SlideShare une entreprise Scribd logo

Review of the KSK Roll and Impact Measurements

APNIC
APNIC

APNIC Chief Scientist Geoff Huston gives a review of the KSK Roll at RIPE 78 in Reykjavík, Iceland from 20 to 24 May 2019.

Internet
1  sur  46
Télécharger pour lire hors ligne
A Review of the KSK Roll Geoff Huston APNIC Labs
Why am I presenting this? • I ’m not part of ICANN or the PTI • APNIC is not a root server operator • I’m not a member of the root server cabal • I can’t see root server query data
Why am I presenting this? But … I’m one of almost 4 billion consumers of the DNS, and the stability, integrity and robustness of the DNS root matters for me So I’m an interested member of the community of DNS consumers
The Plan • The KSK is “special” • There is no “parent” key for the root • Every DNSSEC-validating resolver needs to load (and trust) the new KSK • The plan is to use “old-signs-new” approach • The old key signs over the new key for some minimum hold-down period • DNSSEC-validating resolvers are supposed to add the new key to their local trusted key collection once they have seen a stable sign-over for the hold- down period
The Plan - V1 11 October 2017
The best laid plans…
The Plan - V2 11 October 201827 September 2017 11 January 2019 KSK-2017 is published in the root zone across the pause
Goodbye KSK-2010
What Worked The KSK was rolled Internet-wide DNSSEC validation levels were not significantly impacted
What Did Not • The exercise was not exactly incident free • There were issues with: • Predicting the impact of the KSK roll • Measuring the impact of the KSK roll • Predicting the impact of KSK revocation
KSK Measurement Objective What number of users are at risk of being impacted by the KSK Roll?
KSK Measurement Objective What number of users are at risk of being impacted by the KSK Roll? We can’t do this measurement directly We can only measure the capabilities of the DNS infrastructure and estimate the impact
Signalling via Queries Client DNS Resolver Server DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS ResolverDNS ResolverDNS ResolverDNS ResolverDNS ResolverDNS Resolver Queries The query contains added resolver information which passes inward in the DNS towards the authoritative server(s)
Measuring Resolvers with RFC 8145 Getting resolvers to report on their local trusted key state • A change to resolver behavior that requires deployment of new resolver code • Resolvers that support the RFC 8145 signal mechanism periodically include the key tag of their locally trusted keys into a query directed towards the root servers
What did we see at the roots? Duane Wessels VeriSign RFC 8145 Signaling Trust Anchor Knowledge In DNS Security Extensions Presentation to DNSSEC Workshop @ ICANN 60 – 1 Nov 2017 https://schd.ws/hosted_files/icann60abudhabi2017/ea/Duane%20Wessels-VeriSign-RFC%208145-Signaling%20Trust%20Anchor%20Knowledge%20in%20DNS%20Security%20Extensions.pdf root service operators
12 months of RFC8145 signalling http://root-trust-anchor-reports.research.icann.org Yes, with just a few days to go this mechanism was still reporting 5% ‘breakage’
20 months of RFC8145 signalling http://root-trust-anchor-reports.research.icann.org This mechanism is still reporting 1% ‘breakage’
What is this saying? It’s clear that there is some residual set of resolvers that are signalling that they have not yet learned to trust KSK-2017 But its not clear if: • This is an accurate signal about the state of this resolver • This is an accurate signal about the identity of this resolver • Whether the resolver attempts DNSSEC validation • How many users sit ‘behind’ this resolver • Whether these uses rely solely on this resolver, or if they also have alternate resolvers that they can use
Why? • Because the DNS does not disclose the antecedents of a query • If A forwards a query to B, who queries a Root Server then if the query contains an implicit signal (as in this case) then it appears that B is querying, not A • At no time is the user made visible in the referred query • Because caching • If A and B both forward their queries via C, then it may be that one or both of these queries may be answered from C’s cache • In this case the signal is being suppressed • Because its actually measuring a cause, not the outcome • Its measuring resolvers’ uptake of the new KSK, but is not able to measure the user impact of this
Signalling via Responses Client DNS Resolver Server DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS ResolverDNS ResolverDNS ResolverDNS ResolverDNS ResolverDNS Resolver Responses The response contains added information or altered behaviours which passes backward in the DNS towards the original querier
