
DNS KSK Rollover: Isocel Status

This is a short overview of Isocel Telecom's preparation for the DNSSEC root KSK roll. It was presented during the ICANN webinar on the Root KSK Rollover.

Alfred Arouna

October 02, 2018

Transcript

  1. Overview
     1. DNSSEC validation
     2. Action Plan
     Reproduction or dissemination of this document is strictly prohibited without authorization. ISOCEL SA. Copyright 2018.
  2. Environment (1/5)
     • Two families of validating resolver:
       • Bind < 9.9 (handling more than 70% of DNS traffic)
       • Unbound < 1.6
     • Bind DNSSEC validation config
       #/etc/named.conf
       [...]
       dnssec-validation yes;
       managed-keys-directory "/var/named/dynamic";
       [...]
  3. Environment (2/5)
     • Available KSKs (Bind)
       #/var/named/dynamic/managed-keys.bind
       $ORIGIN .
       $TTL 0 ; 0 seconds
       @ IN SOA . . (
           87422 ; serial
           [...]
       KEYDATA 20181002111448 20120728140912 19700101000000 257 3 8 (
           [...]
           ) ; key id = 19036
       KEYDATA 20181002111448 20170811160311 19700101000000 257 3 8 (
           [...]
           ) ; key id = 20326
  4. Environment (3/5)
     • Unbound DNSSEC validation config
       #/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
       server:
           # The following line will configure unbound to perform cryptographic
           # DNSSEC validation using the root trust anchor.
           auto-trust-anchor-file: "/var/lib/unbound/root.key"
     • Available KSKs (Unbound)
       #/var/lib/unbound/root.key
       [...]
       . 172800 IN DNSKEY 257 3 8 AwEAAa/b58Da+sqqls3eNbuv7... ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1502429112 ;;Fri Aug 11 06:25:12 2017
       . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzah... ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1464716824 ;;Tue May 31 18:47:04 2016
  5. Environment (4/5)
     63% of DNSSEC validation in Benin (as of 1st October 2018) [1]
     1 https://stats.labs.apnic.net/dnssec/BJ
  6. Environment (5/5)
     80% of DNSSEC validation in the Isocel network is handled by our resolvers (as of 1st October 2018) [2].
     2 https://stats.labs.apnic.net/dnssec/BJ
  7. Having successful DNSSEC validation from our resolvers is critical.
  8. Concerns
     • Users who rely on a resolver that has the new KSK will not be affected [3].
     • Question:
       • Behavior of old (code base) Bind (< 9.9).
       • It handles the majority of our network DNS traffic.
     3 https://www.icann.org/news/announcement-2018-08-22-en
  9. Plan
     • Hot spare resolver
       • Same configs as the production one, but with a recent version of Bind for CentOS 7.
       • Could be promoted to production level in a couple of minutes.
       • Currently used as resolver in the headquarters LAN.
     • Usual monitoring
       • Server monitoring: CPU, memory, load, etc.
       • DNS monitoring (application): cache hits/misses, cache size, failures, server results, status, etc.
     • KSK monitoring (custom script)
       • Based on Getdns (Python binding).
       • Use our resolvers to request A records for well-known domains.
       • Get the DNSSEC validation status.
       • Get the KSK used for the query by requesting the validation chain.
       • Helps to identify which of our resolvers did not automatically roll to the new KSK.
  10. Thanks / Questions
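The KSK monitoring script outlined on slide 9 (validation status per resolver, plus the root KSK key tags found in the validation chain) can be built around the core below. This is an added example, not Isocel's script: the key tag routine is RFC 4034 Appendix B, the `check_resolver_result` summary works offline on a getdns-style chain, and `query_via_getdns` assumes the getdns-python API (`Context`, `address`, `replies_tree`, `validation_chain`) as documented upstream; the key ids 20326 and 19036 come from the slides.

```python
"""KSK monitor core: an added example, not Isocel's own script."""
NEW_ROOT_KSK_TAG = 20326   # KSK-2017, key id from the slides
OLD_ROOT_KSK_TAG = 19036   # KSK-2010, key id from the slides
RESPSTATUS_GOOD = 900      # numeric value of getdns.RESPSTATUS_GOOD
DNSSEC_SECURE = 400        # numeric value of getdns.DNSSEC_SECURE

def dnskey_key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY (any algorithm but 1), RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # odd offsets: low byte, even offsets: high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def root_ksk_tags(validation_chain):
    """Key tags of root-zone KSKs (flags 257) in a getdns-style chain."""
    tags = set()
    for rr in validation_chain:
        rd = rr["rdata"]
        if rr["name"] == "." and rr["type"] == 48 and rd["flags"] == 257:  # 48 = DNSKEY
            tags.add(dnskey_key_tag(257, rd["protocol"], rd["algorithm"], rd["public_key"]))
    return tags

def check_resolver_result(status, dnssec_status, validation_chain):
    """Per-resolver verdict: did validation succeed, and is the new KSK in the chain?"""
    tags = root_ksk_tags(validation_chain)
    secure = status == RESPSTATUS_GOOD and dnssec_status == DNSSEC_SECURE
    return {"secure": secure, "root_ksk_tags": sorted(tags),
            "new_ksk_seen": NEW_ROOT_KSK_TAG in tags,
            # not rolled: validation fails, or only the old KSK is in the chain
            "needs_attention": not secure or tags == {OLD_ROOT_KSK_TAG}}

def query_via_getdns(domain, resolver_ip):
    """Live A-record check through one of our resolvers (needs getdns-python)."""
    import getdns  # assumption: getdns-python API as documented upstream
    ctx = getdns.Context()
    ctx.resolution_type = getdns.RESOLUTION_STUB
    ctx.upstream_recursive_servers = [{"address_type": "IPv4", "address_data": resolver_ip}]
    ext = {"dnssec_return_status": getdns.EXTENSION_TRUE,
           "dnssec_return_validation_chain": getdns.EXTENSION_TRUE}
    res = ctx.address(name=domain, extensions=ext)
    ds = res.replies_tree[0].get("dnssec_status") if res.replies_tree else None
    return check_resolver_result(res.status, ds, res.validation_chain)
```

Run `query_via_getdns("example.com", "<resolver ip>")` against each resolver from the monitoring host; any result with `needs_attention` set is a resolver to promote the hot spare over or to fix by hand.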