< 9.9 (handling more than 70% of DNS traffic)
• Unbound < 1.6
• Bind DNSSEC validation config
    # /etc/named.conf
    [...]
    dnssec-validation yes;
    managed-keys-directory "/var/named/dynamic";
    [...]
Reproduction or dissemination of this document is strictly prohibited without authorization. ISOCEL SA. Copyright 2018.
1st October 2018) [1]
[1] https://stats.labs.apnic.net/dnssec/BJ
handled by our resolvers (as of 1st October 2018) [2].
[2] https://stats.labs.apnic.net/dnssec/BJ
the new KSK will not be affected [3].
• Question:
  • Behavior of old (code base) Bind (< 9.9).
  • Handles the majority of our network's DNS traffic.
[3] https://www.icann.org/news/announcement-2018-08-22-en
production one but with a recent version of Bind for CentOS 7.
• Could be promoted to production level in a couple of minutes.
• Currently used as resolver in the headquarters LAN.
• Usual monitoring
  • Server monitoring: CPU, memory, load, etc.
  • DNS monitoring (application): cache hits/misses, cache size, failures, server results, status, etc.
• KSK monitoring (custom script)
  • Based on getdns (Python binding).
  • Uses our resolvers to request the A record for well-known domains.
  • Gets the DNSSEC validation status.
  • Gets the KSK used for the query by requesting the validation chain.
  • Helps identify which of our resolvers did not automatically roll to the new KSK.
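Whether a Bind resolver rolls to the new KSK on its own depends on how named.conf holds the root trust anchor. The following Python check is an added example, not part of the original slides or ISOCEL's script: it classifies a configuration as static (`trusted-keys`), RFC 5011 managed (`managed-keys` or `dnssec-validation auto`), or without a root anchor. The function names and sample configurations are constructed, and it assumes any included files have already been merged into the text, for instance with `named-checkconf -p`.

```python
import re

# Quoted strings are matched first so that "//" or "#" inside key data
# is never mistaken for the start of a comment.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_BLOCK = re.compile(r'\b(trusted-keys|managed-keys)\s*\{(.*?)\}\s*;', re.S)
# A root-zone entry: "." [initial-key] <flags> <protocol> <algorithm> "<key>"
_ROOT = re.compile(r'(?:^|[;\s])"?\."?\s+(?:initial-key\s+)?\d+\s+\d+\s+\d+\s+"')


def strip_comments(conf):
    """Remove /* */, // and # comments, leaving quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)


def root_anchor_status(conf):
    """Return (dnssec-validation value, how the root trust anchor is held)."""
    text = strip_comments(conf)
    m = re.search(r'\bdnssec-validation\s+(\w+)\s*;', text)
    validation = m.group(1) if m else "unset"
    kinds = {stmt for stmt, body in _BLOCK.findall(text) if _ROOT.search(body)}
    if "trusted-keys" in kinds:
        anchor = "static"    # fixed key: stays on the old KSK until edited by hand
    elif "managed-keys" in kinds or validation == "auto":
        anchor = "rfc5011"   # named tracks new root keys by itself
    else:
        anchor = "none"      # no root anchor found in this text
    return validation, anchor


# Constructed samples; the key string is a placeholder, not a real DNSKEY.
STATIC = '''
options {
    dnssec-validation yes;   // value shown on the slide
    managed-keys-directory "/var/named/dynamic";
};
trusted-keys { "." 257 3 8 "PLACEHOLDER//KEY+DATA=="; };
'''
MANAGED = '''
options { dnssec-validation yes; managed-keys-directory "/var/named/dynamic"; };
managed-keys { "." initial-key 257 3 8 "PLACEHOLDER//KEY+DATA=="; };
'''

if __name__ == "__main__":
    for name, conf in (("static", STATIC), ("managed", MANAGED)):
        print(name, root_anchor_status(conf))
```

A result of `("yes", "static")` or `("yes", "none")` marks a resolver to review before the roll.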