User-Side Measurement Can we devise a DNS query that could reveal the state of the trusted keys of the resolvers back to the user? • What about a change to the resolver’s reporting of validation outcome depending on the resolver’s local trusted key state? • If a query contains the label “root-key-sentinel-is-ta-<key-tag>” then a validating resolver will report validation failure (SERVFAIL) if the key is NOT in the local trusted key store • If a query contains the label “root-key-sentinel-not-ta-<key-tag>” then a validating resolver will report validation failure (SERVFAIL) if the key IS in the local trusted key store
DNS + Web • How can you tell if a user is able to resolve a DNS name? • Be the user (get the user to run a script of some sort) • Look at the DNS server AND the Web server • The Web object is fetched only when the DNS provides a resolution answer • But the opposite is not necessarily the case, so there is a noise component in such an approach
Prior to the KSK Roll 16% of users use DNSSEC- validating resolvers 15% of users do not report their KSK trust-state 0.5% of users report KSK-2017 loaded 0.005% of users report KSK-2017 NOT loaded
Possibly Affected Users Between 0.1% to 0.2% of users are reporting that their resolvers have not loaded KSK-2017 as a trust anchor The measurement has many uncertainties and many sources of noise so this is an upper bound of the pool of users who may encounter DNS failure due to to the KSK roll
What happened SIDN Labs Atlas Measurement
What we saw % of folk that reported “good” % of folk that reported “bad” KSK roll period
What we heard
What happens when you lose track of the KSK?
Everything goes black
EIR - AS5466 DNSSEC Data KSK Roll Cache Expiry Daily Sample Count Validating Sample Count
Internet DNSSEC Data Is this part-related to the KSK Roll?
Looking for Affected Networks • Lets use the following filter: • More than 400 samples / day in the lead up to the KSK roll (using weighted sample count) • DNSSEC validation level more than 30% prior to the KSK roll • Drop of more than 33% in DNSSEC validation during the KSK roll
Rank AS CC Seen Validating As Name Before During After Before During After 1 AS2018 ZA 1,858 1,122 1,473 694 220 288 TENET, South Africa 2 AS10396 PR 1,789 1,673 1,988 1,647 276 33 COQUI-NET - DATACOM CARIBE, Puerto Rico 3 AS45773 PK 1,553 388 1,393 606 178 540 HECPERN-AS-PK PERN, Pakistan 4 AS15169 IN 1,271 438 1,286 1,209 438 1,242 GOOGLE - Google LLC, India 5 AS22616 US 1,264 503 1,526 883 377 1,014 ZSCALER- SJC, US 6 AS53813 IN 1,213 689 1,862 1,063 582 1,419 ZSCALER, India 7 AS1916 BR 1,062 94 991 326 37 277 Rede Nacional de Ensino e Pesquisa, Brazil 8 AS9658 PH 931 281 842 440 136 404 ETPI-IDS-AS-AP Eastern Telecoms, Philippines 9 AS37406 SS 888 486 972 582 365 599 RCS, South Sudan 10 AS263327 BR 882 345 438 776 289 359 ONLINE SERVICOS DE TELECOMUNICACOES, Brazil 11 AS17557 PK 835 430 777 431 277 413 Pakistan Telecommunication, Pakistan 12 AS36914 KE 834 476 937 583 354 670 KENET , Kenya 13 AS327687 UG 802 473 834 390 189 332 RENU, Uganda 14 AS680 DE 773 966 1,332 268 117 289 DFN Verein zur Foerderung, Germany 15 AS201767 UZ 761 538 729 461 200 371 UZMOBILE, Uzbekistan 16 AS37682 NG 695 401 728 593 274 568 TIZETI, Nigeria 17 AS7470 TH 674 214 507 219 94 182 True Internet, Thailand 18 AS51167 DE 670 378 479 214 78 156 CONTABO, Germany 19 AS15525 PT 600 260 593 287 125 284 MEO-EMPRESAS, Portugal 20 AS14061 GB 594 468 672 260 169 313 DigitalOcean, United Kingdom 21 AS37130 ZA 585 5 464 414 0 260 SITA, South Africa 22 AS30998 NG 583 264 484 192 54 143 NAL, Nigeria 23 AS135407 PK 569 227 457 419 207 344 TES-PL-AS-AP Trans World, Pakistan 24 AS16814 AR 565 235 456 258 120 208 NSS, Argentina 25 AS132335 IN 563 17 30 538 17 23 NETWORK-LEAPSWITCH-IN LeapSwitch Networks, India 26 AS5438 TN 559 532 579 526 171 27 ATI,Tunisia 27 AS5466 IE 547 240 401 419 184 329 EIRCOM Internet House, IE Ireland 28 AS18002 IN 538 467 614 277 176 242 WORLDPHONE-IN AS, India 29 AS37209 NG 532 109 438 269 45 194 HYPERIA, Nigeria 30 AS37100 ZA 454 161 401 168 95 131 SEACOM-AS, South Africa 31 AS5588 CZ 453 175 430 186 102 162 GTSCE GTS Central Europe, Czechia 32 AS1103 NL 446 38 363 189 7 132 SURFnet, The Netherlands 33 AS17563 PK 402 117 359 207 64 199 Nexlinx, Pakistan 34 AS327724 UG 401 120 538 208 103 266 NITA, Uganda 35 AS7590 PK 400 122 329 266 84 224 COMSATS, Pakistan
Rank AS CC Seen Validating As Name Before During After Before During After 1 AS2018 ZA 1,858 1,122 1,473 694 220 288 TENET, South Africa 2 AS10396 PR 1,789 1,673 1,988 1,647 276 33 COQUI-NET - DATACOM CARIBE, Puerto Rico 3 AS45773 PK 1,553 388 1,393 606 178 540 HECPERN-AS-PK PERN, Pakistan 4 AS15169 IN 1,271 438 1,286 1,209 438 1,242 GOOGLE - Google LLC, India 5 AS22616 US 1,264 503 1,526 883 377 1,014 ZSCALER- SJC, US 6 AS53813 IN 1,213 689 1,862 1,063 582 1,419 ZSCALER, India 7 AS1916 BR 1,062 94 991 326 37 277 Rede Nacional de Ensino e Pesquisa, Brazil 8 AS9658 PH 931 281 842 440 136 404 ETPI-IDS-AS-AP Eastern Telecoms, Philippines 9 AS37406 SS 888 486 972 582 365 599 RCS, South Sudan 10 AS263327 BR 882 345 438 776 289 359 ONLINE SERVICOS DE TELECOMUNICACOES, Brazil 11 AS17557 PK 835 430 777 431 277 413 Pakistan Telecommunication, Pakistan 12 AS36914 KE 834 476 937 583 354 670 KENET , Kenya 13 AS327687 UG 802 473 834 390 189 332 RENU, Uganda 14 AS680 DE 773 966 1,332 268 117 289 DFN Verein zur Foerderung, Germany 15 AS201767 UZ 761 538 729 461 200 371 UZMOBILE, Uzbekistan 16 AS37682 NG 695 401 728 593 274 568 TIZETI, Nigeria 17 AS7470 TH 674 214 507 219 94 182 True Internet, Thailand 18 AS51167 DE 670 378 479 214 78 156 CONTABO, Germany 19 AS15525 PT 600 260 593 287 125 284 MEO-EMPRESAS, Portugal 20 AS14061 GB 594 468 672 260 169 313 DigitalOcean, United Kingdom 21 AS37130 ZA 585 5 464 414 0 260 SITA, South Africa 22 AS30998 NG 583 264 484 192 54 143 NAL, Nigeria 23 AS135407 PK 569 227 457 419 207 344 TES-PL-AS-AP Trans World, Pakistan 24 AS16814 AR 565 235 456 258 120 208 NSS, Argentina 25 AS132335 IN 563 17 30 538 17 23 NETWORK-LEAPSWITCH-IN LeapSwitch Networks, India 26 AS5438 TN 559 532 579 526 171 27 ATI,Tunisia 27 AS5466 IE 547 240 401 419 184 329 EIRCOM Internet House, IE Ireland 28 AS18002 IN 538 467 614 277 176 242 WORLDPHONE-IN AS, India 29 AS37209 NG 532 109 438 269 45 194 HYPERIA, Nigeria 30 AS37100 ZA 454 161 401 168 95 131 SEACOM-AS, South Africa 31 AS5588 CZ 453 175 430 186 102 162 GTSCE GTS Central Europe, Czechia 32 AS1103 NL 446 38 363 189 7 132 SURFnet, The Netherlands 33 AS17563 PK 402 117 359 207 64 199 Nexlinx, Pakistan 34 AS327724 UG 401 120 538 208 103 266 NITA, Uganda 35 AS7590 PK 400 122 329 266 84 224 COMSATS, Pakistan These networks turned DNSSEC validation off!
Impact of the KSK Roll • The immediate impact appears to be some 0.2% - 0.3% of users • In 32 ISP cases service was restored with DNSSEC validation enabled • In 3 ISP cases DNSSEC validation was turned off
But that’s not the end of the story… • The next event was the revocation of KSK-2010 at 1400 UTC, 11 January 2019 • This was meant to be easy • It required no trust transition on the part of DNSSEC-validating resolvers • KSK-2010 was published as a signing KEY for DNSSEC with the ”revoke bit” set in the key flags • While the DNSKEY response was large (1,449 octets) other parts of the DNS generate larger responses for validating resolvers
And for clients the revocation was uneventful
But Root Servers reported a different story Duane Wessels, KSK Roller Post Analysis, DNS OARC, May 2019
Why? Query spin in old versions of a popularly deployed resolver
Lessons Learned • Yes, we can roll the KSK! • Yes, the extensive contact campaign helped BUT • The DNS is VERY opaque! • Instrumentation was extremely challenging
What Next?
Observations • The operation was an experiment • DNS trust state signalling (both forms) seems to add more noise rather than clarity • We could think about making the DNS more transparent • But there is a clear trade-off between greater transparency and exposing end user behaviours • So maybe we might not want to go there!
Observations • Is DNSSEC validation most appropriately a resolver function or an edge function? • Envisaged in DANE Chain Extensions in the TLS - requires edge devices to hold the current KSK value and perform DNSSEC validation • Is 5011 really the best way for edge devices to maintain their KSK copy? • Really? If we want to think about scaling DNSSEC validation to every host device what KSK management practices will scale?
One View • We should perform this operation often • Maybe we just need to keep rolling every year • That way we train the manual loaders to keep up! • We should now look at an Elliptical Curve algorithm roll • We should now look at standing a backup KSK provision
Another View • Why are we rolling the KSK? • Actual key compromise might not play out in the same staged manner as a planned key roll • If these planned key rolls are not a rehearsal for some unforeseen potential calamity then why are we deliberately adding instability into DNSSEC? • Is doing this again going to teach us anything new? • Is old-signs-new really the best way to do this? • How should we scale the KSK?
Thanks!

