Transcript of: DNS/DNSSEC and Domain Transfers: Are they compatible? (DNSSEC affects transfers of signed domains)
DNS/DNSSEC and Domain Transfers: Are they compatible?
Olafur Gudmundsson, Steve Crocker, Shinkuro Inc.
{ogud,steve}@shinkuro.com
Background
• Shinkuro was asked by ORG to look into how DNSSEC affects transfers of signed domains,
  – In particular when the Registrar operates the DNS service for the Domain holder.
• We have spent many months working out solutions that fit into the real world
  – Running DNSSEC transfer tests with early-adopting registrars for .org.
3/9/10 DNS and DNSSEC operator changes 2
Approach
• This presentation is from the perspective of the DNS protocol and DNS software, and is aimed at highlighting the real-world issues.
• Goals:
  – Eliminate and/or minimize DNS resolution errors and service calls
  – Minimize work by “old” operators
Approach (cont)
• Assumptions:
  – All parties are willing to be minimally cooperative.
    • Without cooperation: DNS resolution errors
  – Only DNS is being changed; all other services are ignored.
Approach (cont)
• How the behavior of certain DNS architectural elements affects the steps, at the time of:
  • DNS operator change
  • Registrar transfer
  • DNSSEC key change
• What DNS components need to be taken into account when changing operators:
  • Parent/Registry/Registrar behavior
  • Authoritative server behavior
  • Resolver’s behavior
  • TTL values and impact
Roles and Notation
• Domain holder (H)
  – The entity that has the registration for a domain
• DNS operator (O = old) (N = new)
  – Operates the DNS servers for the domain and maintains the zone
• Registrar (R)
  – The party that the Domain holder has contracted with to register the domain
  • From H’s perspective the Registry is not visible.
• Parent:
  – The DNS domain that has the delegation to the zone
• Content Provider:
  – Ignored in this presentation
• Red = ERROR, Blue = Optional, Orange = not desired / partial failure
DNS control plane for domains: Record types
• NS lists the set of hosts that act as authoritative name servers for a zone
  – Appears in two places
    • as a hint in the parent, unsigned
    • Authoritative in the child, signed.
• DNSKEY: the key(s) that can sign the data in the zone,
  – Resides at the child side of the delegation
• DS: the key(s) authorized to sign the child DNSKEY set
  – Resides at the parent side of the delegation, signed by the parent.
Simplified model
• New operator creates and loads a zone
  – Data is available but not visible, as the parent points to the old operator.
• Moment of DNS change:
  – When the parent changes the NS set to point to the new operator.
• New operator’s data becomes visible
  – BUT
Complication #1: TTL
• All DNS RRsets can be stored and reused by DNS resolvers/caches for a certain time after reception.
  – Resolvers that know about the old operator will keep asking the old operator until the NS set expires.
    • Until the NS set expires, the only reason for a resolver to ask the parent any question about the domain is to refresh the DS record.
DNS Operator Change: what happens
[Figure: Parent, Resolver, New and Old operator; Before / During / After the change]
Complication #2: Resolver behaviors
• Centricity:
  • Some resolvers only use the NS set from the child
  • Others just use the one from the parent
• TTL stretching:
  • When an identical copy of a cached RRset from the same source is seen
    – some resolvers use the new copy to refresh the TTL
    – resolvers can be sticky to the old operator.
• Error recovery:
  • Even when NONE of the authoritative servers answers, resolvers will not ask the parent for a newer copy of NS.
    – This is a common operator mistake / …….
    – asking the parent repeatedly will only yield the same bad data,
      » Only causes extra load
DNS operator change (script)
• Domain holder (H) is using O as DNS operator
• H asks N to become new DNS operator
• H assists N in instantiating a copy of the zone
  – O may or may not be involved.
• N gives H a new NS set.
• H via R (registrar) changes the NS set to point to N
• H asks O to change its NS set to N’s
  – This is optional for O
• H waits for old copies of NS sets to expire, i.e. the new NS set to become globally visible.
• H asks O to stop DNS service
  – O should stop service as soon as possible.
What can go wrong:
• If O stops service before the parent NS is changed:
  – Total DNS failure on all lookups
• If O stops service before all resolvers have migrated over:
  – Some resolvers may experience an outage
    • Hard to diagnose, as this depends on the state of local resolvers
• If O does not stop service when asked to
  – Some child-centric sticky resolvers may never discover the operator change
• N is not ready when NS is changed:
  – DNS resolution failure
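The script and the failure list above can be played through with a small cache-timing model. This is an added example, not code from the presentation: it models the two complications the slides describe (resolvers only return to the parent when their cached NS set expires, and they never re-ask the parent just because the cached servers stop answering), plus the child-centric "sticky" behaviour, and reports which resolvers see an outage or never discover N. Times, TTLs and resolver names are constructed; one query per resolver per time unit is assumed.

```python
"""Cache-timing model of an unsigned DNS operator change (O = old, N = new).

Added example, not part of the presentation.  Times are in arbitrary units
(hours work well); every resolver issues one query per time step."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Scenario:
    parent_ns_ttl: int            # TTL of the NS set in the parent (days at many TLDs)
    child_ns_ttl: int             # TTL of the NS set served by the zone itself
    parent_switch: int            # time the parent NS set starts pointing at N
    o_ns_switch: Optional[int]    # time O changes its own NS set to N's (None: O never does)
    o_stop: Optional[int]         # time O stops answering (None: O never stops)
    horizon: int                  # length of the simulation


@dataclass
class Resolver:
    name: str
    centric: str                  # "parent": keeps the parent's NS set; "child": adopts the child's
    cached_ns: str = "O"          # operator the cached NS set points at
    expires: int = 0              # absolute time that cached NS set expires


def parent_ns(t: int, sc: Scenario) -> str:
    return "N" if t >= sc.parent_switch else "O"


def child_ns(op: str, t: int, sc: Scenario) -> str:
    """NS set served by operator op's copy of the zone at time t."""
    if op == "N" or (sc.o_ns_switch is not None and t >= sc.o_ns_switch):
        return "N"
    return "O"


def answering(op: str, t: int, sc: Scenario) -> bool:
    return op == "N" or sc.o_stop is None or t < sc.o_stop


def lookup(r: Resolver, t: int, sc: Scenario) -> Optional[str]:
    """One query at time t: the operator that answered, or None for a failed lookup."""
    if t >= r.expires:
        # Only an expired NS set sends the resolver back to the parent (Complication #1).
        r.cached_ns, r.expires = parent_ns(t, sc), t + sc.parent_ns_ttl
    op = r.cached_ns
    if not answering(op, t, sc):
        # All cached servers silent: the resolver does not re-ask the parent (Complication #2).
        return None
    if r.centric == "child":
        # Child-centric resolvers re-cache the NS set the zone serves, refreshing the TTL
        # each time, so they stay sticky to O as long as O keeps serving its old NS set.
        r.cached_ns, r.expires = child_ns(op, t, sc), t + sc.child_ns_ttl
    return op


def simulate(sc: Scenario, resolvers: List[Resolver]) -> Dict[str, List[Tuple[int, Optional[str]]]]:
    history: Dict[str, List[Tuple[int, Optional[str]]]] = {r.name: [] for r in resolvers}
    for t in range(sc.horizon):
        for r in resolvers:
            history[r.name].append((t, lookup(r, t, sc)))
    return history


def outages(history) -> Dict[str, List[int]]:
    """Time steps at which each resolver got no answer at all."""
    return {name: [t for t, op in h if op is None] for name, h in history.items()}


def never_reached_new(history) -> List[str]:
    """Resolvers that never once reached N within the horizon."""
    return [name for name, h in history.items() if all(op != "N" for _, op in h)]


def main() -> None:
    # Constructed scenarios: parent NS TTL 24h, child NS TTL 6h.
    # 1. O stops at t=5 but the parent only switches at t=10: every lookup fails until the
    #    cached parent NS set expires at t=24 ("total DNS failure on all lookups").
    early_stop = Scenario(24, 6, parent_switch=10, o_ns_switch=None, o_stop=5, horizon=48)
    print("early stop outage:", outages(simulate(early_stop, [Resolver("pc", "parent")]))["pc"])
    # 2. The script followed: parent switched, O updates its NS set, O stops only after the
    #    longest NS TTL (24) has passed.  Resolvers that cached O's NS just before the switch
    #    still expire at t=20 and migrate without failures.
    by_the_book = Scenario(24, 6, parent_switch=0, o_ns_switch=0, o_stop=30, horizon=48)
    print("by the book outages:", outages(simulate(by_the_book,
          [Resolver("pc", "parent", "O", 20), Resolver("cc", "child", "O", 20)])))
    # 3. O neither changes its NS set nor stops: the child-centric resolver stays sticky forever.
    sticky = Scenario(24, 6, parent_switch=0, o_ns_switch=None, o_stop=None, horizon=100)
    print("never reached N:", never_reached_new(simulate(sticky,
          [Resolver("pc", "parent", "O", 20), Resolver("cc", "child", "O", 20)])))


if __name__ == "__main__":
    main()
```

The model deliberately ignores TTL stretching across the parent/child boundary and per-server failover; it is just enough to show why the slides require the parent change first, the wait for the longest NS TTL second, and the shutdown of O last.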
TTL effects
• How fast operators can be changed is dictated by the TTL on the DNS control plane RRsets!
• In many cases the PARENT-selected TTLs dominate the wait times.
  – Many TLDs have TTLs on NS sets that are in days
DNSSEC operator change
• Assumption:
  – New and Old DNS operators will use different keys to sign data in the zone.
• Goal:
  – Want to avoid both DNS resolution failures and DNSSEC validation errors!!
• Follow the same approach
• During the change resolvers MUST be able to validate signatures by both operators.
• Actually this is Key Rollover and Operator change rolled into one
DNSSEC preconditions
• DS set MUST contain authorization for both operators’ KSKs during the change
• Both DNSKEY RRsets MUST contain ZSKs for both operators during the change.
• New DNSKEY and DS sets MUST be globally visible
  – before the NS set in the parent is changed.
Script: Before DNSSEC operator change
• H contracts with N to operate the zone
• N instantiates a zone,
  – Generates new KSK and ZSK,
    • DNSKEY set includes the ZSK O is using.
  – Provides H with new NS and DS records
• H asks O to add N’s ZSK to its copy of the zone
• H via R adds N’s DS record to the ones for O
• H waits for the new DS and DNSKEY to become globally visible.
  – Max(O’s NS TTL, P’s NS TTL, DS TTL)
Operator Change and after
• H via R changes the NS set to point to N
• H asks O to change its NS set to point to N
  – Optional step
• H waits for old NS’s to expire: max TTL on NS sets
• H asks O to stop service.
• H waits for laggard resolvers to detect the change
• H via R removes DS records for O
• H asks N to remove ZSK records for O
How can the change go wrong?
• O refuses to add N’s ZSK
  – signed Operator Change not possible
  • this behavior complicates things.
• O turns off service before changes in the parent have had time to propagate
  – DNS resolution failures.
• H cannot update DS records
  – Operator Change not possible
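The preconditions, the script and the failure cases above all reduce to one question: for every combination of where a validating resolver got its DS set, its DNSKEY RRset and the zone data, does the chain of trust still close? The following added example (not code from the presentation) models that with constructed key names: each operator publishes a DNSKEY RRset signed by its own KSK and signs zone data with its own ZSK, and a resolver mid-change may hold the DNSKEY RRset from one operator while fetching data from the other. It also carries the slide's Max(O’s NS TTL, P’s NS TTL, DS TTL) wait as a function.

```python
"""Chain-of-trust model for a signed DNS operator change (O = old, N = new).

Added example, not part of the presentation.  Key names are constructed
placeholders; the checks mirror what a validating resolver does:
  DNSKEY RRset must be signed by a KSK that has a DS in the parent, and
  zone data must be signed by a ZSK present in the DNSKEY RRset in use."""
from itertools import product
from typing import Dict, List, Set, Tuple


def zone_state(o_adds_n_zsk: bool = True, n_adds_o_zsk: bool = True) -> Dict[str, dict]:
    """Constructed state of both operators' copies of the zone during the change."""
    return {
        "O": {"ksk": "KSK_O", "zsk": "ZSK_O",
              "dnskeys": {"KSK_O", "ZSK_O"} | ({"ZSK_N"} if o_adds_n_zsk else set())},
        "N": {"ksk": "KSK_N", "zsk": "ZSK_N",
              "dnskeys": {"KSK_N", "ZSK_N"} | ({"ZSK_O"} if n_adds_o_zsk else set())},
    }


def validates(ds_set: Set[str], dnskey_from: str, data_from: str,
              zones: Dict[str, dict]) -> Tuple[bool, str]:
    """A resolver holds the DS set `ds_set`, the DNSKEY RRset fetched from
    `dnskey_from`, and zone data fetched from `data_from`.  Returns (ok, reason)."""
    keyset = zones[dnskey_from]
    if keyset["ksk"] not in ds_set:
        return False, f"DNSKEY RRset from {dnskey_from} is signed by {keyset['ksk']}, which has no DS"
    signer = zones[data_from]["zsk"]
    if signer not in keyset["dnskeys"]:
        return False, f"data from {data_from} is signed by {signer}, absent from {dnskey_from}'s DNSKEY RRset"
    return True, "ok"


def failing_combinations(ds_set: Set[str], zones: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Every (DNSKEY source, data source) pair a resolver can end up with mid-change
    that fails validation.  Empty means the slide's preconditions hold."""
    failures = []
    for k, d in product("ON", repeat=2):
        ok, reason = validates(ds_set, k, d, zones)
        if not ok:
            failures.append((k, d, reason))
    return failures


def ds_visibility_wait(o_ns_ttl: int, parent_ns_ttl: int, ds_ttl: int) -> int:
    """Slide: wait Max(O's NS TTL, P's NS TTL, DS TTL) before the parent NS set is switched."""
    return max(o_ns_ttl, parent_ns_ttl, ds_ttl)


def main() -> None:
    both_ds = {"KSK_O", "KSK_N"}
    print("preconditions met:", failing_combinations(both_ds, zone_state()))
    # H cannot update DS records: only O's DS is in the parent, so anything validated
    # against N's DNSKEY RRset fails -> "Operator Change not possible".
    print("only O's DS:", failing_combinations({"KSK_O"}, zone_state()))
    # O refuses to add N's ZSK: a resolver with O's DNSKEY RRset cached cannot validate
    # data it fetches from N once the NS set has switched.
    print("O refuses N's ZSK:", failing_combinations(both_ds, zone_state(o_adds_n_zsk=False)))
    # After the change: O's DS and O's ZSK removed, and only N's keys remain.
    final = {"N": zone_state(n_adds_o_zsk=False)["N"]}
    print("after cleanup:", validates({"KSK_N"}, "N", "N", final))
    print("wait before NS switch (s):", ds_visibility_wait(3600, 86400, 3600))


if __name__ == "__main__":
    main()
```

The model treats DS and DNSKEY as sets of key names rather than real records, which is enough to see why the slide insists on both DS records and both ZSKs being published, and visible, before the parent NS set moves: every one of the four source combinations is reachable by some resolver during the TTL window.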
Considerations
• H does not wait long enough for old data to expire from the system
  – Some resolvers may experience failures
  • This is H’s choice
• O does not change NS to reflect N
  – Mitigations:
    • O can slave from N and then things work great
    • O can lower the TTL on NS and DNSKEY to force resolvers to forget its NS set.
Now back to the real world
• The previous slides assumed H knew what to do and had the ability to do so.
  – H can give N the authorization to perform its tasks
• When the Registrar is also the DNS Operator
  – Change the DNS Operator first
  – Then change the Registrar
  • ISSUE: H not able to insert new DS records before the change.
Registry DNSSEC requirements
• Sign zone and process updates in near real-time.
• Accept DS records via EPP
  – Accept more than one DS record per delegation
    • Org allows 12
  • Rollovers work better if DS is published before the change
  – Optional: accept DNSKEY records and generate DS records
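The optional registry feature above, generating DS records from submitted DNSKEY records, is the RFC 4034 DS construction: the key tag is computed over the DNSKEY RDATA and the digest over the canonical owner name followed by that RDATA. The added example below (not code from the presentation or from any registry) implements both, plus the matching check a registry or registrar can run before publishing a DS, so that the DS set really does "contain authorization" for the KSK it is meant to cover. The key bytes and owner name are constructed.

```python
"""Deriving and checking DS records from DNSKEY records (RFC 4034 key tag and digest).

Added example, not part of the presentation.  Owner names and key material
below are constructed placeholders."""
import hashlib
import struct
from typing import Dict, List

# DS digest type numbers: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, algorithm: int, pubkey: bytes,
                   digest_type: int = 2) -> Dict[str, object]:
    """DS RDATA fields a registry would publish for this DNSKEY: digest is over
    canonical owner name || DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, 3, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_presentation(owner: str, ds: Dict[str, object], ttl: int = 86400) -> str:
    return f"{owner} {ttl} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def ds_matches(ds: Dict[str, object], owner: str, flags: int, algorithm: int, pubkey: bytes) -> bool:
    """Does a DS record (e.g. one received via EPP) authorize this DNSKEY?"""
    return ds == ds_from_dnskey(owner, flags, algorithm, pubkey, int(ds["digest_type"]))


def unmatched_ds(ds_set: List[Dict[str, object]], owner: str, kskss: List[tuple]) -> List[Dict[str, object]]:
    """DS records in the parent that match none of the given (flags, algorithm, pubkey) KSKs;
    during an operator change this should be empty for both O's and N's KSK."""
    return [ds for ds in ds_set if not any(ds_matches(ds, owner, *k) for k in kskss)]


def main() -> None:
    owner = "example.org."                       # constructed zone name
    ksk_o = (257, 8, bytes(range(1, 33)))        # constructed KSK of the old operator (flags 257 = SEP)
    ksk_n = (257, 8, bytes(range(101, 133)))     # constructed KSK of the new operator
    ds_set = [ds_from_dnskey(owner, *ksk_o), ds_from_dnskey(owner, *ksk_n)]
    for ds in ds_set:
        print(ds_presentation(owner, ds))
    print("unmatched DS:", unmatched_ds(ds_set, owner, [ksk_o, ksk_n]))


if __name__ == "__main__":
    main()
```

A registry that accepts DNSKEY records and derives DS records itself removes one place where a registrar interface can mangle a digest; a registry that accepts DS records directly should at least run the `ds_matches` check against the DNSKEY RRset actually served by both operators before the NS set is switched.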
Requirements for Registrars: DNSSEC Signed Domains
• Registrars must support DNSSEC EPP extensions
• Interfaces must be updated to accept DS records
  – add + delete operations
  – Optional: accept DNSKEY records
• Separate account for Technical Contact
  – Can only change NS and DS records
Requirements for DNS operators
• MUST accept DNSKEY record from domain holder
• Should change NS when asked
• MUST turn off service when asked, but not before.
DNSSEC Transfer Testing for ORG
• As a demonstration that it is possible to change DNS operators and Registrars, we have worked with .org and two registrars
  – NamesBeyond
  – DynDNS
• For each registrar there are up to 13 tests where it is the original registrar
• There are up to 4 tests where it is the destination registrar.
Testing sheet
[Figure: testing sheet (not captured in the transcript)]
Testing sheet (cont)
[Figure: testing sheet, continued (not captured in the transcript)]
Testing Results
• Registrar interfaces needed fixing
  – All minor issues
• Most of the testing performed by outsiders (us)
• Time to perform tests dominated by ORG’s TTL of 1 day
• Actual tests in progress.
DNSSEC Registrar Considerations
• Registrar that operates ONLY as registrar for a domain
  – Needs to update UI and EPP with parents
    • Add/delete DS/DNSKEY
Bundled DNSSEC Registrar considerations
• Registrar that operates DNS as a value-added service
• Needs to understand the extra requirements that being a DNSSEC operator means
• Must accept new DNSKEY records from the domain holder
  – Transfer policies: ?
  – Block Transfers until after DNS operation has been transferred.
  – Operate DNS service for a grace period after Transfer
  – Other
Registry Policy Questions
• When can a DNSSEC domain be transferred?
  – Between DNSSEC-capable registrars?
• How many DS records are allowed?
• Will the registry lower TTLs upon demand?
• What certification testing is required for DNSSEC registrars?
• Does the registry accept DS and/or DNSKEY records?
Conclusions
• “All at once” DNSSEC Transfer is impossible
• With “DNS first, Registration second” Transfer is: