DNSSEC Root Key Rollover Redux
The Internet Corporation for Assigned Names and Numbers (ICANN) just published their review of the recent domain name system (DNS) root zone key rollover. The rollover occurred on October 11, 2018. Please read my prior post for background on DNSSEC and role of the root zone key.
ICANN's summary report concludes that the rollover was indeed an "overwhelming success" given the very small number of disruptions detected during the rollover process. The report provides a logical and thorough timeline of the planning leading up to and encompassing the rollover. The report also highlighted several observations of the rollover process, summarized following:
ICANN's summary report concludes that the rollover was indeed an "overwhelming success" given the very small number of disruptions detected during the rollover process. The report provides a logical and thorough timeline of the planning leading up to and encompassing the rollover. The report also highlighted several observations of the rollover process, summarized following:
- The vast diversity of resolver software implementations and configurations on the global Internet renders impossible the ability to predict general resolver behavior leading up to and during a rollover. And the lack of measurement capability prevents assured readiness assessment for major DNS changes. So ICANN and the DNS technical community at large was pleasantly surprised with the relatively tiny level of DNS disruptions due to the rollover and subsequent revocation of the prior key in January, 2019.
- Given the design principle recommending longer keys (2048 bits in this case) for key signing keys, there was concern that the DNSKEY resource record set would exceed packet transmission sizing and necessitate DNS packet fragmentation. This concern was largely unfounded.
- Signalling trust anchor knowledge tactics specified in RFC 8145 proved minimally useful.
- Some resolver operators are not well versed on DNSSEC configuration specifics, so operator surveys proved unreliable.
- Resolver vendors on the other hand proved knowledgeable and responsive in addressing detected issues.
- The lengthy rollover process between announcement of the rollover and its execution reduced the sense of urgency on the process and ICANN communiques related to the process.
- While ICANN utilized various forms of outreach to inform the Internet community of the forthcoming rollover, the lack of feedback on each mode makes it difficult to measure effectiveness of each approach.
- The ICANN testbed was not helpful in helping users understand and test the impact of the rollover.
The bottom line is that DNSSEC key singing key rollover was incredibly successful, for which all in the ICANN and the Internet community, the DNS community in particular deserve hearty congratulations. Observations from this inaugural rollover will serve to improve the process for the next rollover. Please read the full report for full details.
Comments
Post a Comment