Deliberately Invalidatable Root Zone
Posted: January 29th, 2010 | Author: LGForsberg | Filed under: Work | 2 Comments »A few days ago we saw something that has not happened before. One of the root-servers of the Internet was DNSSEC-enabled, signed, secured.. or was it? No, it was not really secured was it? Nope! BUT! The DNSSEC-enabled part of it is true, or at least a little bit of it.
One of the root-server instances, the L-root , had it’s copy of the root-zone signed. However, for now, the public key distributed is obviously broken and unusable (thanks Patrik!).
I for one think the DNSKEY record is cute!
IN DNSKEY 257 3 8 ( AwEAAa8Zp+++++THIS/IS/IN/AN/INVALID/ KEY/AND/CANNOT/BE/USED/FOR/VALIDATIO N/PLEASE/CONTACT/ROOTSIGN/AT/ICANN/D OT/ORG/FOR/MORE/INFORMATION+++++++++ ++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++8= );
The “system” is called DURZ (Deliberately Invalidatable Root Zone) and the plan is to put it to use in all of the the root-server instances before moving on in the implementation of DNSSEC for the root-zone.
Why? Well, first and foremost DURZ is for testing purposes. While the signed root-zone is still not considered as “in production” it will prohibit the use of the root-zone as a trust anchor for validation. During this period of time testing will f.ex. give measures of how the signed root-zone (larger response size etc) affects whoever uses it.
The implementation of DURZ will span all of the root-server instances and is planned to be done in May this year. A schedule has been posted on the Root DNSSEC site. Do I think they will stick to it? Why of course not.. How fun would that be?
M: 2010-03-03 0400-0600
I: 2010-03-03 1500-1800
D: 2010-03-24 1400-1500
K: 2010-03-24 1500-1700
E: 2010-03-24 1800-2000
H: 2010-04-14 1400-1500
C: 2010-04-14 1500-1700
G: 2010-04-14 1700-1900
B: 2010-04-14 1900-2100
F: 2010-04-14 2100-0000
J: 2010-05-05 1700-1900
All times are in UTC.
When all the root-servers are serving the DURZ I expect that a period of statistics and measurements will commence, the goal being to pinpoint any side effects from the fact that the root-zone is signed, bloated and well, lets just call it pregnant with what may be the savior of DNS.
This sounds like a great start for a fantasy novel but all that is just the means to an end..
The implementation of DNSSEC for the root-zone has been a hot potato for the last two or ten years. It has been predicted to be the deliverance of DNSSEC, the single event that puts all the pieces in place. Will it be? Well, I say we just wait and see.
If you want to know more about the implementation of DNSSEC in the root-zone, head over to Root DNSSEC!
Regards,
LG
A correction here is needed. The root is currently signed with a fully valid key. It is the public key that is currently published as DURZ that is broken “beyond recognition”. The purpose of the DURZ is that you don’t want people to be able to use the key for any validation whatsoever until the DNSSEC in root is considered as being in production. When that happens, the valid key is of course being published in the zone.
Thanks Patrik!
I think my brain already halted while I wrote this last night. I made a “NoNo” and altered the post to better fit the truth.
Regards,
LG