[dns-operations] anchors.atlas.ripe.net/ripe.net - DNSSEC bogus due expiration
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Nov 1 16:18:42 UTC 2023
On Wed, Nov 01, 2023 at 04:49:01PM +0100, Mark Andrews wrote:
> It shouldn’t take any time as the bogus records shouldn’t have been cached.
>
Right, unlike mismatched parent-side DS RRs, RRSIG expiration heals
fairly promptly once the zone is resigned at the origin.
I am repeatedly surprised when I hear of operators finding out about
RRSIG expiration after the fact from 3rd parties.
Somehow the reflexive knowledge that DNS monitoring means not only:
- Is it still working at this very moment
but also:
- Is it about to stop working if nothing is done soon
appears to not have become an ingrained part of the operator culture.
* What can we as a community do to get the message out?
* What tooling improvements could make this easier for operators?
Specifically, in the case of signed zones, monitoring MUST also include
regular checks of the remaining expiration time of at least the core
zone apex records (DNSKEY, SOA and NS), and ideally the whole zone, both
on the primary server and the secondaries.
There needs to be a minimum acceptable remaining RRSIG time that's some
reasonable fraction of the total RRSIG lifetime, which if crossed leaves
enough time for the responsible operator to react and rectify any
issues. My tiny zones are monitored to not go below ~π days of
remaining RRSIG validity. :-)
ldns-verify-zone -e P0Y0M3DT3H23M54S -V1 ...
[ Of course that minimum time needs to be less than the threshold at which
extant records are normally resigned. ]
Should authoritative resolvers have knobs to perform internal checks on
the signed zones they serve and at least syslog loud warnings?
If there were some protocol to get a message into a monitoring system,
that would be even better...
Ideally, if operators cannot or do not on their own implement the
requisite monitoring, is it possible to make it easy enough for them to
do, and is sufficiently prominently documented or otherwise becomes well
known, that they start doing it?
"Unmonitored critical service", especially when it involves security,
should be an oxymoron.
--
Viktor.
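The monitoring check described in the post, as an added example that is not part of the post and is not the ldns tool it mentions: a standard-library Python script that parses RRSIG records in zone-file presentation format, computes each signature's remaining validity against a threshold of max(~π days, a fraction of the signature's lifetime), flags core apex RRsets (DNSKEY, SOA, NS) that carry no signature at all, and runs the same check over the zone as served by each server so a stale secondary is caught separately from the primary. The zone name example.test, the server labels, the 25% lifetime fraction and every signature value are constructed assumptions; the apex-type list and the π-day floor follow the post.

```python
# Added example (not from the post or any tool it names): flag apex RRSIGs that
# are close to expiry, or core apex RRsets with no RRSIG at all, using only the
# Python standard library. All zone data and the clock value are constructed.
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Apex RRsets whose signatures must be watched at minimum (per the post).
CORE_APEX_TYPES = ("DNSKEY", "SOA", "NS")
# Floor on remaining validity: ~pi days, mirroring the post's -e P0Y0M3DT3H23M54S.
MIN_REMAINING = timedelta(days=math.pi)
# Assumption: also require at least this fraction of each signature's lifetime.
MIN_FRACTION = 0.25


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    keytag: int
    inception: datetime
    expiration: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.expiration - self.inception

    def remaining(self, now: datetime) -> timedelta:
        return self.expiration - now


def parse_sigtime(text: str) -> datetime:
    """RRSIG times in presentation format are YYYYMMDDHHmmSS, UTC (RFC 4034 s3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> Rrsig | None:
    """Parse one RRSIG line in presentation format; None for comments/other records.

    RDATA order: type covered, algorithm, labels, original TTL, expiration,
    inception, key tag, signer's name, signature. TTL and class are optional
    in the presentation format, so the RRSIG token is located, not indexed.
    """
    fields = line.split()
    if not fields or fields[0].startswith(";") or "RRSIG" not in fields[1:]:
        return None
    rdata = fields[fields.index("RRSIG", 1) + 1:]
    if len(rdata) < 8:
        return None
    covered, _alg, _labels, _origttl, exp, inc, keytag = rdata[:7]
    return Rrsig(fields[0].lower(), covered.upper(), int(keytag),
                 parse_sigtime(inc), parse_sigtime(exp))


def fmt(td: timedelta) -> str:
    days = td.total_seconds() / 86400
    return f"{days:.2f} days" if days >= 0 else f"expired {-days:.2f} days ago"


def check_apex_signatures(zone_text: str, apex: str, now: datetime,
                          min_remaining: timedelta = MIN_REMAINING,
                          min_fraction: float = MIN_FRACTION) -> list[str]:
    """One warning per finding: a core apex RRset with no RRSIG, or any RRSIG whose
    remaining validity is below max(min_remaining, min_fraction * lifetime)."""
    apex = apex.lower().rstrip(".") + "."
    sigs = [s for s in map(parse_rrsig, zone_text.splitlines()) if s is not None]
    warnings: list[str] = []
    signed = {(s.owner, s.type_covered) for s in sigs}
    for rrtype in CORE_APEX_TYPES:
        if (apex, rrtype) not in signed:
            warnings.append(f"{apex} {rrtype}: no RRSIG present")
    for s in sigs:
        threshold = max(min_remaining, s.lifetime * min_fraction)
        rem = s.remaining(now)
        if rem < threshold:
            warnings.append(f"{s.owner} {s.type_covered} keytag {s.keytag}: "
                            f"{fmt(rem)} remaining, threshold {fmt(threshold)}")
    return warnings


def check_servers(zone_by_server: dict[str, str], apex: str, now: datetime) -> dict[str, list[str]]:
    """Check the zone as served by each server (primary and every secondary)."""
    return {srv: check_apex_signatures(text, apex, now) for srv, text in zone_by_server.items()}


# Constructed sample for a hypothetical zone example.test: the primary has no RRSIG
# over its NS RRset and a SOA RRSIG about to expire; the secondary still serves an
# older copy whose SOA RRSIG has already expired. The clock is the post's timestamp.
NOW = datetime(2023, 11, 1, 16, 18, 42, tzinfo=timezone.utc)
PRIMARY_ZONE = """\
; constructed, not real signatures
example.test.     3600 IN RRSIG DNSKEY 13 2 3600 20231120000000 20231101000000 12345 example.test. c2lnMQ==
example.test.     3600 IN RRSIG SOA    13 2 3600 20231103120000 20231020120000 54321 example.test. c2lnMg==
www.example.test.  300 IN RRSIG A      13 3  300 20231115000000 20231101000000 54321 example.test. c2lnMw==
"""
SECONDARY_ZONE = PRIMARY_ZONE.replace("20231103120000", "20231101120000")
SAMPLE_SERVERS = {"ns1.example.test (primary)": PRIMARY_ZONE,
                  "ns2.example.test (secondary)": SECONDARY_ZONE}


def run_sample() -> dict[str, list[str]]:
    return check_servers(SAMPLE_SERVERS, "example.test", NOW)


if __name__ == "__main__":
    for server, findings in run_sample().items():
        print(server)
        for line in findings or ["OK"]:
            print(" ", line)
```

In practice the zone text would come from a zone transfer or per-RRset queries against each listed nameserver rather than a string, and, as the post points out, the floor chosen here has to sit below the point at which the signer normally refreshes signatures, or the check fires on every healthy resign cycle.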