Recommandé

IETF 103: Measuring the KSK Roll
IETF 103: Measuring the KSK RollIETF 103: Measuring the KSK Roll
IETF 103: Measuring the KSK RollAPNIC
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's askingAPNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 
APNIC Member Gathering, China
APNIC Member Gathering, ChinaAPNIC Member Gathering, China
APNIC Member Gathering, ChinaAPNIC
 
Linx88 IPv6 Neighbor Discovery Russell Heilling
Linx88 IPv6 Neighbor Discovery Russell HeillingLinx88 IPv6 Neighbor Discovery Russell Heilling
Linx88 IPv6 Neighbor Discovery Russell HeillingRussell Heilling
 
Is IPv6 Really Faster?
Is IPv6 Really Faster?Is IPv6 Really Faster?
Is IPv6 Really Faster?APNIC
 

Recommandé

IETF 103: Measuring the KSK Roll
IETF 103: Measuring the KSK RollIETF 103: Measuring the KSK Roll
IETF 103: Measuring the KSK RollAPNIC
 
OARC 26: Who's asking
OARC 26: Who's askingOARC 26: Who's asking
OARC 26: Who's askingAPNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling RootsAPNIC
 
IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73IPv6 and the DNS, RIPE 73
IPv6 and the DNS, RIPE 73APNIC
 
Rolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyRolling the Root Zone DNSSEC Key Signing Key
Rolling the Root Zone DNSSEC Key Signing KeyAPNIC
 
APNIC Member Gathering, China
APNIC Member Gathering, ChinaAPNIC Member Gathering, China
APNIC Member Gathering, ChinaAPNIC
 
Linx88 IPv6 Neighbor Discovery Russell Heilling
Linx88 IPv6 Neighbor Discovery Russell HeillingLinx88 IPv6 Neighbor Discovery Russell Heilling
Linx88 IPv6 Neighbor Discovery Russell HeillingRussell Heilling
 
Is IPv6 Really Faster?
Is IPv6 Really Faster?Is IPv6 Really Faster?
Is IPv6 Really Faster?APNIC
 
DNSSEC Measurement APTLD 71
DNSSEC Measurement APTLD 71DNSSEC Measurement APTLD 71
DNSSEC Measurement APTLD 71Siena Perry
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream csching
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
Nathalie - Stavanger
Nathalie - StavangerNathalie - Stavanger
Nathalie - StavangerIPv6no
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNSAPNIC
 
Interactive real time dashboards on data streams using Kafka, Druid, and Supe...
Interactive real time dashboards on data streams using Kafka, Druid, and Supe...Interactive real time dashboards on data streams using Kafka, Druid, and Supe...
Interactive real time dashboards on data streams using Kafka, Druid, and Supe...DataWorks Summit
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end userAPNIC
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operatorsAPNIC
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIAPNIC
 
Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...APNIC
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNICAPNIC
 
Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73APNIC
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetAPNIC
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
PhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTPhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTAPNIC
 
NZNOG 2020: APNIC update
NZNOG 2020: APNIC updateNZNOG 2020: APNIC update
NZNOG 2020: APNIC updateAPNIC
 
NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK RollAPNIC
 
The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKAPNIC
 

Contenu connexe

Tendances

DNSSEC Measurement APTLD 71
DNSSEC Measurement APTLD 71DNSSEC Measurement APTLD 71
DNSSEC Measurement APTLD 71Siena Perry
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateAPNIC
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream csching
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing APNIC
 
Nathalie - Stavanger
Nathalie - StavangerNathalie - Stavanger
Nathalie - StavangerIPv6no
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingAPNIC
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNSAPNIC
 
Interactive real time dashboards on data streams using Kafka, Druid, and Supe...
Interactive real time dashboards on data streams using Kafka, Druid, and Supe...Interactive real time dashboards on data streams using Kafka, Druid, and Supe...
Interactive real time dashboards on data streams using Kafka, Druid, and Supe...DataWorks Summit
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!APNIC
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end userAPNIC
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operatorsAPNIC
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIAPNIC
 
Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...APNIC
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteAPNIC
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNICAPNIC
 
Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73APNIC
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetAPNIC
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesAPNIC
 
PhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTPhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTAPNIC
 
NZNOG 2020: APNIC update
NZNOG 2020: APNIC updateNZNOG 2020: APNIC update
NZNOG 2020: APNIC updateAPNIC
 

Tendances (20)

DNSSEC Measurement APTLD 71
DNSSEC Measurement APTLD 71DNSSEC Measurement APTLD 71
DNSSEC Measurement APTLD 71
 
VNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment UpdateVNIX-NOG 2021: IPv6 Deployment Update
VNIX-NOG 2021: IPv6 Deployment Update
 
Splunk app for stream
Splunk app for stream Splunk app for stream
Splunk app for stream
 
mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing mnNOG 1: Securing internet Routing
mnNOG 1: Securing internet Routing
 
Nathalie - Stavanger
Nathalie - StavangerNathalie - Stavanger
Nathalie - Stavanger
 
BSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet RoutingBSides: BGP Hijacking and Secure Internet Routing
BSides: BGP Hijacking and Secure Internet Routing
 
Zombie DNS
Zombie DNSZombie DNS
Zombie DNS
 
Interactive real time dashboards on data streams using Kafka, Druid, and Supe...
Interactive real time dashboards on data streams using Kafka, Druid, and Supe...Interactive real time dashboards on data streams using Kafka, Druid, and Supe...
Interactive real time dashboards on data streams using Kafka, Druid, and Supe...
 
Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!Routing Security in 2017 – We can do better!
Routing Security in 2017 – We can do better!
 
Measuring the end user
Measuring the end userMeasuring the end user
Measuring the end user
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
 
PacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKIPacNOG 29: Routing security is more than RPKI
PacNOG 29: Routing security is more than RPKI
 
Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...Abitcool - A vast array of small-scale service providers with gigabit access,...
Abitcool - A vast array of small-scale service providers with gigabit access,...
 
IPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental WebsiteIPv6 Deployment Case on a Korean Governmental Website
IPv6 Deployment Case on a Korean Governmental Website
 
IPv6 deployment at APNIC
IPv6 deployment at APNICIPv6 deployment at APNIC
IPv6 deployment at APNIC
 
Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73Measuring IPv6 Performance, RIPE73
Measuring IPv6 Performance, RIPE73
 
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse InternetBroadband India Forum Session on IPv6: The Post-IPocalypse Internet
Broadband India Forum Session on IPv6: The Post-IPocalypse Internet
 
PhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the PhilippinesPhNOG 2020: ROA and RPKI in the Philippines
PhNOG 2020: ROA and RPKI in the Philippines
 
PhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRTPhNOG 2020: Securing your resources with RPKI and IRT
PhNOG 2020: Securing your resources with RPKI and IRT
 
NZNOG 2020: APNIC update
NZNOG 2020: APNIC updateNZNOG 2020: APNIC update
NZNOG 2020: APNIC update
 

Similaire à Review of the KSK Roll and Impact Measurements

NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK RollAPNIC
 
The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKAPNIC
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK RolloverAPNIC
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECAPNIC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
End User DNS Measurement at APNIC
End User DNS Measurement at APNICEnd User DNS Measurement at APNIC
End User DNS Measurement at APNICAPNIC
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS EvolutionAPNIC
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK RolloverAPNIC
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSKAPNIC
 
The Resolvers We Use
The Resolvers We UseThe Resolvers We Use
The Resolvers We UseAPNIC
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderSplend
 
Study of QoS on DNS services provided in Benin at AIS'18
Study of QoS on DNS services provided in Benin at AIS'18Study of QoS on DNS services provided in Benin at AIS'18
Study of QoS on DNS services provided in Benin at AIS'18Yazid AKANHO
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?APNIC
 
Business Ready Teleworker Design Guide
Business Ready Teleworker Design GuideBusiness Ready Teleworker Design Guide
Business Ready Teleworker Design GuideJoel W. King
 
Become the Master of Your DNS
Become the Master of Your DNSBecome the Master of Your DNS
Become the Master of Your DNSThousandEyes
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
ThousandEyes EMEA - Become the Master of Your DNS
ThousandEyes EMEA - Become the Master of Your DNSThousandEyes EMEA - Become the Master of Your DNS
ThousandEyes EMEA - Become the Master of Your DNSThousandEyes
 

Similaire à Review of the KSK Roll and Impact Measurements (20)

NANOG 74: That KSK Roll
NANOG 74: That KSK RollNANOG 74: That KSK Roll
NANOG 74: That KSK Roll
 
The New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSKThe New Root Zone DNSSEC KSK
The New Root Zone DNSSEC KSK
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
 
End User DNS Measurement at APNIC
End User DNS Measurement at APNICEnd User DNS Measurement at APNIC
End User DNS Measurement at APNIC
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover2017 DNSSEC KSK Rollover
2017 DNSSEC KSK Rollover
 
DNSSEC at Penn
DNSSEC at PennDNSSEC at Penn
DNSSEC at Penn
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Rolling the Root KSK
Rolling the Root KSKRolling the Root KSK
Rolling the Root KSK
 
The Resolvers We Use
The Resolvers We UseThe Resolvers We Use
The Resolvers We Use
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
 
Study of QoS on DNS services provided in Benin at AIS'18
Study of QoS on DNS services provided in Benin at AIS'18Study of QoS on DNS services provided in Benin at AIS'18
Study of QoS on DNS services provided in Benin at AIS'18
 
Citrix NetScaler SD-WAN - What’s New, What’s Hot?
Citrix NetScaler SD-WAN - What’s New, What’s Hot?Citrix NetScaler SD-WAN - What’s New, What’s Hot?
Citrix NetScaler SD-WAN - What’s New, What’s Hot?
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
 
Business Ready Teleworker Design Guide
Business Ready Teleworker Design GuideBusiness Ready Teleworker Design Guide
Business Ready Teleworker Design Guide
 
Become the Master of Your DNS
Become the Master of Your DNSBecome the Master of Your DNS
Become the Master of Your DNS
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
ThousandEyes EMEA - Become the Master of Your DNS
ThousandEyes EMEA - Become the Master of Your DNSThousandEyes EMEA - Become the Master of Your DNS
ThousandEyes EMEA - Become the Master of Your DNS
 

Plus de APNIC

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 

Plus de APNIC (20)

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 

Dernier

Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxBipin Adhikari
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 

