[dns-operations] Enabling DNSSEC signing for pagerduty.com
Michael Sinatra
michael at brokendns.net
Tue Jun 6 23:42:34 UTC 2023
On 6/6/23 2:26 PM, Matt Nordhoff via dns-operations wrote:
> Hold on, did y'all skip a step?
>
> <https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-enable-signing.html>:
>
>> 2. Wait for at least the previous zone’s maximum TTL.
>>
>> Wait for resolvers to flush all unsigned records from their cache. To achieve this you should wait for at least the previous zone’s maximum TTL. In the example.com zone above, the wait time would be 1 day.
> I think the zone was signed and then the DS record was added within no
> more than about 2 hours?
>
> But the pagerduty.com./NS record set TTL is 172,000.
>
> But most or all other records have TTLs of no more than 300?
>
> It's probably fine but maybe not? Clients don't normally look up NS
> records, but I don't know if there are cases where a recursive
> resolver's internal logic could notice or care?
>
> [ABSOLUTELY DO NOT PANIC AND UNSIGN THE ZONE. YOU CAN PANIC AND DELETE
> THE DS RECORD BUT FOR THE LOVE OF GOD DO NOT UNSIGN THE ZONE.]
Most implementations have figured that out. For example, here's a BIND
resolver that has clearly had the old NS records cached for more than a
day, but you can see that it just recently picked up the RRSIG:
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: c44a7851f66125f401000000647fbc7a9d4deb808b32618e (good)
;; QUESTION SECTION:
;pagerduty.com. IN NS
;; ANSWER SECTION:
pagerduty.com. 75161 IN NS ns-474.awsdns-59.com.
pagerduty.com. 75161 IN NS ns-1285.awsdns-32.org.
pagerduty.com. 75161 IN NS ns-963.awsdns-56.net.
pagerduty.com. 75161 IN NS ns-1659.awsdns-15.co.uk.
pagerduty.com. 172785 IN RRSIG NS 13 2 172800 20230609000827
20230606220827 54499 pagerduty.com.
uuPtvUfpsyZaXgCL0PtnTJHCNliXmVdLXEIv02sMAB+Gv5ObkaQNRWJ3
S/lrMjIm8LQio3aoVYs3lY/WGIc6tw==
;; ADDITIONAL SECTION:
ns-474.awsdns-59.com. 75161 IN A 205.251.193.218
I was going to write a message to Andy saying the following:
"My summary feeling is that DNSSEC signing has gotten substantially
easier, partly because of robust automation built into signing
implementations (including F/OSS), and partly because the guidance** to
resolver implementers has been to make an effort to find a path toward
validation rather than bogusity." The re-fetching of RRSIGs in this
particular case is an example of that. (The other big example being the
infamous "conservative" algorithm rollover method, which is no longer
necessary.)
I have tried validating pagerduty.com on BIND (with old data)--see the
ad flag above, plus unbound, knot-resolver, and powerdns-resolver and
it's validating correctly on all of them. Nice job (so far, at least),
folks (note the $dayjob is a pagerduty customer).
michael
**I can't find a document example of such guidance other than hints from
RFC 6781, mostly in the context of alg rollovers. I am hoping marka can
chime in and correct any hallucinations I may be recounting here.
More information about the dns-operations
mailing list