[dns-operations] What's wrong with my domain?

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Wed Jul 2 20:54:05 UTC 2014

On 07/02/14 08:22, Warren Kumari wrote:
> On Wed, Jul 2, 2014 at 8:19 AM, Tony Finch <dot at dotat.at> wrote:
>> Mohamed Lrhazi <ml623 at georgetown.edu> wrote:
>>> gu.edu is, luckily, a test domain, and not production. I had enabled DNSSec
>>> in our F5 GTM front ending DNS, and forgot about it. Seems I have to learn
>>> that after a while keys are rolled over and I need to do some work about
>>> it....
>> Surely it has an interlock to prevent a KSK rollover going ahead without a
>> DS change?!
> Obligatory pointer at document that *should* automate this, and so
> prevent bad KSK rolls (if deployed :-)):
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-delegation-trust-maintainance/
> Basically, when the signing tool rolls the key, it publishes the new
> key in the zone, the parent (registrar or registry) periodically
> scrapes the zone and then publishes the new DS.
> Currently with the RFC Editor.
> W
> (FD: author).

Hmmm, wonder if educause will implement this for us...and can it be done
without involving our business office.

Otherwise, wonder what I could do in my home grown automation scripts to
check for new DS and somehow extend the rollover time automatically?

Though our next scheduled KSK rollover is a year away, and we have new F5's
that'll be going into service someday....where we purchased the better package
for, so I think having the GTM do DNSSEC would take concern of whether we can
satisfy expectations for instant DNS updates when I'm forced to move our
master nameserver from the 16 core physical server into a VM....

Last KSK rollover....I had a 31 day window....So, (Aug 1, 2012) I email the
new DS info to the person that manages our educause account.  And, they
finally put it in on Aug 31st....

Except that our key alg is 8 (RSASHA256).  And, they selected 7
(RSASHA1-NSEC3-SHA1) from the dropdown menu.  We're doing NSEC3.

At least I don't get flooded with tickets about us not resolving in various
parts of the world until I get after Labor Day. (the parts that do DNSSEC
validation and don't fallback to DLV)

Since things worked from home where my provider did this, but users on Comcast
were left in the dark....

Person that had done the update, had done it just before going on vacation for
a couple of weeks...but was able to fix it from remote....

>> Tony.
>> --
>> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
>> South Utsire: Westerly 3 or 4, backing southwesterly 5 or 6 for a time. Slight
>> or moderate. Rain for a time. Good, occasionally moderate.

Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
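
Added example, not part of the original message or any poster's script: one way a rollover script could check that the parent's DS really matches the new KSK before the old key is retired, which catches the algorithm 7 versus 8 mix-up described above. Fetching the DNSKEY and DS records (for instance with dig) is left out; the zone name and key bytes are constructed placeholders and the function names are hypothetical.

```python
import base64, hashlib, struct

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """Expected DS as (key_tag, algorithm, digest_type, hex_digest), SHA-256 only."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def check_ds(owner, rdata, ds):
    """Return a list of problems with one parent DS tuple; empty means it matches."""
    want = make_ds(owner, rdata)
    tag, alg, dtype, digest = ds
    if dtype != 2:
        return ["digest type %d not handled by this sketch" % dtype]
    problems = []
    if tag != want[0]:
        problems.append("key tag %d, expected %d" % (tag, want[0]))
    if alg != want[1]:
        problems.append("algorithm %d in DS, DNSKEY uses %d" % (alg, want[1]))
    if digest.replace(" ", "").lower() != want[3]:
        problems.append("digest does not match DNSKEY")
    return problems

def new_ksk_published(owner, rdata, parent_ds_set):
    """True only if some parent DS matches the new KSK with no problems."""
    return any(not check_ds(owner, rdata, ds) for ds in parent_ds_set)

# Constructed sample data: placeholder zone name and fake key bytes, not a real key.
OWNER = "example.edu."
NEW_KSK = dnskey_rdata(257, 3, 8, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    good = make_ds(OWNER, NEW_KSK)
    wrong_alg = (good[0], 7, good[2], good[3])   # alg 7 entered instead of 8
    print(check_ds(OWNER, NEW_KSK, wrong_alg))
    print("safe to retire old KSK:", new_ksk_published(OWNER, NEW_KSK, [wrong_alg]))
```

A script built this way would keep both KSKs in the zone and extend the rollover window for as long as `new_ksk_published` returns False.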
