Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover

Moritz Müller; Matthew Thomas; Duane Wessels; Wes Hardaker; Taejoong Chung; Willem Toorop; Roland van Rijswijk-Deij

doi:10.1145/3355369.3355570

Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover

Moritz Müller, Matthew Thomas, Duane Wessels, Wes Hardaker, Taejoong Chung, Willem Toorop, Roland van Rijswijk-Deij

Design and Analysis of Communication Systems

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

5 Citations (Scopus)

33 Downloads (Pure)

Abstract

The DNS Security Extensions (DNSSEC) add authenticity and integrity to the naming system of the Internet. Resolvers that validate information in the DNS need to know the cryptographic public key used to sign the root zone of the DNS. Eight years after its introduction and one year after the originally scheduled date, this key was replaced by ICANN for the first time in October 2018. ICANN considered this event, called a rollover, "an overwhelming success" and during the rollover they detected "no significant outages".

In this paper, we independently follow the process of the rollover starting from the events that led to its postponement in 2017 until the removal of the old key in 2019. We collected data from multiple vantage points in the DNS ecosystem for the entire duration of the rollover process. Using this data, we study key events of the rollover. These events include telemetry signals that led to the rollover being postponed, a near real-time view of the actual rollover in resolvers and a significant increase in queries to the root of the DNS once the old key was revoked. Our analysis contributes significantly to identifying the causes of challenges observed during the rollover. We show that while from an end-user perspective, the roll indeed passed without major problems, there are many opportunities for improvement and important lessons to be learned from events that occurred over the entire duration of the rollover. Based on these lessons, we propose improvements to the process for future rollovers.

Original language	English
Title of host publication	IMC '19
Subtitle of host publication	Proceedings of the Internet Measurement Conference
Publisher	Association for Computing Machinery
Pages	1-14
Number of pages	14
ISBN (Electronic)	9781450369480
ISBN (Print)	978-1-4503-6948-0
DOIs	https://doi.org/10.1145/3355369.3355570
Publication status	Published - 21 Oct 2019
Event	Internet Measurement Conference, IMC 2019 - Koninklijk Instituut voor de Tropen, Amsterdam, Netherlands Duration: 21 Oct 2019 → 23 Oct 2019 https://conferences.sigcomm.org/imc/2019/

Conference

Conference	Internet Measurement Conference, IMC 2019
Abbreviated title	IMC
Country/Territory	Netherlands
City	Amsterdam
Period	21/10/19 → 23/10/19
Internet address	https://conferences.sigcomm.org/imc/2019/

Keywords

Cybersecurity

Access to Document

10.1145/3355369.3355570

Distinguished Paper Award
Muller, M. C. (Recipient), Thomas, M. (Recipient), Wessels, D. (Recipient), Hardaker, W. (Recipient), Chung, T. (Recipient), Toorop, W. (Recipient) & van Rijswijk - Deij, R. M. (Recipient), 21 Oct 2019
Prize

Cite this

@inproceedings{4f4e6b94e95444dd8c4870f509be62d4,

title = "Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover",

abstract = "The DNS Security Extensions (DNSSEC) add authenticity and integrity to the naming system of the Internet. Resolvers that validate information in the DNS need to know the cryptographic public key used to sign the root zone of the DNS. Eight years after its introduction and one year after the originally scheduled date, this key was replaced by ICANN for the first time in October 2018. ICANN considered this event, called a rollover, {"}an overwhelming success{"} and during the rollover they detected {"}no significant outages{"}.In this paper, we independently follow the process of the rollover starting from the events that led to its postponement in 2017 until the removal of the old key in 2019. We collected data from multiple vantage points in the DNS ecosystem for the entire duration of the rollover process. Using this data, we study key events of the rollover. These events include telemetry signals that led to the rollover being postponed, a near real-time view of the actual rollover in resolvers and a significant increase in queries to the root of the DNS once the old key was revoked. Our analysis contributes significantly to identifying the causes of challenges observed during the rollover. We show that while from an end-user perspective, the roll indeed passed without major problems, there are many opportunities for improvement and important lessons to be learned from events that occurred over the entire duration of the rollover. Based on these lessons, we propose improvements to the process for future rollovers.",

