[dns-operations] Entering DNSSEC waters

Franck Martin fmartin at linkedin.com
Fri Jan 23 07:00:41 UTC 2015


On Jan 22, 2015, at 4:18 PM, Doug Barton <dougb at dougbarton.us> wrote:

> On 1/22/15 11:21 AM, Stephen Johnson (DIS) wrote:
>> I'm about to put my toes into the DNSSEC waters before something forces me
>> to dive in head first. I've been researching and doing some tentative
>> planning as to how to implement DNSSEC for our DNS zones.
>> 
>> I've got a good handle on how we'll be doing our key handling and key
>> rotations (from RFC6781). What I'm currently lacking is a roll out and
>> testing plan for the live zones. I've read about the DNSSEC roll outs
>> that have been discussed on the list.
>> 
>> What I'm asking for is advice and possibly copies of roll out and
>> testing plans others have used. From those I'll cobble together a roll out
>> plan for our zones.
> 
> How wet are your toes? :)
> 
> If you haven't already, start with validation. It's easy to enable, and you can do it with next to no impact on your existing stuff (assuming you have some overhead built into your existing resolver infrastructure).
> 
> Rollout and testing are the same as they would be for any other major DNS change. Do you have internal-only zones? Create a new one just for testing, and put your new validators through their paces. (You'll need trust anchors configured for those internal zones on your validating resolvers.) Then maybe go on to some other, mission critical zones.
> 
> Then move on to a few inconsequential external zones (e.g., zones you have parked for trademark protection purposes). You can test them from the inside with your validating resolvers, and then you'll want to confirm from the outside as well. (Google's public DNS is validating, FYI.)
> 
Agreed to all the above… start with the resolvers first.

I have also noticed that if you don't put DS records in the parent zone, you can DNSSEC-enable your zone, check that the records are properly signed, etc… but because the glue is missing, your zone is not "secured". It means the resolver won't care whether the signatures are valid or not (unless you load the DS keys in your resolvers).

So check that your software rolls out the keys correctly a couple of times before you add the DS in the parent zone.

This sounds like a correct, very controlled roll out:
http://www.auda.org.au/industry-information/au-domains/dnssec/

This is a neat tool to check everything: http://dnsviz.net/d/edu.au/dnssec/

And http://verteiltesysteme.net/ allows you to check that your resolver is working correctly.
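As an added illustration of the point above (not code from the thread or from any of the tools linked): deriving the DS record from a zone's KSK the way RFC 4034 specifies it, and classifying how a validating resolver would treat the delegation depending on what the parent publishes. The zone name and key material are constructed for the example.

```python
import hashlib

# Constructed example: a KSK (flags 257) for example.net. using algorithm 13.
# Real ECDSAP256SHA256 public keys are 64 bytes; this short one is illustrative only.
ZONE = "example.net."

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, key material."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key

KSK_RDATA = dnskey_rdata(257, 13, bytes([1, 2, 3, 4]))

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the non-RSA/MD5 computation)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, the form hashed into the DS."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_from_dnskey(name: str, rdata: bytes) -> tuple:
    """DS rdata as (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def delegation_state(name: str, dnskeys: list, parent_ds: list) -> str:
    """What a validator concludes for this zone.
    insecure: no DS in the parent, so signatures are ignored (the 'not secured'
              case above). Assumes the absence of DS is itself proven by the parent.
    secure:   at least one parent DS matches a DNSKEY the zone publishes.
    bogus:    DS exists but matches no published key, e.g. the KSK was rolled
              without updating the parent: the whole zone fails validation."""
    if not parent_ds:
        return "insecure"
    published = {ds_from_dnskey(name, k) for k in dnskeys}
    return "secure" if any(ds in published for ds in parent_ds) else "bogus"

if __name__ == "__main__":
    ds = ds_from_dnskey(ZONE, KSK_RDATA)
    print("DS to hand to the parent:", ds)
    print("before DS is published:", delegation_state(ZONE, [KSK_RDATA], []))
    print("after DS is published: ", delegation_state(ZONE, [KSK_RDATA], [ds]))
```

The "bogus" case is why the advice to roll keys a couple of times first matters: once the parent carries a DS, a rollover that drops the referenced key breaks resolution instead of merely leaving the zone unsigned.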