Topic:DNSSECOpsProblem:SEPprovisioning

EdwardLewisRIPE59

Oct8,2009 1ed.lewis@neustar.biz

Abstract

•  AnSEPisaDNSSECpublickeythatanadministratorgeneratesaspartofthesigningprocess

•  AnSEPisaDNSSECpublickeythatananadministratorreceivesasinput,leadingtoDSrecordsatadelegaOon

•  ThereisnostandardwaytotransfertheSEPdespitemanyadmin‐adminenvironments

Oct8,2009 ed.lewis@neustar.biz 2

Whydoweneedastandard

•  Today'sad‐hocsituaOonisn'tworking•  Theabsenceofastandardmeanstheexchangesareinformal–  Informaldoesnotscale– Newplayersdon'tknowwheretostart– Disenfranchiseddemographicstaysthatway

•  Integrateasmanyplayersaspossible,safely

Oct8,2009 ed.lewis@neustar.biz 3

AdilemmaIlivewith

•  AgTLD/ccTLDregistryisexpecOngtorelyonaEPPserverasitsprovisioningingresspoint

•  ADNSmanagedservice,notaregistrar,doesnotoperateaEPPclient

•  Howdotheytalktoeachother?– EvenwithinthesameorganizaOon?

Oct8,2009 ed.lewis@neustar.biz 4

SecureEntryPoint(SEP)

•  ASecureEntryPointisakey(KSK)thatisintendedto– ProduceaDSrecordattheparent– BeconfiguredinaTrustAnchorlist– BeredistributedbyaTrustAnchorRepository

Oct8,2009 ed.lewis@neustar.biz 5

TrustAnchorRepository

•  TARisa"securitysurrogate"– ToaDNSadministrator,itactsliketheparentwithrespecttotheSEPsubmission

– ToaDNScacheoperator,itisaregistryofsecuritymetadata(SEPs)withdomainnames

•  ATARisyetanotherformofaregistry– FocusdiffersfromaDomainNameRegistryorRIR

Oct8,2009 ed.lewis@neustar.biz 6

SEPLifecycle

•  IfanSEPwaspermanentwehavenoproblem,butcircumstancesmayrequireitbechanged

•  AnSEP's"lifecycle"mayincludethesestages– generaOon– preview(whichmightincludeemergency)

– acOve–  revoked(alaRFC5011)–  removed

Oct8,2009 ed.lewis@neustar.biz 7

SwappinganSEP

•  Oneapproach– StartwithexisOngSEP,signed– AddnewSEPtoset,signed– RequestaswapofDSrecordsatparentorTAR– Confirmchange,revoke(RFC5011)theold

– RemovetheoldSEP

Oct8,2009 ed.lewis@neustar.biz 8

Addendum

•  TheremaybemorethanoneSEPforazone– Forexample,onepercrypto‐algorithm

– ForanyoperaOonalreason•  TheSEPchangeprocesspresentedhereisjustonemodel– Thisisn'tanefforttopickonechangeprocess– TheresulOngprovisioningprocessshouldaccommodatemanydifferentchangeprocesses

Oct8,2009 ed.lewis@neustar.biz 9

Theproblem

•  Middlestep:RequestaswapofDSrecordsatparentand/orTAR– Anexternaldependency– Fewhavespecifiedhowthiswillbedone•  ThereisRFC4310(EPPforDNSSEC)butthathaslimitedscope

– Testbedsofferwebpages;keyscraperspick– BuildingscriptsforSEPchangeisnoteasy

•  Needstoaddress:security,servicelevelagreement

Oct8,2009 ed.lewis@neustar.biz 10

Whydidn'tRFC5011solvethis?