Dernier (20)

Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptx
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 

Review of the KSK Roll and Impact Measurements

  • 1. A Review of the KSK Roll Geoff Huston APNIC Labs
  • 2. Why am I presenting this? • I ’m not part of ICANN or the PTI • APNIC is not a root server operator • I’m not a member of the root server cabal • I can’t see root server query data
  • 3. Why am I presenting this? But … I’m one of almost 4 billion consumers of the DNS, and the stability, integrity and robustness of the DNS root matters for me So I’m an interested member of the community of DNS consumers
  • 4. The Plan • The KSK is “special” • There is no “parent” key for the root • Every DNSSEC-validating resolver needs to load (and trust) the new KSK • The plan is to use “old-signs-new” approach • The old key signs over the new key for some minimum hold-down period • DNSSEC-validating resolvers are supposed to add the new key to their local trusted key collection once they have seen a stable sign-over for the hold- down period
  • 5. The Plan - V1 11 October 2017
  • 6. The best laid plans…
  • 7. The Plan - V2 11 October 201827 September 2017 11 January 2019 KSK-2017 is published in the root zone across the pause
  • 9. What Worked The KSK was rolled Internet-wide DNSSEC validation levels were not significantly impacted
  • 10. What Did Not • The exercise was not exactly incident free • There were issues with: • Predicting the impact of the KSK roll • Measuring the impact of the KSK roll • Predicting the impact of KSK revocation
  • 11. KSK Measurement Objective What number of users are at risk of being impacted by the KSK Roll?
  • 12. KSK Measurement Objective What number of users are at risk of being impacted by the KSK Roll? We can’t do this measurement directly We can only measure the capabilities of the DNS infrastructure and estimate the impact
  • 13. Signalling via Queries Client DNS Resolver Server DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS ResolverDNS ResolverDNS ResolverDNS ResolverDNS ResolverDNS Resolver Queries The query contains added resolver information which passes inward in the DNS towards the authoritative server(s)
  • 14. Measuring Resolvers with RFC 8145 Getting resolvers to report on their local trusted key state • A change to resolver behavior that requires deployment of new resolver code • Resolvers that support the RFC 8145 signal mechanism periodically include the key tag of their locally trusted keys into a query directed towards the root servers
  • 15. What did we see at the roots? Duane Wessels VeriSign RFC 8145 Signaling Trust Anchor Knowledge In DNS Security Extensions Presentation to DNSSEC Workshop @ ICANN 60 – 1 Nov 2017 https://schd.ws/hosted_files/icann60abudhabi2017/ea/Duane%20Wessels-VeriSign-RFC%208145-Signaling%20Trust%20Anchor%20Knowledge%20in%20DNS%20Security%20Extensions.pdf root service operators
  • 16. 12 months of RFC8145 signalling http://root-trust-anchor-reports.research.icann.org Yes, with just a few days to go this mechanism was still reporting 5% ‘breakage’
  • 17. 20 months of RFC8145 signalling http://root-trust-anchor-reports.research.icann.org This mechanism is still reporting 1% ‘breakage’
  • 18. What is this saying? It’s clear that there is some residual set of resolvers that are signalling that they have not yet learned to trust KSK-2017 But its not clear if: • This is an accurate signal about the state of this resolver • This is an accurate signal about the identity of this resolver • Whether the resolver attempts DNSSEC validation • How many users sit ‘behind’ this resolver • Whether these uses rely solely on this resolver, or if they also have alternate resolvers that they can use
  • 19. Why? • Because the DNS does not disclose the antecedents of a query • If A forwards a query to B, who queries a Root Server then if the query contains an implicit signal (as in this case) then it appears that B is querying, not A • At no time is the user made visible in the referred query • Because caching • If A and B both forward their queries via C, then it may be that one or both of these queries may be answered from C’s cache • In this case the signal is being suppressed • Because its actually measuring a cause, not the outcome • Its measuring resolvers’ uptake of the new KSK, but is not able to measure the user impact of this
  • 20. Signalling via Responses Client DNS Resolver Server DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS Resolver DNS ResolverDNS ResolverDNS ResolverDNS ResolverDNS ResolverDNS Resolver Responses The response contains added information or altered behaviours which passes backward in the DNS towards the original querier