keywords = "Cybersecurity",

author = "Moritz M{\"u}ller and Matthew Thomas and Duane Wessels and Wes Hardaker and Taejoong Chung and Willem Toorop and Rijswijk-Deij, {Roland van}",

year = "2019",

month = oct,

day = "21",

doi = "10.1145/3355369.3355570",

language = "English",

isbn = "978-1-4503-6948-0",

pages = "1--14",

booktitle = "IMC '19",

publisher = "Association for Computing Machinery",

address = "United States",

note = "Internet Measurement Conference, IMC 2019, IMC ; Conference date: 21-10-2019 Through 23-10-2019",

url = "https://conferences.sigcomm.org/imc/2019/",

}

Müller, M, Thomas, M, Wessels, D, Hardaker, W, Chung, T, Toorop, W & Rijswijk-Deij, RV 2019, Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover. in IMC '19: Proceedings of the Internet Measurement Conference. Association for Computing Machinery, pp. 1-14, Internet Measurement Conference, IMC 2019, Amsterdam, Netherlands, 21/10/19. https://doi.org/10.1145/3355369.3355570

Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover. / Müller, Moritz; Thomas, Matthew; Wessels, Duane et al.
IMC '19: Proceedings of the Internet Measurement Conference. Association for Computing Machinery, 2019. p. 1-14.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Roll, Roll, Roll your Root

T2 - Internet Measurement Conference, IMC 2019

AU - Müller, Moritz

AU - Thomas, Matthew

AU - Wessels, Duane

AU - Hardaker, Wes

AU - Chung, Taejoong

AU - Toorop, Willem

AU - Rijswijk-Deij, Roland van

PY - 2019/10/21

Y1 - 2019/10/21

N2 - The DNS Security Extensions (DNSSEC) add authenticity and integrity to the naming system of the Internet. Resolvers that validate information in the DNS need to know the cryptographic public key used to sign the root zone of the DNS. Eight years after its introduction and one year after the originally scheduled date, this key was replaced by ICANN for the first time in October 2018. ICANN considered this event, called a rollover, "an overwhelming success" and during the rollover they detected "no significant outages".In this paper, we independently follow the process of the rollover starting from the events that led to its postponement in 2017 until the removal of the old key in 2019. We collected data from multiple vantage points in the DNS ecosystem for the entire duration of the rollover process. Using this data, we study key events of the rollover. These events include telemetry signals that led to the rollover being postponed, a near real-time view of the actual rollover in resolvers and a significant increase in queries to the root of the DNS once the old key was revoked. Our analysis contributes significantly to identifying the causes of challenges observed during the rollover. We show that while from an end-user perspective, the roll indeed passed without major problems, there are many opportunities for improvement and important lessons to be learned from events that occurred over the entire duration of the rollover. Based on these lessons, we propose improvements to the process for future rollovers.

AB - The DNS Security Extensions (DNSSEC) add authenticity and integrity to the naming system of the Internet. Resolvers that validate information in the DNS need to know the cryptographic public key used to sign the root zone of the DNS. Eight years after its introduction and one year after the originally scheduled date, this key was replaced by ICANN for the first time in October 2018. ICANN considered this event, called a rollover, "an overwhelming success" and during the rollover they detected "no significant outages".In this paper, we independently follow the process of the rollover starting from the events that led to its postponement in 2017 until the removal of the old key in 2019. We collected data from multiple vantage points in the DNS ecosystem for the entire duration of the rollover process. Using this data, we study key events of the rollover. These events include telemetry signals that led to the rollover being postponed, a near real-time view of the actual rollover in resolvers and a significant increase in queries to the root of the DNS once the old key was revoked. Our analysis contributes significantly to identifying the causes of challenges observed during the rollover. We show that while from an end-user perspective, the roll indeed passed without major problems, there are many opportunities for improvement and important lessons to be learned from events that occurred over the entire duration of the rollover. Based on these lessons, we propose improvements to the process for future rollovers.

KW - Cybersecurity

U2 - 10.1145/3355369.3355570

DO - 10.1145/3355369.3355570

M3 - Conference contribution

SN - 978-1-4503-6948-0

SP - 1

EP - 14

BT - IMC '19

PB - Association for Computing Machinery

Y2 - 21 October 2019 through 23 October 2019

ER -

Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover

Abstract

Conference

Keywords

Access to Document

Fingerprint

Prizes

Distinguished Paper Award

Cite this