The Root Canary: Monitoring and Measuring the DNSSEC Root Key Rollover

R. van Rijswijk-Deij, T. Chung, D. Choffnes, A. Mislove, W. Toorop

Research output: Contribution to conference, Paper, Academic, peer-review

Abstract

The Domain Name System (DNS) is part of the core of the Internet. Over the past decade, much-needed security features were added to this protocol, with the introduction of the DNS Security Extensions. DNSSEC adds authenticity and integrity to the protocol using digital signatures, and turns the DNS into a public key infrastructure (PKI). At the top of this PKI is a single key, the so-called Key Signing Key (KSK) for the DNS root. The current Root KSK was introduced in 2010, and has not changed since. This year, the Root KSK will be replaced for the first time ever. This event potentially has a major impact on the Internet. Thousands of DNS resolvers worldwide rely on this key to validate DNSSEC signatures, and must start using the new key, either through an automated process, or manual intervention. Failure to pick up the new key will result in resolvers becoming completely unavailable to end users. This work presents the “Root Canary”, a system to monitor and measure this event from the perspective of validating DNS resolvers for its entire nine-month duration. The system combines three active measurement platforms to have the broadest possible coverage of validating resolvers. Results will be presented in near real-time, to allow the global DNS community to act if problems arise. Furthermore, after the Root KSK rollover concludes in March 2018, we will use the recorded datasets for an in-depth analysis, from which the Internet community can draw lessons for future key rollovers.
Original language: English
Pages: 63-64
DOI: https://doi.org/10.1145/3123878.3131987
Publication status: Published - 22 Aug 2017
Event: Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017 - Los Angeles, United States
Duration: 21 Aug 2017 to 25 Aug 2017
https://conferences.sigcomm.org/sigcomm/2017/

Conference

Conference: Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017
Abbreviated title: ACM SIGCOMM
Country: United States
City: Los Angeles
Period: 21/08/17 to 25/08/17
Internet address: https://conferences.sigcomm.org/sigcomm/2017/

Fingerprint

Internet
Monitoring
Network protocols
Electronic document identification systems
Security systems

Keywords

  • DNS
  • DNSSEC
  • Active measurements
  • Internet stability

Cite this

van Rijswijk-Deij, R., Chung, T., Choffnes, D., Mislove, A., & Toorop, W. (2017). The Root Canary: Monitoring and Measuring the DNSSEC Root Key Rollover. 63-64. Paper presented at Annual Conference of the ACM Special Interest Group on Data Communication, ACM SIGCOMM 2017, Los Angeles, United States. https://doi.org/10.1145/3123878.3131987