[AusNOG] KSK rollover timeline and how to check if your systems are ready

Mark Andrews marka at isc.org
Tue Sep 12 15:33:18 EST 2017


+1000 to this.

You need to check *before* October 11 because if your validating
resolvers don't have the new KSK installed before then, all you will
get out of them for EVERY query is SERVFAIL.

Current versions of BIND have the new trust anchor built in and it
will be used if you have "dnssec auto;" configured.

If "dig +dnssec isc.org" has the "ad" flag set in the DNS flags
then your resolver is validating and you need to check your resolver's
configuration.

e.g.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> +dnssec isc.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20356
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;isc.org.			IN	A

;; ANSWER SECTION:
isc.org.		60	IN	A	149.20.64.69
isc.org.		60	IN	RRSIG	A 5 2 60 20171011233354 20170911233354 60321 isc.org. SBKxd3l2YZfOW8PTHPp0jJZNuodSAxE+Muvc0BlUouGE4cQH2y+/sVo1 zq4bkXB+q2zmC3d1cBeN0dOmDOuV3YKTBOK4gQILmAgwM7KNKISG54Bp tcsgW0O9cHEYjLPWTFzY21TIkVOgE55ihHCtJ7+GVvcjWJlzeowlar3m ITg=

;; Query time: 480 msec
;; SERVER: 2001:470:a001:3::1#53(2001:470:a001:3::1)
;; WHEN: Tue Sep 12 15:08:00 AEST 2017
;; MSG SIZE  rcvd: 219

Note: Home CPE routers perform DNSSEC validation these days so don't
forget those boxes.

DNSMASQ should have multiple trust anchor clauses specified.

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

https://github.com/imp/dnsmasq/blob/master/trust-anchors.conf

Mark

In message <A9DA11D8-9297-47F4-B588-A002D56FEBE9 at icann.org>, Save Vocea writes:
> Dear AusNOG list members,
>
> I’d appreciate if this is shared through your network /organizations
> and to check if your systems won’t be affected by the following change.
>
> The Internet Corporation for Assigned Names and Numbers (ICANN) is
> planning to roll, or change, the “top” pair of cryptographic keys used
> in the Domain Name System Security Extensions (DNSSEC) protocol,
> commonly known as the Root Zone KSK. This will be the first time the KSK
> has been changed since it was initially generated in 2010, and is
> considered an important security step, in much the same way that
> regularly changing passwords is considered a prudent practice by any
> Internet user.
>
> What does that mean?
>
> Rolling the KSK means generating a new cryptographic public and private
> key pair and distributing the new public component to parties who operate
> validating resolvers, including: Internet Service Providers; enterprise
> network administrators and other Domain Name System (DNS) resolver
> operators; DNS resolver software developers; system integrators; and
> hardware and software distributors who install or ship the root's "trust
> anchor." The KSK is used to cryptographically sign the Zone Signing Key
> (ZSK), which is used by the Root Zone Maintainer to DNSSEC-sign the root
> zone of the Internet's DNS.
>
> Why do you need to prepare?
>
> Currently, 25% of global Internet users, or 750 million people, use
> DNSSEC-validating resolvers that could be affected by the KSK rollover.
> If these validating resolvers do not have the new key when the KSK is
> rolled, end users relying on those resolvers will encounter errors and be
> unable to access the Internet.
>
> How to know if your systems are up-to-date?
>
> ICANN is offering a test bed for operators or any interested parties to
> confirm that their systems handle the automated update process correctly.
> Check to make sure your systems are ready by visiting:
> http://go.icann.org/KSKtest.
>
> What is the timeline for this process?
> October 27, 2016: KSK rollover process begins as the new KSK is generated.
> July 11, 2017: Publication of new KSK in DNS.
> September 19, 2017: Size increase for DNSKEY response from root name
> servers.
> October 11, 2017: New KSK begins to sign the root zone key set (the
> actual rollover event).
> January 11, 2018: Revocation of old KSK.
> March 22, 2018: Last day the old KSK appears in the root zone.
> August 2018: Old key is deleted from equipment in both ICANN Key
> Management Facilities.
>
> More information about the root zone KSK rollover is available here:
> https://www.icann.org/resources/pages/ksk-rollover.
>
> Thank you,
>
> Save Vocea
>
> VP, Global Stakeholder Engagement, Oceania
>
> ICANN
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
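The two checks Mark describes, the "ad" flag test with dig +dnssec and the dnsmasq trust-anchor lines, as an added example that is not code from his post, from BIND or from dnsmasq. It builds a DNS query with the EDNS0 DO bit and decodes the AD flag and RCODE from a response header, and it parses trust-anchor= lines to confirm the 2017 root KSK (key tag 20326) is configured with a well-formed digest. The sample header bytes and the config fragment are constructed for the example (the digests are the two quoted in the post); the script name ksk_check.py and the resolver argument in the usage line are assumptions.

```python
"""Added example, not code from Mark Andrews' post, BIND or dnsmasq.
Standard library only. It covers the two checks discussed above:
 1. an A query with the EDNS0 DO bit and decoding of the AD flag from the
    response header (the "ad" that "dig +dnssec" prints); a SERVFAIL with
    no AD is what a validating resolver with a stale trust anchor returns;
 2. parsing dnsmasq trust-anchor= lines and confirming the 2017 root KSK
    (key tag 20326) is present with a well-formed digest.
Sample header bytes and config text below are constructed for the example;
the digests are the ones quoted in the post.
"""
import socket
import struct
import sys

NEW_ROOT_KSK_TAG = 20326  # KSK-2017
OLD_ROOT_KSK_TAG = 19036  # KSK-2010
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # DS digest types SHA-1, SHA-256, SHA-384

def encode_name(name):
    """Encode a dotted name such as "isc.org" as DNS wire-format labels."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").split(".") if lab)
    return out + b"\x00"

def build_dnssec_query(name, qid=0x1234):
    """A/IN query with RD set plus an OPT RR (type 41) carrying the DO bit,
    so a validating resolver returns RRSIGs and sets AD on success."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT: root owner, TYPE=41, UDP payload 4096, ext-RCODE 0, version 0, DO flag, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header_flags(msg):
    """Decode the 12-byte DNS header into the flag bits that dig prints."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "answers": an}

def resolver_validates(msg):
    """The post's test: AD set on a NOERROR answer means the resolver validates."""
    f = parse_header_flags(msg)
    return f["ad"] and f["rcode"] == 0

def query_resolver(name, server, port=53, timeout=3.0):
    """Send the query over UDP and return the raw response (needs network)."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dnssec_query(name), (server, port))
        data, _ = s.recvfrom(4096)
    return data

def parse_trust_anchor(line):
    """Parse 'trust-anchor=<zone>,<keytag>,<alg>,<digesttype>,<digest>'.
    Whitespace inside the digest (line-wrapped configs) is tolerated."""
    line = line.strip()
    if not line.startswith("trust-anchor="):
        return None
    zone, tag, alg, dtype, digest = line[len("trust-anchor="):].split(",", 4)
    return {"zone": zone, "keytag": int(tag), "alg": int(alg),
            "dtype": int(dtype), "digest": "".join(digest.split()).upper()}

def check_dnsmasq_anchors(config_text):
    """Return (has_new_ksk, problems) for a dnsmasq config fragment."""
    anchors = [a for a in map(parse_trust_anchor, config_text.splitlines()) if a]
    problems = []
    for a in anchors:
        want = DIGEST_HEX_LEN.get(a["dtype"])
        digest_ok = (want is not None and len(a["digest"]) == want
                     and all(c in "0123456789ABCDEF" for c in a["digest"]))
        if not digest_ok:
            problems.append("malformed digest for key tag %d" % a["keytag"])
    has_new = any(a["zone"] == "." and a["keytag"] == NEW_ROOT_KSK_TAG and a["alg"] == 8
                  for a in anchors)
    if not has_new:
        problems.append("root trust anchor for key tag %d (KSK-2017) missing" % NEW_ROOT_KSK_TAG)
    return has_new, problems

# Constructed sample data: a header matching the post's dig output
# (id 20356, flags "qr rd ra ad", 1 question, 2 answers) and a SERVFAIL header.
SAMPLE_VALIDATED_HEADER = struct.pack("!HHHHHH", 20356, 0x81A0, 1, 2, 0, 1)
SAMPLE_SERVFAIL_HEADER = struct.pack("!HHHHHH", 20356, 0x8182, 1, 0, 0, 1)
CONFIG_WITH_BOTH = (
    "trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
    "trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"
)
CONFIG_OLD_ONLY = CONFIG_WITH_BOTH.splitlines()[0] + "\n"

if __name__ == "__main__":
    print("sample validated header ->", resolver_validates(SAMPLE_VALIDATED_HEADER))
    print("sample SERVFAIL header   ->", resolver_validates(SAMPLE_SERVFAIL_HEADER))
    print("config with both anchors ->", check_dnsmasq_anchors(CONFIG_WITH_BOTH))
    print("config with old only     ->", check_dnsmasq_anchors(CONFIG_OLD_ONLY))
    if len(sys.argv) > 1:  # usage: python3 ksk_check.py <resolver-ip> [name]
        name = sys.argv[2] if len(sys.argv) > 2 else "isc.org"
        print("live", sys.argv[1], parse_header_flags(query_resolver(name, sys.argv[1])))
```

Run without arguments it only exercises the constructed samples; with a resolver address it sends the DO-bit query to that resolver and prints the decoded header, so a validating resolver shows ad=True with rcode 0, while one whose trust anchor is stale after the rollover shows rcode 2 (SERVFAIL) and no AD. The config check deliberately reports both a missing 20326 anchor and a digest of the wrong length for its digest type, since a line-wrapped or truncated hex string is the typical way a hand-copied trust anchor goes wrong.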