  • 21. User-Side Measurement Can we devise a DNS query that could reveal the state of the trusted keys of the resolvers back to the user? • What about a change to the resolver’s reporting of validation outcome depending on the resolver’s local trusted key state? • If a query contains the label “root-key-sentinel-is-ta-<key-tag>” then a validating resolver will report validation failure (SERVFAIL) if the key is NOT in the local trusted key store • If a query contains the label “root-key-sentinel-not-ta-<key-tag>” then a validating resolver will report validation failure (SERVFAIL) if the key IS in the local trusted key store
  • 22. DNS + Web • How can you tell if a user is able to resolve a DNS name? • Be the user (get the user to run a script of some sort) • Look at the DNS server AND the Web server • The Web object is fetched only when the DNS provides a resolution answer • But the opposite is not necessarily the case, so there is a noise component in such an approach
  • 23. Prior to the KSK Roll 16% of users use DNSSEC- validating resolvers 15% of users do not report their KSK trust-state 0.5% of users report KSK-2017 loaded 0.005% of users report KSK-2017 NOT loaded
  • 24. Possibly Affected Users Between 0.1% to 0.2% of users are reporting that their resolvers have not loaded KSK-2017 as a trust anchor The measurement has many uncertainties and many sources of noise so this is an upper bound of the pool of users who may encounter DNS failure due to to the KSK roll
  • 25. What happened SIDN Labs Atlas Measurement
  • 26. What we saw % of folk that reported “good” % of folk that reported “bad” KSK roll period
  • 28. What happens when you lose track of the KSK?
  • 30. EIR - AS5466 DNSSEC Data KSK Roll Cache Expiry Daily Sample Count Validating Sample Count
  • 31. Internet DNSSEC Data Is this part-related to the KSK Roll?
  • 32. Looking for Affected Networks • Lets use the following filter: • More than 400 samples / day in the lead up to the KSK roll (using weighted sample count) • DNSSEC validation level more than 30% prior to the KSK roll • Drop of more than 33% in DNSSEC validation during the KSK roll
  • 33. Rank AS CC Seen Validating As Name Before During After Before During After 1 AS2018 ZA 1,858 1,122 1,473 694 220 288 TENET, South Africa 2 AS10396 PR 1,789 1,673 1,988 1,647 276 33 COQUI-NET - DATACOM CARIBE, Puerto Rico 3 AS45773 PK 1,553 388 1,393 606 178 540 HECPERN-AS-PK PERN, Pakistan 4 AS15169 IN 1,271 438 1,286 1,209 438 1,242 GOOGLE - Google LLC, India 5 AS22616 US 1,264 503 1,526 883 377 1,014 ZSCALER- SJC, US 6 AS53813 IN 1,213 689 1,862 1,063 582 1,419 ZSCALER, India 7 AS1916 BR 1,062 94 991 326 37 277 Rede Nacional de Ensino e Pesquisa, Brazil 8 AS9658 PH 931 281 842 440 136 404 ETPI-IDS-AS-AP Eastern Telecoms, Philippines 9 AS37406 SS 888 486 972 582 365 599 RCS, South Sudan 10 AS263327 BR 882 345 438 776 289 359 ONLINE SERVICOS DE TELECOMUNICACOES, Brazil 11 AS17557 PK 835 430 777 431 277 413 Pakistan Telecommunication, Pakistan 12 AS36914 KE 834 476 937 583 354 670 KENET , Kenya 13 AS327687 UG 802 473 834 390 189 332 RENU, Uganda 14 AS680 DE 773 966 1,332 268 117 289 DFN Verein zur Foerderung, Germany 15 AS201767 UZ 761 538 729 461 200 371 UZMOBILE, Uzbekistan 16 AS37682 NG 695 401 728 593 274 568 TIZETI, Nigeria 17 AS7470 TH 674 214 507 219 94 182 True Internet, Thailand 18 AS51167 DE 670 378 479 214 78 156 CONTABO, Germany 19 AS15525 PT 600 260 593 287 125 284 MEO-EMPRESAS, Portugal 20 AS14061 GB 594 468 672 260 169 313 DigitalOcean, United Kingdom 21 AS37130 ZA 585 5 464 414 0 260 SITA, South Africa 22 AS30998 NG 583 264 484 192 54 143 NAL, Nigeria 23 AS135407 PK 569 227 457 419 207 344 TES-PL-AS-AP Trans World, Pakistan 24 AS16814 AR 565 235 456 258 120 208 NSS, Argentina 25 AS132335 IN 563 17 30 538 17 23 NETWORK-LEAPSWITCH-IN LeapSwitch Networks, India 26 AS5438 TN 559 532 579 526 171 27 ATI,Tunisia 27 AS5466 IE 547 240 401 419 184 329 EIRCOM Internet House, IE Ireland 28 AS18002 IN 538 467 614 277 176 242 WORLDPHONE-IN AS, India 29 AS37209 NG 532 109 438 269 45 194 HYPERIA, Nigeria 30 AS37100 ZA 454 161 401 168 95 131 SEACOM-AS, South Africa 31 AS5588 CZ 453 175 430 186 102 162 GTSCE GTS Central Europe, Czechia 32 AS1103 NL 446 38 363 189 7 132 SURFnet, The Netherlands 33 AS17563 PK 402 117 359 207 64 199 Nexlinx, Pakistan 34 AS327724 UG 401 120 538 208 103 266 NITA, Uganda 35 AS7590 PK 400 122 329 266 84 224 COMSATS, Pakistan
