Internet Corporation for Assigned Names & Numbers
Interim Trust Anchor Repository and Update
Amsterdam, Netherlands
May 2009
Interim Trust Anchor Repository
‣ A mechanism to publish keys of top-level domains that currently implement DNSSEC
‣ If the root zone is DNSSEC signed, such a repository is unnecessary
‣ Therefore this is a stopgap measure
‣ Current plan is to decommission when the root is signed
Benefits
‣ Fully meets a set of recommendations provided by RIPE
‣ Simple to use for both top-level domain operators and end users.
‣ Works with different DNS software, different protocols, etc. Non-proprietary.
‣ Almost fully automated
‣ Helps DNSSEC deployment
itar.iana.org
Experiences
‣ TLD managers are frequently approving trust anchors that are wrong.
‣ They don't get listed because we check for matching DNSKEY records
‣ Except one, our bug: we didn't compare algorithm type of DS versus algorithm type of DNSKEY
‣ Suggests no-one is actually checking the digests before "approving" during the review phase
‣ Were running ITAR privately for a couple of months - asking TLDs to test and upload their anchors.
‣ No real activity until it was publicly announced.
Requests from the community
‣ Ability to suppress NSEC3 records (done)
‣ Prohibit SHA1 digests
‣ Change to accepting DNSKEY records, not DS records
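The checks described under "Experiences" and "Requests from the community", as an added worked example (this is not ITAR's code): a submitted DS is accepted only if its owner, key tag, algorithm and digest all agree with a published DNSKEY, the algorithm comparison the slides say was originally missing is included, and SHA-1 digests are rejected unless explicitly allowed. The owner name, flags and public-key bytes are constructed placeholders; the `allow_sha1` policy flag is an assumption of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example: a DS-vs-DNSKEY consistency check of the kind the slides
# describe (matching key tag, algorithm and digest). Not ITAR's own code;
# all record values below are constructed for illustration.

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


@dataclass
class DNSKEY:
    owner: str
    flags: int       # 256 = ZSK, 257 = KSK (ZONE + SEP bits)
    protocol: int    # always 3
    algorithm: int   # e.g. 5 = RSASHA1, 8 = RSASHA256
    pubkey: bytes    # raw public key field

    def rdata(self) -> bytes:
        """Wire-format RDATA; both the key tag and the DS digest are computed over it."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey


@dataclass
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str      # lowercase hex


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit sum of RDATA with carry folded in)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(key: DNSKEY, digest_type: int = 2) -> DS:
    """Derive the DS record a TLD operator should upload for this DNSKEY."""
    h = DIGEST_ALGS[digest_type](owner_wire(key.owner) + key.rdata()).hexdigest()
    return DS(key.owner, key_tag(key.rdata()), key.algorithm, digest_type, h)


def check_ds(ds: DS, keys: list, allow_sha1: bool = False) -> tuple:
    """Return (accepted, reason). Every DS field must agree with some published DNSKEY."""
    if ds.digest_type not in DIGEST_ALGS:
        return False, "unsupported digest type"
    if ds.digest_type == 1 and not allow_sha1:
        return False, "SHA-1 digest prohibited by policy"
    for key in keys:
        if owner_wire(key.owner) != owner_wire(ds.owner):
            continue
        if key_tag(key.rdata()) != ds.key_tag:
            continue
        # The comparison the slides say was missing: a DS whose algorithm
        # field disagrees with the DNSKEY it otherwise matches is rejected.
        if key.algorithm != ds.algorithm:
            return False, f"algorithm mismatch: DS says {ds.algorithm}, DNSKEY says {key.algorithm}"
        expected = make_ds(key, ds.digest_type).digest
        if hmac.compare_digest(expected, ds.digest.lower()):
            return True, "ok"
        return False, "digest mismatch"
    return False, "no DNSKEY at that owner with a matching key tag"


# Constructed sample: the public key bytes are a placeholder, not a real RSA key.
SAMPLE_KEY = DNSKEY("example.", 257, 3, 8, bytes([0x03, 0x01, 0x00, 0x01]))

if __name__ == "__main__":
    good = make_ds(SAMPLE_KEY)
    print("correct DS:", check_ds(good, [SAMPLE_KEY]))
    wrong_alg = DS(good.owner, good.key_tag, 7, good.digest_type, good.digest)
    print("wrong algorithm:", check_ds(wrong_alg, [SAMPLE_KEY]))
    print("SHA-1 DS:", check_ds(make_ds(SAMPLE_KEY, 1), [SAMPLE_KEY]))
```

Comparing the DS against a DS re-derived from the DNSKEY, rather than checking only the digest, is what makes the algorithm-field mismatch visible: a DS with the right key tag and digest but the wrong algorithm byte would otherwise be accepted and then fail validation in resolvers.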
ICANN DNSSEC Update
‣ We have been asked by the community - .uk, .nz, .nl, .cz, …, APNIC, ccNSO, RIPE and industry Google, Comcast, Intel, Paypal… - to sign the root.
‣ “Revelations” from the outside regarding DNSSEC
‣ I hear you can do cool things with DNSSEC
‣ Alternate/free source of trust for
‣ spam filtering (DKIM)
‣ free https:// certificates (SSL),
‣ secure networking and authentication (IPSEC, SSHFP),
‣ and …. who knows?
‣ ….but you tell me
Why deploy DNSSEC?
‣ need to make DNSSEC deployable today
‣ "DNSSEC is the key to fixing the persistent authentication problems plaguing real-world, cross-organizational business for years,"
http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=214501924&cid=RSSfeed
Behind our testbed
[Diagram of the testbed signing infrastructure; labels recovered from the figure:]
‣ Components: SIGNER (x2), HSM KSK, HSM ZSK, NS (x2), TEST A, TEST M, ADMIN, RZM, ROOT DB, I-TAR, TLD DATA VETTING PROCESS
‣ HSM keys duplicated to 2-3 instances; GSA Class 5 container, NSA safe
‣ SIGNER, NS: Dell 1950 w/ 2x PS, 2x SAS, 2x CPU
‣ HSM: AEP Keyper FIPS 140-2 Level 4 (disposable)
‣ 24 hr manned, multiple biometric controlled facility, NSA NSTISSP #10, GSA Class 5 container (approved for Top Secret)
‣ F/W with 2-factor auth for RZM; TSIG; TLD operators and/or governments via existing trust relationships
‣ Internal networks 10.0.1.X, 10.0.2.X; hosts 199.7.81.10, 199.7.81.15
‣ ns.iana.org 208.77.188.32; pch-test.iana.org anycast 204.61.216.37; iana*.dyntld.net anycast 208.78.70.92, 204.13.250.92, 208.78.71.92, 204.13.251.92
‣ Watchdog sites: BOS, AMS, MIA, LAX
‣ Public recursive resolver 149.20.64.22 (iana-testbed.odvr.dns-oarc.net)
‣ System status at: https://ns.iana.org/dnssec/status.html
‣ Zones: .arpa, in-addr.arpa, ip6.arpa, iris.arpa, urn.arpa, uri.arpa, .int, xn--"test" (DS: .se, .br, .bg, .pr, .cz, .th, .museum, .gov)
Go Ahead – Test It!
‣ Public caching recursive validating DNSSEC name server at 149.20.64.22 (SFO). Thank you OARC / Duane! …and 66.165.162.24 (MIA)
‣ See https://ns.iana.org/dnssec/status.html
‣ Masters:
‣ 208.77.188.32 (ns.iana.org)
‣ anycast 204.61.216.37 (pch-test.iana.org) in Cairo, Nairobi, Johannesburg, Perth, Sydney, Dhaka, Jakarta, Hong Kong, Tokyo, Kuala Lumpur, Kathmandu, Auckland, Manila, Singapore, Paris, Frankfurt, Munich, Beirut, Amsterdam, Stockholm, London, Buenos Aires, Sao Paulo, Toronto, Puerto Rico, Boston, Seattle, Miami, etc... alongside some root servers. Thank you PCH.net!
‣ anycast 208.78.70.92, 204.13.250.92, 208.78.71.92, 204.13.251.92 in Ashburn, VA; Chicago, IL; Palo Alto, CA; London, UK; Amsterdam, NL; Frankfurt, DE; Hong Kong, HK... alongside TLD servers. Thank you dyntld.com!
Opportunity
‣ If deployed, DNSSEC:
‣ Will be a critical tool in combating the global nature of cyber crime, allowing cross-organizational and trans-national authentication
‣ Can be an integral part of any cyber security arsenal
‣ As a global security federation, will be a platform for cyber security innovation and international cooperation
Upcoming Event
‣ Symposium on Deploying a Signed Root: Issues and Proposed Solutions, DNSSEC Coalition, June 11-12, DC
‣ Key Distribution
‣ Key Rollover
‣ Trust and Transparency
‣ Impact on ISPs and Resolvers
‣ Contingency Plans
Thanks!