DS record associated with the zone. When 3rd party DNS providers generate the key(s) and sign the zone, there is no well-defined path for providing the DS record to the registry. (Some ccTLDs are implementing RFC 8078.)
2. If multiple 3rd party DNS providers are serving the same zone, each signing with its own key, each of them needs to include the ZSKs (or CSKs) of the other providers. "Multi-Signer DNSSEC Models" defines the general scheme, but there is no well-defined protocol for coordinating the cross-signing process between the providers.

6 February 2020
• Authoritative DNS Provider
• (Secondary DNS Provider)

Functions
• Zone Management
• Keygen & Signing
• Zone Publishing
• Communication of DS/KSK records
• Coordination of Cross-Signing
CSK) is rolled, the registry gets the revised DS record.
• Several methods are possible, based on three attributes:
  • Push vs Pull: the zone manager can push it upward, or one of the higher entities can poll for it.
  • The higher entity may be the Registrant, the Registrar or the Registry.
  • The data conveyed may be the DS record, the KSK, or both.
• Possible work: including 3rd party operators in the RRR system (formally designating them; using delegated authorization schemes ..)
Options for communicating ZSKs

1. DNS Providers cooperate
   1. New DNS records with names of sibling providers
   2. New Contacts in DNS Registration with names of sibling providers
2. Registrant coordinates, either
   2a. by itself, or
   2b. through a new service.

(Figure: KeyGen/Signing and Publication, with the options above marked 1, 2, 2a and 2b.)
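As an added example (not from the slides), the two checks the preceding slides call for, in Python with constructed key bytes that are not real key material: the DS record the registry needs is a SHA-256 digest over the zone name and the KSK's DNSKEY RDATA (RFC 4034), which is why either the DS or the KSK can be conveyed upward; and in the multi-signer case each provider's DNSKEY RRset must carry the sibling providers' ZSKs. The provider names, zone and key bytes are assumptions made for the example.

```python
import hashlib
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKEY:
    """One DNSKEY RR (protocol is always 3): flags 256 = ZSK, 257 = KSK/CSK (SEP bit set)."""
    flags: int
    algorithm: int
    pubkey: bytes
    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, 3, self.algorithm) + self.pubkey
    def is_ksk(self) -> bool:
        return bool(self.flags & 1)

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root-terminated."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(key.rdata()))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(zone: str, key: DNSKEY) -> tuple:
    """DS RDATA (key tag, algorithm, digest type 2 = SHA-256, hex digest), RFC 4034 section 5.1.4."""
    digest = hashlib.sha256(owner_wire(zone) + key.rdata()).hexdigest()
    return key_tag(key), key.algorithm, 2, digest

def zsk_gaps(rrsets: dict) -> dict:
    """Per provider: key tags of sibling providers' ZSKs missing from its own DNSKEY RRset."""
    gaps = {}
    for name, rrset in rrsets.items():
        siblings = {k for o, s in rrsets.items() if o != name for k in s if not k.is_ksk()}
        if siblings - rrset:
            gaps[name] = {key_tag(k) for k in siblings - rrset}
    return gaps

def ksks_without_ds(zone: str, parent_ds: set, rrsets: dict) -> set:
    """Key tags of any provider's KSK that the parent's DS RRset does not yet cover."""
    return {key_tag(k) for s in rrsets.values() for k in s
            if k.is_ksk() and ds_record(zone, k) not in parent_ds}

# Constructed example (not real key material): two providers serving example.com.
ZONE = "example.com."
A_KSK, A_ZSK = DNSKEY(257, 13, b"\x01\x02"), DNSKEY(256, 13, b"\x03\x04")
B_KSK, B_ZSK = DNSKEY(257, 13, b"\x05\x06"), DNSKEY(256, 13, b"\x07\x08")
RRSETS = {"providerA": {A_KSK, A_ZSK, B_ZSK},  # A has imported B's ZSK
          "providerB": {B_KSK, B_ZSK}}         # B has not yet imported A's ZSK
PARENT_DS = {ds_record(ZONE, A_KSK)}           # only A's DS has been communicated upward
```

Running `zsk_gaps(RRSETS)` reports providerB as missing A's ZSK, and `ksks_without_ds(ZONE, PARENT_DS, RRSETS)` reports B's KSK as the one whose DS the registry still lacks.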
Mailing list (send mail to [email protected])
Looking for a few more DNS providers and registrars.
Note: there will be a DNSSEC Provisioning panel discussion at ICANN67 in Cancun next month (11 March 2020).
Who does what, by deployment model (cells listed left to right across the columns Registrar Provides DNS Service, Registrant Provides DNS Service, Single Outsourced DNS, Multiple Outsourced DNS):
• Registry: DS pull
• Registrar: ZM, KG, Pub, DS
• Registrant: ZM, KG, Pub, DS / ZM / ZM, CCS, DS pull
• DNS Provider(s): KG, Pub / KG, Pub

ZM = Zone Management
KG = Key Generation and Signing
CCS = Coordination of Cross-signing
Pub = Publication
• DS pull = DS record is pulled (by polling) from Publisher
• DS push = DS record is pushed upward via the Registrar
• (DS pull) indicates a possibility with no known examples
• DS pull/push? indicates uncertainty whether this is possible
(Figures: a sequence of diagrams of Registry, Registrar, Registrant, DNS provider and Additional DNS providers, highlighting in turn which party performs Zone Management (ZM), Coordination of Cross-Signing (CCS), Key Generation and Signing (KG) and Publication (Pub), and which party receives the DS (push) or gets the DS (pull).)