  • 34. Rank AS CC Seen Validating As Name Before During After Before During After 1 AS2018 ZA 1,858 1,122 1,473 694 220 288 TENET, South Africa 2 AS10396 PR 1,789 1,673 1,988 1,647 276 33 COQUI-NET - DATACOM CARIBE, Puerto Rico 3 AS45773 PK 1,553 388 1,393 606 178 540 HECPERN-AS-PK PERN, Pakistan 4 AS15169 IN 1,271 438 1,286 1,209 438 1,242 GOOGLE - Google LLC, India 5 AS22616 US 1,264 503 1,526 883 377 1,014 ZSCALER- SJC, US 6 AS53813 IN 1,213 689 1,862 1,063 582 1,419 ZSCALER, India 7 AS1916 BR 1,062 94 991 326 37 277 Rede Nacional de Ensino e Pesquisa, Brazil 8 AS9658 PH 931 281 842 440 136 404 ETPI-IDS-AS-AP Eastern Telecoms, Philippines 9 AS37406 SS 888 486 972 582 365 599 RCS, South Sudan 10 AS263327 BR 882 345 438 776 289 359 ONLINE SERVICOS DE TELECOMUNICACOES, Brazil 11 AS17557 PK 835 430 777 431 277 413 Pakistan Telecommunication, Pakistan 12 AS36914 KE 834 476 937 583 354 670 KENET , Kenya 13 AS327687 UG 802 473 834 390 189 332 RENU, Uganda 14 AS680 DE 773 966 1,332 268 117 289 DFN Verein zur Foerderung, Germany 15 AS201767 UZ 761 538 729 461 200 371 UZMOBILE, Uzbekistan 16 AS37682 NG 695 401 728 593 274 568 TIZETI, Nigeria 17 AS7470 TH 674 214 507 219 94 182 True Internet, Thailand 18 AS51167 DE 670 378 479 214 78 156 CONTABO, Germany 19 AS15525 PT 600 260 593 287 125 284 MEO-EMPRESAS, Portugal 20 AS14061 GB 594 468 672 260 169 313 DigitalOcean, United Kingdom 21 AS37130 ZA 585 5 464 414 0 260 SITA, South Africa 22 AS30998 NG 583 264 484 192 54 143 NAL, Nigeria 23 AS135407 PK 569 227 457 419 207 344 TES-PL-AS-AP Trans World, Pakistan 24 AS16814 AR 565 235 456 258 120 208 NSS, Argentina 25 AS132335 IN 563 17 30 538 17 23 NETWORK-LEAPSWITCH-IN LeapSwitch Networks, India 26 AS5438 TN 559 532 579 526 171 27 ATI,Tunisia 27 AS5466 IE 547 240 401 419 184 329 EIRCOM Internet House, IE Ireland 28 AS18002 IN 538 467 614 277 176 242 WORLDPHONE-IN AS, India 29 AS37209 NG 532 109 438 269 45 194 HYPERIA, Nigeria 30 AS37100 ZA 454 161 401 168 95 131 SEACOM-AS, South Africa 31 AS5588 CZ 453 175 430 186 102 162 GTSCE GTS Central Europe, Czechia 32 AS1103 NL 446 38 363 189 7 132 SURFnet, The Netherlands 33 AS17563 PK 402 117 359 207 64 199 Nexlinx, Pakistan 34 AS327724 UG 401 120 538 208 103 266 NITA, Uganda 35 AS7590 PK 400 122 329 266 84 224 COMSATS, Pakistan These networks turned DNSSEC validation off!
  • 35. Impact of the KSK Roll • The immediate impact appears to be some 0.2% - 0.3% of users • In 32 ISP cases service was restored with DNSSEC validation enabled • In 3 ISP cases DNSSEC validation was turned off
  • 36. But that’s not the end of the story… • The next event was the revocation of KSK-2010 at 1400 UTC, 11 January 2019 • This was meant to be easy • It required no trust transition on the part of DNSSEC-validating resolvers • KSK-2010 was published as a signing KEY for DNSSEC with the ”revoke bit” set in the key flags • While the DNSKEY response was large (1,449 octets) other parts of the DNS generate larger responses for validating resolvers
  • 37. And for clients the revocation was uneventful
  • 38. But Root Servers reported a different story Duane Wessels, KSK Roller Post Analysis, DNS OARC, May 2019
  • 39. Why? Query spin in old versions of a popularly deployed resolver
  • 40. Lessons Learned • Yes, we can roll the KSK! • Yes, the extensive contact campaign helped BUT • The DNS is VERY opaque! • Instrumentation was extremely challenging
  • 42. Observations • The operation was an experiment • DNS trust state signalling (both forms) seems to add more noise rather than clarity • We could think about making the DNS more transparent • But there is a clear trade-off between greater transparency and exposing end user behaviours • So maybe we might not want to go there!
  • 43. Observations • Is DNSSEC validation most appropriately a resolver function or an edge function? • Envisaged in DANE Chain Extensions in the TLS - requires edge devices to hold the current KSK value and perform DNSSEC validation • Is 5011 really the best way for edge devices to maintain their KSK copy? • Really? If we want to think about scaling DNSSEC validation to every host device what KSK management practices will scale?
  • 44. One View • We should perform this operation often • Maybe we just need to keep rolling every year • That way we train the manual loaders to keep up! • We should now look at an Elliptical Curve algorithm roll • We should now look at standing a backup KSK provision
  • 45. Another View • Why are we rolling the KSK? • Actual key compromise might not play out in the same staged manner as a planned key roll • If these planned key rolls are not a rehearsal for some unforeseen potential calamity then why are we deliberately adding instability into DNSSEC? • Is doing this again going to teach us anything new? • Is old-signs-new really the best way to do this? • How should we scale the KSK?