DOI: 10.1145/3355369.3355570

Roll, Roll, Roll your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover

Published: 21 October 2019

Abstract

The DNS Security Extensions (DNSSEC) add authenticity and integrity to the naming system of the Internet. Resolvers that validate DNS responses need to know the public key used to sign the root zone, the root Key Signing Key (KSK), which they hold as a trust anchor. Eight years after its introduction, and one year after the originally scheduled date, this key was replaced by ICANN for the first time in October 2018. ICANN considered this event, called a rollover, "an overwhelming success" and detected "no significant outages" during it.
In this paper, we independently follow the rollover process, from the events that led to its postponement in 2017 to the removal of the old key in 2019. We collected data from multiple vantage points in the DNS ecosystem for the entire duration of the rollover process and use it to study the key events of the rollover: the telemetry signals that led to the rollover being postponed, a near-real-time view of the actual rollover in resolvers, and a significant increase in queries to the root of the DNS once the old key was revoked. Our analysis contributes significantly to identifying the causes of the challenges observed during the rollover. We show that, while from an end-user perspective the roll indeed passed without major problems, there are many opportunities for improvement and important lessons to be learned from events that occurred over the entire duration of the rollover. Based on these lessons, we propose improvements to the process for future rollovers.
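The mechanics behind the events in the abstract are two standardised pieces of resolver behaviour: the RFC 5011 trust-anchor state machine (a newly published KSK sits in an add-pending state for a 30-day hold-down before it becomes trusted, and a KSK that carries the REVOKE flag and signs its own revocation is dropped, then forgotten after a further 30-day hold-down) and the RFC 8145 key-tag signal, the `_ta-<hex key tags>` query that resolvers send to the root and that served as the telemetry mentioned above. The following Python model is added here as an example; it is not code from the paper or from any production resolver. It replays the rollover phases through that state machine and shows the signal a root server sees at each step. It assumes the real root KSK key tags from ICANN's public record (19036 for KSK-2010, 20326 for KSK-2017), uses constructed day offsets rather than the actual 2017-2019 dates, treats RRSIG validation as already done by the caller, ignores RFC 5011's active-refresh timing, and keeps a revoked key's tag unchanged even though a real DNSKEY's tag changes when its flags change.

```python
"""Resolver-side model of a root KSK rollover: the RFC 5011 trust-anchor state
machine that adds, holds down and revokes anchors, plus the RFC 8145 key-tag
signal that reports which anchors a resolver holds.  Added example, not code
from the paper or any resolver: RRSIG validation is assumed done by the caller,
active-refresh timing is ignored, and a revoked key keeps its key tag here (a
real DNSKEY's tag changes with the REVOKE flag, since the tag covers the RDATA)."""
from dataclasses import dataclass, field

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 add hold-down: AddPend -> Valid after 30 days
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 remove hold-down: Revoked -> Removed after 30 days
REVOKE_BIT = 0x0080          # RFC 5011 REVOKE flag in the 16-bit DNSKEY flags field
KSK_FLAGS = 0x0101           # ZONE (0x0100) | SEP (0x0001)
KSK_2010, KSK_2017 = 19036, 20326  # root KSK key tags from ICANN's public record


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    flags: int = KSK_FLAGS

    @property
    def revoked(self) -> bool:
        return bool(self.flags & REVOKE_BIT)


@dataclass
class TrustAnchorStore:
    valid: set = field(default_factory=set)       # key tags in state Valid
    add_pend: dict = field(default_factory=dict)  # key tag -> time first seen
    revoked: dict = field(default_factory=dict)   # key tag -> time revocation seen

    def observe(self, now: int, rrset: list, signers: set) -> None:
        """Process one root DNSKEY RRset; `signers` holds the key tags whose
        RRSIG over this RRset verified (assumed checked by the caller)."""
        if not signers & self.valid:  # RFC 5011: only RRsets signed by a trusted key count
            return
        present = {k.key_tag for k in rrset}
        for key in rrset:
            tag = key.key_tag
            if key.revoked:
                # A revocation counts only if the revoked key signs its own RRset.
                if tag in self.valid and tag in signers:
                    self.valid.discard(tag)
                    self.revoked.setdefault(tag, now)
            elif tag not in self.valid and tag not in self.revoked:
                first_seen = self.add_pend.setdefault(tag, now)  # enter AddPend
                if now - first_seen >= ADD_HOLD_DOWN:            # AddPend -> Valid
                    self.valid.add(tag)
                    del self.add_pend[tag]
        # A pending key missing from a validly signed RRset restarts its hold-down.
        for tag in list(self.add_pend):
            if tag not in present:
                del self.add_pend[tag]
        # Revoked keys are forgotten once the remove hold-down has elapsed.
        for tag, seen in list(self.revoked.items()):
            if now - seen >= REMOVE_HOLD_DOWN:
                del self.revoked[tag]

    def ta_signal_qname(self) -> str:
        """RFC 8145 key-tag query: '_ta-' plus the Valid key tags as four lowercase
        hex digits each, in ascending order, sent as a QTYPE NULL query to the root."""
        return "_ta-" + "-".join(f"{t:04x}" for t in sorted(self.valid)) + "."


def parse_ta_signal(qname: str) -> list:
    """Root-server side: recover the key tags a resolver reports as trusted."""
    label = qname.rstrip(".").split(".")[0]
    if not label.startswith("_ta-"):
        raise ValueError(f"not an RFC 8145 signal: {qname}")
    return [int(h, 16) for h in label[4:].split("-")]


def simulate_rollover() -> list:
    """Replay the rollover phases with constructed day offsets; returns the
    (phase, signal QNAME) pairs a root server would see from this resolver."""
    store = TrustAnchorStore(valid={KSK_2010})
    old, new = DNSKEY(KSK_2010), DNSKEY(KSK_2017)
    old_revoked = DNSKEY(KSK_2010, KSK_FLAGS | REVOKE_BIT)
    trace = [("start", store.ta_signal_qname())]
    # Phase 1: new KSK published next to the old one; RRset signed by the old only.
    for day in (0, 10, 20):
        store.observe(day * DAY, [old, new], signers={KSK_2010})
    trace.append(("new key pending", store.ta_signal_qname()))
    store.observe(31 * DAY, [old, new], signers={KSK_2010})
    trace.append(("new key valid", store.ta_signal_qname()))
    # Phase 2: the roll itself; the RRset is now signed by the new KSK.
    store.observe(40 * DAY, [old, new], signers={KSK_2017})
    trace.append(("rolled", store.ta_signal_qname()))
    # Phase 3: old KSK published with REVOKE set and self-signed, then withdrawn.
    store.observe(130 * DAY, [old_revoked, new], signers={KSK_2010, KSK_2017})
    trace.append(("old key revoked", store.ta_signal_qname()))
    store.observe(161 * DAY, [new], signers={KSK_2017})
    trace.append(("old key removed", store.ta_signal_qname()))
    return trace
```

Running `simulate_rollover()` walks the signal from `_ta-4a5c.` (only KSK-2010 trusted) through `_ta-4a5c-4f66.` (both keys trusted, the state a resolver must reach before the roll) to `_ta-4f66.` after revocation. Under RFC 8145 semantics, a resolver that keeps reporting only `_ta-4a5c.` long after the new key has been published for more than the add hold-down is one whose trust anchor has not updated, which is why counting these labels on the root side is useful; `parse_ta_signal` is the receiving end of that count. The model also shows the failure modes the protocol guards against: an RRset not signed by a trusted key is ignored, a pending key that disappears has its hold-down restarted, and a revoked key is only dropped when it signs its own revocation.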



Published In

IMC '19: Proceedings of the Internet Measurement Conference
October 2019
497 pages
ISBN:9781450369480
DOI:10.1145/3355369
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

IMC '19
IMC '19: ACM Internet Measurement Conference
October 21 - 23, 2019
Amsterdam, Netherlands

Acceptance Rates

IMC '19 Paper Acceptance Rate 39 of 197 submissions, 20%;
Overall Acceptance Rate 277 of 1,083 submissions, 26%

Article Metrics

  • Downloads (Last 12 months)41
  • Downloads (Last 6 weeks)0
Reflects downloads up to 07 Mar 2025

Cited By

  • (2025) The Role of Artificial Intelligence in Ad Fraud Detection in the Blockchain and Programmatic Advertising Ecosystem. In: Avoiding Ad Fraud and Supporting Brand Safety, pp. 43-82. DOI 10.4018/979-8-3693-7041-4.ch003. Published 10 Jan 2025.
  • (2024) The Roots Go Deep: Measuring '.' Under Change. In: Proceedings of the 2024 ACM on Internet Measurement Conference, pp. 441-453. DOI 10.1145/3646547.3689008. Published 4 Nov 2024.
  • (2023) Authenticated and Secure Automotive Service Discovery with DNSSEC and DANE. In: 2023 IEEE Vehicular Networking Conference (VNC), pp. 231-238. DOI 10.1109/VNC57357.2023.10136332. Published 26 Apr 2023.
  • (2022) From the Beginning: Key Transitions in the First 15 Years of DNSSEC. IEEE Transactions on Network and Service Management 19(4), pp. 5265-5283. DOI 10.1109/TNSM.2022.3195406. Published Dec 2022.
  • (2022) Addressing the challenges of modern DNS: a comprehensive tutorial. Computer Science Review 45, article 100469. DOI 10.1016/j.cosrev.2022.100469. Published Aug 2022.
  • (2021) Robustness analysis of DNS paths and web access paths in public administration websites. Computer Communications. DOI 10.1016/j.comcom.2021.09.017. Published Sep 2021.
  • (2020) Retrofitting post-quantum cryptography in internet protocols. ACM SIGCOMM Computer Communication Review 50(4), pp. 49-57. DOI 10.1145/3431832.3431838. Published 26 Oct 2020.
  • (2020) The Reality of Algorithm Agility. In: Proceedings of the ACM Internet Measurement Conference, pp. 295-308. DOI 10.1145/3419394.3423638. Published 27 Oct 2020.
