
Re: DNSSEC

2010-09-01 11:27:27
Or it is a matter of the readers of this list perhaps recognizing a
business opportunity and helping the 98% of net users who are less
technically sophisticated in a variety of ways...


Understanding what a DNS TTL is means that a Web site operator has
distinctly above average skill.


On Tue, Aug 31, 2010 at 9:05 PM, Mark Andrews <marka(_at_)isc(_dot_)org> wrote:

In message <AANLkTinwMO6Sw-rvfrax-_VNN8x1kejc9iAkrNQGBf2v(_at_)mail(_dot_)gmail(_dot_)com>, Phillip Hallam-Baker writes:
Whether or not the IAB zone is signed is of negligible consequence.

But the fact that the IAB zone signatures had expired is a highly
significant data point: DNSSEC administration is not quite as easy as
some of the glib claims of its more enthusiastic supporters would lead
one to believe.

It's more a matter of choosing the right tools.  I've got signed
zones that haven't been hand signed in 3 years using a 2 month
signature validity interval.  The nameserver just re-signs the
records as they fall due.  That's several thousand automatic updates
of the zones in that period.  Yes, I've changed the non DNSSEC
content of the zones in that time.

This isn't a protocol issue.  It's a tools issue and DNSSEC tools
from all vendors are improving.

It's also extremely easy to construct tools that can warn you to
re-sign if you are doing it by hand.  You could replace awk with
perl and have a cross platform tool.  Such tools can easily be
added to network management platforms as they are just small
scripts.  If you don't have a network management platform use
cron.

e.g.

% dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print }' WARN=`date -u -v +7d +%Y%m%d%H%M%S`
%

% dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print }' WARN=`date -u -v +1m +%Y%m%d%H%M%S`
bind9-test-8.dv.isc.org. 86400  IN      RRSIG   NSEC 5 4 86400 20100929190221 20100731184853 14436 dv.isc.org. 2jHCGeJqH23dO0RV48Uqqp2hXIl1wp3kIslqmdz686uaCNz3WZZUhKzX EH+8iKc6QQWMZhFzhJoqruiTO6RyIA==
BRNEE8E63.dv.isc.org.   1800    IN      RRSIG   A 5 4 1800 20100929190221 20100731184853 14436 dv.isc.org. ZhD6uAbGQYDWJ6rob9iyvRNWZ7Tod1as4WEtPV8C+mLF8aJbakwp/76/ f7r7jz/fQOtIMQ/NjXBRT7O4507gIA==
BRNEE8E63.dv.isc.org.   1800    IN      RRSIG   TXT 5 4 1800 20100929190221 20100731184853 14436 dv.isc.org. Xl3nk8lf2exwGGy2iI2BxVjXO3emvI+8GRmkj+vi7n8rddmP6oJRqPGZ wmNoZVxMN9XMTghly6w6Cmj8aNAILQ==
BRNEE8E63.dv.isc.org.   86400   IN      RRSIG   NSEC 5 4 86400 20100929190221 20100731184853 14436 dv.isc.org. JUR1M8GmlFFYF73v6oh+bdwYuKK0YBMe7b4mDsMBs1bdBqHB52KUZ8eS KNCRD3GTp8VzwxB1TGmuIq+dGr57lQ==
%

With a minor change it will print out just the zone.

% dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print "WARNING:", $12, "needs re-signing" ; exit }' WARN=`date -u -v +1m +%Y%m%d%H%M%S`
WARNING: dv.isc.org. needs re-signing
%

Wrap it in a while loop and you can do all your zones.  The getline
is so we don't generate error messages in the nameserver logs by
causing the axfr to be aborted.

#!/bin/sh -f
# Reads "zone server" pairs from stdin and warns about every zone that has an
# RRSIG expiring within the next 7 days.  "date -v" is the BSD date(1) syntax.
WARN=`date -u -v +7d +%Y%m%d%H%M%S`
while read zone server
do
       dig axfr "$zone" "@$server" | \
       awk '$4 == "RRSIG" && $9 < WARN {
               print "WARNING:", $12, "needs re-signing."
               # drain the rest of the transfer so the AXFR is not aborted
               while (getline) ;
           }' WARN=$WARN
done

Mark

On Tue, Aug 31, 2010 at 10:36 AM, Glen Barney (AMS) 
<glen(_at_)amsl(_dot_)com> wrote:
Community -

The DNS zone files have been re-signed, and we will look into alternatives to
the original DNSSEC tools that were in use (which seem to be broken.)

And just a reminder that, while posting complaints to this list might feel
more therapeutic, the secretariat has an address set up for trouble reports,
which is ietf-action(_at_)ietf(_dot_)org . Sending complaints to that address will
generally get much faster results.

Thank you!

Glen
Glen Barney
IT Director
AMS (IETF Secretariat)

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf




-- 
Website: http://hallambaker.com/
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org




-- 
Website: http://hallambaker.com/
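A more portable version of the check in Mark's script, added here as an example (not code from the thread or from ISC): it keys on the same dig fields ($9 expiration, $12 signer), but does the date arithmetic inside awk instead of relying on BSD date -v, consumes the whole transfer instead of exiting early, reports only the earliest expiry per signer, and distinguishes signatures that have already lapsed. The helper name, the zone names and the sample records are constructed.

```shell
#!/bin/sh
# Assumed helper (added example, not from the thread): warn_rrsig_expiry DAYS [NOW]
# Reads records in dig/AXFR presentation format on stdin and prints one WARNING
# per signer name whose RRSIGs expire within DAYS days of NOW (YYYYMMDDHHMMSS,
# default: current UTC time).  Exit status 1 when anything was flagged.
warn_rrsig_expiry() {
    days="$1"
    now="${2:-$(date -u +%Y%m%d%H%M%S)}"
    awk -v days="$days" -v now="$now" '
        # YYYYMMDDHHMMSS -> seconds since 1970-01-01 (civil-date formula), done in
        # awk so that neither BSD "date -v" nor GNU "date -d" is needed.
        function to_epoch(ts,    y, m, d, era, yoe, doy, doe, secs) {
            y = substr(ts, 1, 4) + 0; m = substr(ts, 5, 2) + 0; d = substr(ts, 7, 2) + 0
            if (m <= 2) y--
            era = int(y / 400); yoe = y - era * 400
            doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
            doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
            secs = substr(ts, 9, 2) * 3600 + substr(ts, 11, 2) * 60 + substr(ts, 13, 2)
            return (era * 146097 + doe - 719468) * 86400 + secs
        }
        BEGIN { nowsec = to_epoch(now); limit = nowsec + days * 86400 }
        # Same field layout as the dig output in the thread: $9 = expiration, $12 = signer.
        $4 == "RRSIG" {
            e = to_epoch($9)
            if (e < limit && (!($12 in soonest) || e < soonest[$12])) {
                soonest[$12] = e; when[$12] = $9
            }
        }
        # Every record is consumed (no early exit), so a dig pipe is never broken.
        END {
            for (z in soonest) {
                state = (soonest[z] < nowsec) ? "EXPIRED at" : "needs re-signing, earliest expiry"
                printf "WARNING: %s %s %s\n", z, state, when[z]
                bad = 1
            }
            if (bad) exit 1
        }'
}

# Constructed sample zone data (not real dv.isc.org records): one signature that
# lapses on 2010-09-01, two that stay valid for longer.
SAMPLE='example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2010083101 7200 3600 1209600 3600
www.example.test. 1800 IN RRSIG A 8 3 1800 20100929190221 20100731184853 14436 example.test. AAAA==
www.example.test. 1800 IN A 192.0.2.10
mail.example.test. 3600 IN RRSIG MX 8 3 3600 20101115000000 20100901000000 14436 example.test. BBBB==
stale.example.test. 3600 IN RRSIG TXT 8 3 3600 20100901000000 20100801000000 14436 example.test. CCCC=='

# Real use: dig axfr "$zone" "@$server" | warn_rrsig_expiry 7
printf '%s\n' "$SAMPLE" | warn_rrsig_expiry 7 20100922000000 || echo "(exit status $? for cron)"
```

With a 7-day window and the clock set to 2010-09-22, the signature expiring on 2010-09-29 19:02 is correctly left alone, exactly as in Mark's first run, while the lapsed one is reported.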