•  RFC5011"AutomatedUpdatesofDNSSECTrustAnchors"– NomenOonofredistribuOonissues– NoconfirmaOonstep(notneededbecausethiswasn'tmeantforredistribuOontootherparOes)

•  WithoutconfirmaOon,thisdoesn'tprovidethenecessaryfeedbacktotheprovisioningclient

Oct8,2009 ed.lewis@neustar.biz 11

VisualizingtheProblem

•  Thenextfiveslidesshowthesefoursteps– ThechildpublishesanewSEP(‐to‐be)– TheDS(newSEP)getstotheparent‐TAR– Parent‐TARpublishesthe(Signed)DS– ThechildrevokestheoldSEP

•  Hmm,beforeIsaidtherewerefivesteps– Thisfocusesonstep#2,#3,#4,dividing#3inhalf

Oct8,2009 ed.lewis@neustar.biz 12

SEP:Pre‐publishinDNS

Oct8,2009 ed.lewis@neustar.biz 13

Child Parent‐TAR

DNSMaster

DNSSlave

DNSSlave

DNSMaster

DNSSlave

DNSSlave

DNSSECSigner

DataEntry

KeyMgmt

DNSSECSigner

DataEntry

KeyMgmt

SEP:RequestDSswap

Oct8,2009 ed.lewis@neustar.biz 14

Child Parent‐TAR

DNSMaster

DNSSlave

DNSSlave

DNSMaster

DNSSlave

DNSSlave

DNSSECSigner

DataEntry

KeyMgmt

DNSSECSigner

DataEntry

KeyMgmt

SEP:RequestDSappearinparent

Oct8,2009 ed.lewis@neustar.biz 15

Child Parent‐TAR

DNSMaster

DNSSlave

DNSSlave

DNSMaster

DNSSlave

DNSSlave

DNSSECSigner

DataEntry

KeyMgmt

DNSSECSigner

DataEntry

KeyMgmt

Or,viatheDNSin‐bandprotocol

SEP:Parent‐TARsigns

Oct8,2009 ed.lewis@neustar.biz 16

Child Parent‐TAR

DNSMaster

DNSSlave

DNSSlave

DNSMaster

DNSSlave

DNSSlave

DNSSECSigner

DataEntry

KeyMgmt

DNSSECSigner

DataEntry

KeyMgmt

SEP:ConfirmDS

Oct8,2009 ed.lewis@neustar.biz 17

Child Parent‐TAR

DNSMaster

DNSSlave

DNSSlave

DNSMaster

DNSSlave

DNSSlave

DNSSECSigner

DataEntry

KeyMgmt

DNSSECSigner

DataEntry

KeyMgmt

SEP:AcOvate‐revokeoldthatis

Oct8,2009 ed.lewis@neustar.biz 18

Child Parent‐TAR

DNSMaster

DNSSlave

DNSSlave

DNSMaster

DNSSlave

DNSSlave

DNSSECSigner

DataEntry

KeyMgmt

DNSSECSigner

DataEntry

KeyMgmt

Thebasicsteps

•  ThechildpublishesanewSEP•  TheDS(newSEP)getstotheparent‐TAR•  Parent‐TARpublishesthe(Signed)DS•  ThechildrevokestheoldSEP

•  TheabovelistdoesnotaddressingOming

•  Anditdoesn'taddressincludingallparent&TARs

Oct8,2009 ed.lewis@neustar.biz 19

SharedRegistryModel

•  ICANNhasspecifiedaparOcularmodel•  Basicidea‐separaOonbetweenregistrantandregistry,registrarismiddle‐man;noconsideraOonwasgiventoDNSoperaOons– Goodforbusiness– CausesabarrierforDNSin‐bandupdates

•  Butthisisnottheonlywaytodothis,arguablynoteventhemajorityofenvironments

Oct8,2009 ed.lewis@neustar.biz 20

TAR/TAROps

TAR/TAROps

GeneralizedProvisioningModel

Oct8,2009 ed.lewis@neustar.biz 21

RegistryRIR

RegistrarLIR

Registrant

ParentOperator

TAR/TAROps

ChildOperator

Remember,Provisioning

•  Whenlookingatthis,rememberwehavetothinkprovisioning(set‐up)andnotthelookup– Thismeansthattheparenthastogetthedataintotheregistry,notjustadynamicupdate

