletovalidatesignaturesbybothoperators.

•  ActuallythisisKeyRolloverandOperatorchangerolledintoone

3/9/10 15DNSandDNSSECoperatorchanges

DNSSECprecondi:ons

•  DSsetMUSTcontainauthoriza:onforbothoperatorsKSK’sduringthechange

•  BothDNSKEYRRset’sMUSTcontainZSK’sforbothoperatorsduringchange.

•  NewDNSKEYandDSsetsMUSTbegloballyvisible– beforeNSsetinparentischanged.

3/9/10 16DNSandDNSSECoperatorchanges

Script:BeforeDNSSECoperatorchange

•  HcontractswithNtooperatezone•  Ninstan:atesazone,– GeneratesnewKSKandZSK,

•  DNSKEYsetincludesZSKOisusing.–  ProvidesHwithnewNSandDSrecords

•  HasksOtoaddN’sZSKtoitscopyofzone•  HviaRaddsN’sDSrecordtotheonesforO•  HwaitsfornewDSandDNSKEYtobecomegloballyvisible.–  Max(O’sNSTTL,P’sNSTTL,DSTTL)

3/9/10 17DNSandDNSSECoperatorchanges

OperatorChangeandaUer

•  HviaRchangesNSsettopointtoN•  HasksOtochangeNSsettopointtoN– Op:onalstep

•  HwaitsforoldNS’stoexpiremaxTTLonNSsets

•  HasksOtostopservice.•  Hwaitsforlaggardresolverstodetectchange•  HviaRtoremovesDSrecordsforO•  HasksNtoremoveZSKrecordsforO

3/9/10 18DNSandDNSSECoperatorchanges

Howcanchangegowrong?

•  OrefusestoaddN’sZSK– signedOperatorChangenotpossible

•  thisbehaviorcomplicatesthings.

•  Oturnsoffservicebeforechangesinparenthavehad:metopropagate– DNSresolu:onfailures.

•  HcannotupdateDSrecords– OperatorChangenotpossible

3/9/10 19DNSandDNSSECoperatorchanges

Considera:ons

•  Hdoesnotwaitlongenoughforolddataforexpirefromthesystem– Someresolversmayexperiencefailures

•  ThisisH’schoice

•  OdoesnotchangeNStoreflectN– Mi:ga:ons:

•  OcanslavefromNandthenthingsworkgreat

•  OcanlowerTTLonNSandDNSKEYtoforceresolverstoforgetitsNSset.

3/9/10 20DNSandDNSSECoperatorchanges

Nowbacktotherealworld

•  ThepreviousslidesassumedHknewwhattodoandhadtheabilitytodoso.– HcangiveNtheauthoriza:ontoperformitstasks

•  WhenRegistrarisalsotheDNSOperator

– ChangetheDNSOperatorfirst

– ThenchangetheRegistrar•  ISSUE:HnotabletoinsertnewDSrecordsbeforechange.

3/9/10 21DNSandDNSSECoperatorchanges

RegistryDNSSECrequirements

•  Signzoneandprocessupdatesinnearreal‐:me.

•  AcceptDSrecordsviaEPP– AcceptmorethanoneDSrecordperdelega:on

•  Orgallows12•  RolloversworkbeserifDSispublishedbeforechange

– Op:onal:acceptDNSKEYrecordsandgenerateDSrecords

3/9/10 22DNSandDNSSECoperatorchanges

RequirementsforRegistrars:DNSSECSignedDomains

•  RegistrarsmustsupportDNSSECEPPextensions

•  InterfacesmustbeupdatedtoacceptDSrecords–  add+deleteopera:ons– Op:onal:acceptDNSKEYrecords

•  SeparateaccountforTechnicalContact– CanonlychangeNSandDSrecords

3/9/10 23DNSandDNSSECoperatorchanges

RequirementsforDNSoperators

•  MUSTacceptDNSKEYrecordfromdomainholder

•  ShouldchangeNSwhenasked•  MUSTturnoffservicewhenaskedbutnotbefore.

3/9/10 DNSandDNSSECoperatorchanges 24

DNSSECTransferTes:ngforORG

•  Asademonstra:onthatitispossibletochangeDNSoperatorsandRegistrarswehaveworkedwithorgandtworegistrars– NamesBeyond– DynDNS

•  Foreachregistrarthereareupto13testswhereitistheoriginalregistrar

•  Thereareupto4testswhereitisdes:na:onregistrar.

3/9/10 25DNSandDNSSECoperatorchanges

Tes:ngsheet

3/9/10 26DNSandDNSSECoperatorchanges

Tes:ngsheet(cont)

3/9/10 DNSandDNSSECoperatorchanges 27

Tes:ngResults

•  Registrarinterfacesneededfixing– Allminorissues

•  Mostoftes:ngperformedbyoutsiders(us)

•  TimetoperformtestsdominatedbyORG’sTTLof1day

•  Actualtestsinprogress.

3/9/10 28DNSandDNSSECoperatorchanges

DNSSECRegistrarConsidera:ons

•  RegistrarthatoperatesONLYasregistrarforadomain– NeedstoupdateUIandEPPwithparents

•  Add/deleteDS/DNSKEY

3/9/10 DNSandDNSSECoperatorchanges 29

BundledDNSSECRegistrarconsidera:ons

•  RegistrarthatoperatesDNSasvalueaddedservice

•  NeedstounderstandtheextrarequirementsthatbeingaDNSSECoperatormeans

•  MustacceptnewDNSKEYrecordsfromdomainholder

– Transferpolicies:?–  BlockTransfersun:laUerDNSopera:onhasbeentransferred.–  OperateDNSserviceforagraceperiodaUerTransfer–  Other

3/9/10 DNSandDNSSECoperatorchanges 30

RegistryPolicyQues:ons

•  WhencanaDNSSECdomainbetransferred?– BetweenDNSSECcapableregistrars?

•  HowmanyDSrecordareallowed?

•  WillregistrylowerTTL’sonupondemand?

•  Whatcer:fica:ontes:ngisrequiredforDNSSECregistrars?

•  DoesregistryacceptDSand/orDNSKEYrecords?

3/9/10 DNSandDNSSECoperatorchanges 31

Conclusions

•  “Allatonce”DNSSECTransferisimpossible•  With“DNSfirst,Registra:onsecond”Transferis:

3/9/10 DNSandDNSSECoperatorchanges 32