DOI: 10.1145/3355369.3355570
research-article

Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover

Online: 21 October 2019

ABSTRACT

The DNS Security Extensions (DNSSEC) add authenticity and integrity to the naming system of the Internet. Resolvers that validate information in the DNS need to know the cryptographic public key used to sign the root zone of the DNS. Eight years after its introduction and one year after the originally scheduled date, this key was replaced by ICANN for the first time in October 2018. ICANN considered this event, called a rollover, "an overwhelming success" and during the rollover they detected "no significant outages".

In this paper, we independently follow the process of the rollover starting from the events that led to its postponement in 2017 until the removal of the old key in 2019. We collected data from multiple vantage points in the DNS ecosystem for the entire duration of the rollover process. Using this data, we study key events of the rollover. These events include telemetry signals that led to the rollover being postponed, a near real-time view of the actual rollover in resolvers and a significant increase in queries to the root of the DNS once the old key was revoked. Our analysis contributes significantly to identifying the causes of challenges observed during the rollover. We show that while from an end-user perspective, the roll indeed passed without major problems, there are many opportunities for improvement and important lessons to be learned from events that occurred over the entire duration of the rollover. Based on these lessons, we propose improvements to the process for future rollovers.
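The "telemetry signals" the abstract refers to are the RFC 8145 key-tag signaling queries that validating resolvers send to the root, which let root operators count resolvers that still trusted only the old KSK. The block below is an added illustration, not code from the paper or its data sets: it computes DNSSEC key tags with the RFC 4034 Appendix B algorithm, builds the RFC 8145 `_ta-<hex>[-<hex>]` query name from a resolver's trust anchors, and classifies constructed root-query log lines (format `<timestamp> <client-ip> <qname> <qtype>`, an assumption) into resolvers that were ready for the roll and resolvers that were not. The two root KSK key tags (19036 and 20326) are the real ones; the DNSKEY RDATA and the log lines are constructed sample data.

```python
"""DNSSEC key tags and RFC 8145 trust-anchor signaling (added example).

Key-tag algorithm: RFC 4034 Appendix B.  Signaling QNAME: RFC 8145.
The DNSKEY RDATA and the query-log lines are constructed, not real data.
"""
import re
from collections import Counter

# Key tags of the two root KSKs involved in the 2018 rollover.
KSK_2010 = 19036  # 0x4a5c, the key that was retired
KSK_2017 = 20326  # 0x4f66, the key rolled in on 11 October 2018


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA
    (flags, protocol, algorithm, public key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA; the protocol field is always 3 for DNSSEC."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key


def signaling_qname(trust_anchor_tags) -> str:
    """RFC 8145 signaling name a validating resolver sends to the root for
    its configured root trust anchors: four lowercase hex digits per key
    tag, ascending, hyphen separated."""
    tags = "-".join(f"{t:04x}" for t in sorted(set(trust_anchor_tags)))
    return f"_ta-{tags}."


_TA_RE = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.$")


def parse_signal(qname: str):
    """Return the set of key tags carried by an RFC 8145 QNAME, or None
    if the name is not a signaling query."""
    m = _TA_RE.match(qname.lower())
    if not m:
        return None
    return {int(h, 16) for h in m.group(1).split("-")}


def classify(tags) -> str:
    """What a signaling query tells a root operator about the resolver."""
    if KSK_2017 in tags:
        return "ready"    # knows the new KSK; keeps validating after the roll
    if KSK_2010 in tags:
        return "stale"    # only the old KSK; validation fails after the roll
    return "unknown"      # signals some other trust-anchor set


def telemetry(log_lines):
    """Count resolvers per readiness class over query-log lines of the
    (assumed) form '<timestamp> <client-ip> <qname> <qtype>'.  Each client
    is counted once, by the most recent signal it sent."""
    latest = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, _ = parts
        tags = parse_signal(qname)
        if tags is not None:
            latest[client] = classify(tags)
    return Counter(latest.values())


# Constructed sample root-server query log (documentation addresses, not real data).
SAMPLE_LOG = """\
2017-09-20T12:00:01Z 192.0.2.10 _ta-4a5c. A
2017-09-20T12:00:02Z 198.51.100.7 _ta-4a5c-4f66. A
2017-09-20T12:00:03Z 203.0.113.3 _ta-4f66. A
2017-09-20T12:00:04Z 192.0.2.11 example. A
2017-09-20T12:00:05Z 192.0.2.10 _ta-4a5c-4f66. A
2017-09-20T12:00:06Z 203.0.113.9 _ta-4a5c. A
""".splitlines()

if __name__ == "__main__":
    # Resolvers in the "stale" class are the population whose size led
    # ICANN to postpone the roll in 2017.
    print(telemetry(SAMPLE_LOG))
```

A resolver running RFC 5011 automated updates should move from `stale` to `ready` on its own once the new key has been published long enough; a resolver that stays `stale` up to the roll date is one whose trust anchor was pinned by hand, or whose software never learned the new key, and it is exactly what the signaling data is meant to surface before the switch.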


Published in

    IMC '19: Proceedings of the Internet Measurement Conference
    October 2019
    497 pages
    ISBN: 9781450369480
    DOI: 10.1145/3355369

    Copyright © 2019 ACM

    Publisher: Association for Computing Machinery, New York, NY, United States

    Publication History

    • Published: 21 October 2019

    Qualifiers

    • research-article
    • Research
    • Refereed limited

    Acceptance Rates

    IMC '19 Paper Acceptance Rate 39 of 197 submissions, 20%
    Overall Acceptance Rate 156 of 625 submissions, 25%