– ThisdoesnotprecludetheuseoftheDNSprotocoltopickupinformaOon

•  ThatiswhythevalidaOngcacheusingtheparent‐TARDSrecordisnotshown

Oct8,2009 ed.lewis@neustar.biz 22

Knownrequirements

•  FuncOon–  SendnewDNSKEY/DStoparentwhenitshouldreplaceexisOng;parentinformsofcompleOon;confirmaOon

– Moregeneral,weshouldusethetradiOonaladd/modify/deleteparadigmtoaccommodatemoresituaOons

•  Security‐Pair‐wiseauthenOcaOon,tamper‐proofxfer

•  Accountability‐ExisOngopsmodelsneedtobemaintained

•  Performance‐SLAforrequestandresponse•  Predictable‐E.g.,TimetocompleOon

Oct8,2009 ed.lewis@neustar.biz 23

Environments

•  RegistranttoRegistry,eachasownoperator•  DNSoutsourcedbyRegistrant•  DNSoutsourcedbyRegistry•  Registrarinthemiddle(orchainofthem)

•  RegistrarasDNSoperator•  Registranthasregistrarandseparateoperator•  EPPinterface,SOAP/XML‐basedapproaches

Oct8,2009 ed.lewis@neustar.biz 24

RelatedProblem

•  SomeDNSoperatorsaresigningalloftheircustomer'szones

•  WhenoneoftheircustomerstransfersDNSoperaOons(withorwithoutchanging"registrar"),theoldDSrecordremainsintheregistry

•  IfthecustomercannotremovetheoldDS,thezonewillbegintofailDNSSECvalidaOon

Oct8,2009 ed.lewis@neustar.biz 25

Thenextfewslidesareforideas

•  Afewenvironmentsaresketchedout•  Notcomplete,notparOcularlyimportant

•  Buttheretocapturethewiderissuesinvolved

Oct8,2009 ed.lewis@neustar.biz 26

FudgingintoanEPPSRM

Oct8,2009 ed.lewis@neustar.biz 27

gTLDRegistrarRegistrant

ChildDNS

Operator

DNSSub‐system

EPP

DynamicUpdate

HTTPS

Registrar"knowsall"

AsanaddiOontoEPPSRM

Oct8,2009 ed.lewis@neustar.biz 28

gTLDRegistrarRegistrant

ChildDNS

Operator

DNSSub‐system

EPP

Dyn‐Update

HTTPS

newmethod

NoRegistrar,outsourcedDNS

Oct8,2009 ed.lewis@neustar.biz 29

gTLDRegistrant

ChildDNS

Operator

DNSSub‐system

Dyn‐Update

newmethod

ReverseMap

Oct8,2009 ed.lewis@neustar.biz 30

RIRLIR/ISPCustomer

ChildReverseMap

in‐addr/ipv6DNS

LIRReverseMap

UnsignedRegistry,mulOpleTAR(s)

Oct8,2009 ed.lewis@neustar.biz 31

RegistryRIR

RegistrarLIR

Registrant

ParentOperator

TAR/TAROps

ChildOperator

TAR/TAROps

SoluOonsareTempOng

•  AfewproposedsoluOonshavebeenoutthere•  Someclaimoutforyears

•  Butthere'sbeennogoodcutatrequirements

•  WhendoweneedasoluOon?– Ofcoursenow,but,let'ssolvetherightproblem

Oct8,2009 ed.lewis@neustar.biz 32

UlOmately

•  Astandardcan'tbemandatedforallenvironments,butweneedtohaveageneralpurposesoluOon

•  OrwewillconOnuetohaveissues•  Onlyastandardwillgrow

Oct8,2009 ed.lewis@neustar.biz 33

I'mDone

•  Thisisthelastslide–  I'mnotevengoingto"ask"iftherearequesOons.

– Discussionsareboundtofollow...maybenotrightnowinthemeeOng,butlater

Oct8,2009 ed.lewis@neustar.biz 34