Beruflich Dokumente
Kultur Dokumente
5 Sep 2017
|1
What is DNSSEC?
|2
Chain of Trust
¤ Q: If a zone publishes its public key, how can you trust it?
¤ A: The parent zone uses its private key to sign the child
Root Trust Anchor
zone’s public key.
¤ This process goes all the way to the DNS root zone.
Example:
The Root
¤ WWW.EXAMPLE.COM is signed with EXAMPLE.COM’s
private key
¤ EXAMPLE.COM’s public key signed with COM’s private key
COM
¤ COM’s public key signed by the root’s private key
¤ The root’s public key is not signed by anyone: we need to
EXAMPLE.COM
just trust it
¤ The root zone’s public key is called the root trust anchor
¤ To validate WWW.EXAMPLE.COM’s DNS data, we build a
chain of trust from EXAMPLE.COM’s public key to COM’s
www.example.com
public key to the root’s public key.
¤ And the root’s public key is distributed with every validating
resolver.
|3
Root Zone KSK
|5
Why Resolver Operators Need to Prepare
¤ If these validating resolvers have not configured the new root zone
KSK when the new KSK is put into use on 11 October 2017, end
users relying on those resolvers will encounter errors and be
unable to look up any name on the Internet.
|6
How Do Resolver Operators Update Their Trust Anchor?
|7
Check to See If Your Systems Are Ready
|8
Three Steps to Recovery
Debug
If the problem is the trust anchor, find out why it isn’t correct
o Did RFC 5011 fail? Did configuration tools fail to update the
trust anchor (was the configuration file writable or was the
disk full)?
Re-enable DNSSEC
✔ If you turned it off
|9
For More Information
1 Visit https://icann.org/kskroll
2 Join the conversation online
o Use the hashtag #KeyRoll
o Sign up to the mailing list
https://mm.icann.org/listinfo/ksk-rollover
3 Ask a question to globalsupport@icann.org
o Subject line: “KSK Rollover”
4 Attend an event
o Visit https://features.icann.org/calendar to find
upcoming KSK rollover presentations in your region
| 10