KSK Sentinel
DNSOP, .GB - 2018-03 v0.3
draft-ietf-dnsop-kskroll-sentinel
Geoff Huston
Joao Silva Damas
Warren Kumari
Major changes
- Conversational description of how this works.
- This is for the active root TA.
- Many many readability fixes (thanks all!)
- Make examples FQDN.
- Some privacy clarifications.
- SERVFAIL vs NXDOMAIN...
Major changes
Names! (how the sentinel label evolved across drafts)
- _is-ta-<key-tag>
- kskroll-sentinel-is-ta-<hex key-tag>
- kskroll-sentinel-is-ta-<dec key-tag> (current: decimal key tag)
Demo
Demo: http://www.ksk-test.net
Questions?
Backup Slides
What's the problem?
- We need / want to roll the DNSSEC trust anchor (the root KSK)
- We have no way to measure the impact of doing so
RFC8145!
Solved!
Nope.
Pretty graphs!
Prettier graphs!
?
Sentinel
- Requires a (simple) resolver update
- Allows anyone to set up a measurement service
- Exposes the result to the users
The change
Just before sending the response (i.e. after resolution and DNSSEC validation have completed), the resolver looks at the leftmost label of the query name:
- kskroll-sentinel-is-ta-[key].something?
  - If the resolver has a trust anchor with key tag [key], reply normally; otherwise SERVFAIL
- kskroll-sentinel-not-ta-[key].something?
  - If the resolver does NOT have a trust anchor with key tag [key], reply normally; otherwise SERVFAIL
- Any other name: reply as usual. The sentinel names must live in a signed zone, since only validated answers are subject to this check.
Example
- I'm a validating resolver, and I support sentinel.
- I have the new KSK (key tag 20326) as a trust anchor.
- I get a query for invalid.example.com
  - It fails DNSSEC validation, so: SERVFAIL (ordinary validator behaviour, nothing to do with sentinel)
- I get a query for kskroll-sentinel-is-ta-20326.example.com
  - I resolve it, it validates, and I get 192.0.2.23
  - I have (and am using) KeyID 20326, so I answer with 192.0.2.23
- I get a query for kskroll-sentinel-not-ta-20326.example.com
  - I resolve it, it validates, and I get an address
  - I do have (and am using) KeyID 20326, so I send SERVFAIL
- A resolver that only has the old KSK gives the opposite answers: SERVFAIL for is-ta-20326, a normal answer for not-ta-20326.
Yawn. So what?!
Do you see (the test page loads one image from a bogus-signed name, one from the is-ta name, one from the not-ta name):
- Fish? Your resolver is not validating; the key roll doesn't affect you.
- Kitten and Puppy? A legacy validator without sentinel support; we cannot tell.
- Kitten only? You have the new key, you'll be fine.
- Puppy only? DANGER! You only have the old key.
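The resolver-side check from "The change" and the worked example, together with the fish/kitten/puppy classification above, as an added illustration that is not from the draft or these slides: a toy model of a resolver applying the sentinel rule, and of the measurement page reading the result. The zone data, the addresses and the old KSK's key tag 19036 are constructed here; the restriction of sentinel processing to A/AAAA queries is an assumption taken from the published RFC 8509 text and is not stated on the slides.

```python
# Added example, not from the draft or the slides: a toy model of the sentinel
# check a validating resolver performs just before answering, and of how the
# three-image test page classifies a resolver from which images loaded.
import re

SERVFAIL = "SERVFAIL"
# Sentinel label forms as on the slides (decimal key tag).
IS_TA = re.compile(r"^kskroll-sentinel-is-ta-(\d+)$")
NOT_TA = re.compile(r"^kskroll-sentinel-not-ta-(\d+)$")

# Constructed zone data: name -> (rdata, outcome a validator would get).
# The sentinel names must sit in a signed zone so they validate as "secure".
ZONE = {
    "kskroll-sentinel-is-ta-20326.example.com.": ("192.0.2.23", "secure"),
    "kskroll-sentinel-not-ta-20326.example.com.": ("192.0.2.24", "secure"),
    "invalid.example.com.": ("192.0.2.25", "bogus"),  # deliberately broken signature
    "www.example.com.": ("192.0.2.1", "secure"),
}


class Resolver:
    def __init__(self, validating, sentinel_aware, trust_anchor_tags):
        self.validating = validating
        # Sentinel processing only makes sense on a validating resolver.
        self.sentinel_aware = sentinel_aware and validating
        self.trust_anchor_tags = set(trust_anchor_tags)

    def resolve(self, qname, qtype="A", zone=ZONE):
        """Return the rdata the client sees, or SERVFAIL."""
        rdata, status = zone[qname]
        # Ordinary validation first: a bogus answer is SERVFAIL on any validator.
        if self.validating and status != "secure":
            return SERVFAIL
        # Assumption (RFC 8509 behaviour): sentinel applies to A/AAAA answers only.
        if not self.sentinel_aware or qtype not in ("A", "AAAA"):
            return rdata
        leftmost = qname.rstrip(".").split(".")[0].lower()
        m = IS_TA.match(leftmost)
        if m:  # answer only if we trust a key with this tag
            return rdata if int(m.group(1)) in self.trust_anchor_tags else SERVFAIL
        m = NOT_TA.match(leftmost)
        if m:  # answer only if we do NOT trust a key with this tag
            return SERVFAIL if int(m.group(1)) in self.trust_anchor_tags else rdata
        return rdata


def classify(resolver, key_tag=20326, suffix="example.com."):
    """Reproduce the fish/kitten/puppy page: an image loads only if its name
    resolves; the fish hides behind the bogus-signed name."""
    fish = resolver.resolve(f"invalid.{suffix}") != SERVFAIL
    kitten = resolver.resolve(f"kskroll-sentinel-is-ta-{key_tag}.{suffix}") != SERVFAIL
    puppy = resolver.resolve(f"kskroll-sentinel-not-ta-{key_tag}.{suffix}") != SERVFAIL
    if fish:
        return "not validating: key roll does not affect you"
    if kitten and puppy:
        return "legacy validator: no sentinel support, cannot tell"
    if kitten:
        return "has new key: fine"
    if puppy:
        return "DANGER: only the old key"
    return "inconsistent (mixed resolvers behind one client?)"


if __name__ == "__main__":
    # 20326 is the 2017 root KSK's key tag (on the slides); 19036 is the 2010 KSK's.
    for label, r in [
        ("new key", Resolver(True, True, [20326])),
        ("old key only", Resolver(True, True, [19036])),
        ("legacy", Resolver(True, False, [19036])),
        ("non-validating", Resolver(False, False, [])),
    ]:
        print(f"{label:15s} -> {classify(r)}")
```

The last classification branch covers a case the slides do not: a client whose stub forwards to several upstream resolvers with different keys can get a kitten and a puppy from different resolvers, or neither, so a real measurement page should treat the "neither" and "both" results with some care rather than as a clean legacy signal.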
Srsly? Kittens?!
Sadly, no...
...but kittens!!!
Sorry, still no... :-(
Sentinel - DNSOP - London
By wkumari