A Signed Root and What It Means to You
Cricket Liu (Infoblox)
Last week, VeriSign and ICANN presented some fairly detailed information about signing the root zone using DNSSEC, the DNS Security Extensions. The Department of Commerce had previously announced that VeriSign and ICANN would jointly administer the signed root, but until yesterday it wasn't clear (to me, anyway) how their responsibilities would be divided. At RIPE 59 in Lisbon, Joe Abley of ICANN and Matt Larson of VeriSign (yes, my former business partner and the other half of "The Ask Mr. DNS Podcast") talked about the division of labor.
Basically, as I understand it, ICANN will be responsible for managing the Key-Signing Key and VeriSign for the Zone-Signing Key. Recall that in most DNSSEC-signed zones, there are two key pairs. One key pair is used for signing the zone data, while the other is used to sign just the zone's keys. There are several advantages to this arrangement: The parent zone validates the Key-Signing Key, or KSK, which in turn validates the Zone-Signing Key, or ZSK. Thus when the ZSK must be rolled over - which happens more frequently than the KSK, because far more data is signed with the ZSK - the parent zone need not be informed; the administrator can simply re-sign the new ZSK using the existing KSK. Also, the ZSK can be shorter than the KSK. This means that most of the signatures in a zone are shorter (because they're generated with the ZSK) and therefore don't result in such large responses and don't take as many computational resources to validate, but the entry point to the zone, the KSK, is still difficult to attack cryptographically.
ICANN will also be responsible for accepting keys for subzones of the root (i.e., top-level zones), verifying those and requesting that VeriSign sign them using the ZSK.
Even more important to many of us was the timeline for signing the root zone: The zone will be signed by December 1 of this year, although that version of the zone will initially remain internal to ICANN and VeriSign. However, as early as January of 2010, the incremental rollout of the signed zone will begin, and by July 1 the signed root zone will be fully deployed.
Why does this matter to you? If you're deploying DNSSEC, the existence of a signed root zone makes your job much easier. Without a signed root, you'd need to configure your recursive name servers with the public keys of all top-level zones that you'd like to validate. There are already nine top-level zones that have been signed and more on the way, so configuring those public keys and keeping them up-to-date is no trivial task. With a signed root, all you need in order to validate signed data from any of those top-level zones is the public key (the public half of the KSK) of the root zone configured on your name server. Easy!
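To make the two-key arrangement and the trust-anchor point concrete, here is an added example (not code from this post, from ICANN or from VeriSign) that models the DNSSEC chain of trust with nothing but the Python standard library. Zone names, records and every key in it are constructed for the example; signatures are textbook RSA over tiny, well-known primes with no padding, which is insecure but enough to exercise how a DS in the parent vouches for a child's KSK, how the KSK vouches for the ZSK, and how the ZSK vouches for the data. It runs the scenarios the post describes: one root KSK as the only anchor validating a record in a signed TLD, no root anchor (nothing validates unless a per-TLD anchor is configured), a ZSK roll that needs no help from the parent, and a KSK roll that breaks validation until the parent publishes a new DS.

```python
"""Toy model of the DNSSEC chain of trust with the root KSK as the only trust anchor.

Added example, not from the original post, ICANN or VeriSign. Signatures are
textbook RSA over fixed, tiny, well-known primes with no padding (insecure, for
illustration only). All zone names, records and keys below are constructed.
"""
import hashlib
from itertools import combinations

_PRIMES = [998244353, 999999937, 1000000007, 1000000009, 2147483647]
_PAIRS = list(combinations(_PRIMES, 2))  # ten distinct (p, q) pairs -> ten toy keys
_E = 65537

def make_key(index):
    """Toy RSA key pair number `index` (0..9); `d` is the private half."""
    p, q = _PAIRS[index]
    return {"n": p * q, "e": _E, "d": pow(_E, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(_h(msg, key["n"]), key["d"], key["n"])

def verify(pub, msg, sig):
    return pow(sig, pub["e"], pub["n"]) == _h(msg, pub["n"])

def ds_digest(pub):
    """Stand-in for a DS record: a hash of the child's public KSK."""
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()

class Zone:
    def __init__(self, name, ksk, zsk):
        self.name, self.ksk, self.zsk = name, ksk, zsk
        self.rrsets = {}  # (owner, rtype) -> (rdata, RRSIG made with the ZSK)
        self._sign_dnskey()

    def dnskey_rrset(self):
        """Canonical DNSKEY RRset: the public halves of the KSK and the ZSK."""
        return f"{self.name} DNSKEY {public(self.ksk)} {public(self.zsk)}".encode()

    def _sign_dnskey(self):
        self.dnskey_rrsig = sign(self.ksk, self.dnskey_rrset())  # only the KSK signs the keys

    def add(self, owner, rtype, rdata):
        msg = f"{owner} {rtype} {rdata}".encode()
        self.rrsets[(owner, rtype)] = (rdata, sign(self.zsk, msg))  # data is signed with the ZSK

    def delegate(self, child):
        """Publish a DS for the child: the only key material the parent needs from it."""
        self.add(child.name, "DS", ds_digest(public(child.ksk)))

    def roll_zsk(self, new_zsk):
        """ZSK rollover: re-sign keys and data locally; the parent is not involved."""
        self.zsk = new_zsk
        self._sign_dnskey()
        for (owner, rtype), (rdata, _) in list(self.rrsets.items()):
            self.add(owner, rtype, rdata)

    def roll_ksk(self, new_ksk):
        """KSK rollover: the DNSKEY RRset is re-signed, but the parent's DS is now stale."""
        self.ksk = new_ksk
        self._sign_dnskey()

def validate(zones, trust_anchors, zone_name, owner, rtype):
    """Validate (owner, rtype) in `zone_name`, walking down from the nearest configured anchor.

    zones: {name: Zone}; trust_anchors: {name: public KSK}. True only if every
    link from the anchor down to the record's RRSIG verifies.
    """
    labels = [l for l in zone_name.split(".") if l]
    chain = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    anchored = [i for i, n in enumerate(chain) if n in trust_anchors]
    if not anchored:
        return False  # nothing to anchor on: the answer is indeterminate, not validated
    chain = chain[anchored[-1]:]  # start at the closest configured anchor
    zsk_pub = None
    for i, name in enumerate(chain):
        zone = zones[name]
        if name in trust_anchors:
            ksk_pub = trust_anchors[name]  # trust the configured key, not whatever is on the wire
        else:
            ksk_pub = public(zone.ksk)
            ds = zones[chain[i - 1]].rrsets.get((name, "DS"))
            if ds is None or ds[0] != ds_digest(ksk_pub) \
                    or not verify(zsk_pub, f"{name} DS {ds[0]}".encode(), ds[1]):
                return False  # no DS, DS stale after a KSK roll, or DS not signed by the parent's ZSK
        if not verify(ksk_pub, zone.dnskey_rrset(), zone.dnskey_rrsig):
            return False  # the KSK does not vouch for the DNSKEY RRset that carries the ZSK
        zsk_pub = public(zone.zsk)
    rr = zones[zone_name].rrsets.get((owner, rtype))
    return rr is not None and verify(zsk_pub, f"{owner} {rtype} {rr[0]}".encode(), rr[1])

def demo():
    """Run the scenarios from the post; returns {scenario: validated?}."""
    root, org = Zone(".", make_key(0), make_key(1)), Zone("org.", make_key(2), make_key(3))
    root.delegate(org)
    org.add("example.org.", "A", "192.0.2.1")  # constructed sample record
    zones, q = {".": root, "org.": org}, ("org.", "example.org.", "A")
    root_only = {".": public(root.ksk)}  # the single anchor a signed root makes sufficient
    out = {"root_anchor_only": validate(zones, root_only, *q),
           "no_anchor": validate(zones, {}, *q),
           "tld_anchor_only": validate(zones, {"org.": public(org.ksk)}, *q)}
    org.roll_zsk(make_key(4))  # rolled without telling the root
    out["after_zsk_roll"] = validate(zones, root_only, *q)
    org.roll_ksk(make_key(5))  # rolled, but the root still publishes the old DS
    out["after_ksk_roll_stale_ds"] = validate(zones, root_only, *q)
    root.delegate(org)  # the root publishes a DS for the new KSK
    out["after_ksk_roll_new_ds"] = validate(zones, root_only, *q)
    return out

if __name__ == "__main__":
    print(demo())
```

The validator deliberately uses the configured anchor rather than the KSK the zone publishes, so a KSK roll at the root would fail here until the anchor is updated too, which is exactly why the root KSK is rolled far less often than the ZSK.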
Oct 12, 2009 at 3:24 PM
1. Experienced ISPs and network operators have not used "root servers" for years. Also, many DNS queries never touch the ICANN DNS platform. DNSMASQ is used in $50 CPE devices and many public networks use services such as OpenDNS.com.
2. All of the "secure the DNS" hype seems to mostly be aimed at diverting attention from newer technology. The legacy 1980s DNS is not worth extending. Why lock the world into small regulators like ICANN? The Internet Architecture was supposed to be free of any single point of control.
3. New DNS technology for usage with the dual-firewall C@T+N@T Inter.NODE architecture will provide more variety driven by user's choices. Some compare the current network evolution to moving people from pipes with tap water, to wine to vodka. Efforts to provide distilled "pure" water instead of tap water seem short-sighted.
Oct 13, 2009 at 6:37 AM
Given the problems associated with the legacy root zone, the existence of nearly 20 of what ICANN now calls "private" root zones, many of which they recognize because of their non-Latin TLDs, using the legacy root is the moral equivalent of using glass CRTs to connect to a Sun I to do email only while the rest of the world uses laptops and phones to surf the web.
I notice they still haven't found the ticking time bomb in DNSSEC yet. Kewwwwwwwwl. Good luck with that.
Oct 13, 2009 at 7:49 AM
Interesting. Are you suggesting it's immoral to use a CRT? Or generally immoral to use outdated technology?
Nov 6, 2009 at 10:33 AM
I would be happy to experiment with and learn to use a replacement for the legacy 1980s DNS, but for now I am excited about DNSSEC and am vigorously preparing for the .edu signing in March. For the foreseeable future it seems like the only feasible solution to a serious issue. Also, I admit to having just the slightest apprehension about a future weakness in DNSSEC. But to sit and do nothing, waiting for a whole new protocol just ain't happening.