[GTER] Root KSK Rollover - Reminder for Recursive Servers
Frederico A C Neves
fneves at registro.br
Fri Jul 21 16:52:20 -03 2017
Folks,

Just a reminder about the rollover of the root KSK. On 11 July the new key was added to the keyset. Those whose recursive DNS servers perform DNSSEC validation, and who already had or followed the recommendation from my presentation, should already have trust anchor files like the examples below.

You can see that both Bind and Unbound have already observed the new key (kid 20326) and placed it in ADDPEND (ADDPEND in Unbound and "trust pending" in Bind). The waiting period (Add Hold-Down Time) is 30 days. Around 10 August this state should be promoted to VALID and the new key will be ready for the rollover on 11 October.

In short, those who have already done what was recommended only need to make sure that after 14 August the new key has been promoted to the valid state (VALID in Unbound and "trusted since" in Bind). Those who have not yet done what was recommended, or who run into problems, will still have approximately 60 days after this acceptance period for the new key to adjust their configurations.

It is important to stress that recursive DNS servers that perform DNSSEC validation and do not have the root keys properly configured will, from 11 October on, cause outages for their users.

Below are the references for the presentation at GTER 42. If anyone has questions, we are at your disposal.

Cheers,
Fred
ftp://ftp.registro.br/pub/gter/gter42/10-RootKSKRoll.pdf
https://www.youtube.com/watch?v=amolBhDr3zQ
# Unbound
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1500595980 ;;Thu Jul 20 21:13:00 2017
;;last_success: 1500595980 ;;Thu Jul 20 21:13:00 2017
;;next_probe_time: 1500638372 ;;Fri Jul 21 08:59:32 2017
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=2 ;;lastchange=1499975057 ;;Thu Jul 13 16:44:17 2017
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1443881271 ;;Sat Oct 3 11:07:51 2015
# Bind
# managed keys file
$ORIGIN .
$TTL 0 ; 0 seconds
@ IN SOA . . (
102937 ; serial
0 ; refresh (0 seconds)
0 ; retry (0 seconds)
0 ; expire (0 seconds)
0 ; minimum (0 seconds)
)
KEYDATA 20170722181421 20110906172836 19700101000000 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; KSK; alg = RSASHA256; key id = 19036
; next refresh: Sat, 22 Jul 2017 18:14:21 GMT
; trusted since: Tue, 06 Sep 2011 17:28:36 GMT
KEYDATA 20170722181421 20170810184824 19700101000000 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; KSK; alg = RSASHA256; key id = 20326
; next refresh: Sat, 22 Jul 2017 18:14:21 GMT
; trust pending: Thu, 10 Aug 2017 18:48:24 GMT
% dig @f.root-servers.net . dnskey +dnssec +m
; <<>> DiG 9.9.9-P4 <<>> @f.root-servers.net . dnskey +dnssec +m
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10401
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN DNSKEY
;; ANSWER SECTION:
. 172800 IN DNSKEY 257 3 8 (
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
) ; KSK; alg = RSASHA256 ; key id = 20326
. 172800 IN DNSKEY 256 3 8 (
AwEAAYvxrQOOujKdZz+37P+oL4l7e35/0diH/mZITGjl
p4f81ZGQK42HNxSfkiSahinPR3t0YQhjC393NX4TorSi
TJy76TBWddNOkC/IaGqcb4erU+nQ75k2Lf0oIpA7qTCk
3UkzYBqhKDHHAr2UditE7uFLDcoX4nBLCoaH5FtfxhUq
yTlRu0RBXAEuKO+rORTFP0XgA5vlzVmXtwCkb9G8GknH
uO1jVAwu3syPRVHErIbaXs1+jahvWWL+Do4wd+lA+TL3
+pUk+zKTD2ncq7ZbJBZddo9T7PZjvntWJUzIHIMWZRFA
jpi+V7pgh0o1KYXZgDUbiA1s9oLAL1KLSdmoIYM=
) ; ZSK; alg = RSASHA256 ; key id = 15768
. 172800 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; KSK; alg = RSASHA256 ; key id = 19036
. 172800 IN RRSIG DNSKEY 8 0 172800 (
20170811000000 20170721000000 19036 .
kp0zHRYVgEY1Ki1usB2wm5VCVG+DkpANei5yEGsiHSUI
gpBsLHMCtzz3ztmmgPIJmcJZyq49ZcMg02MpZ2EHwIgq
xqzyb3rX7KYwWHowjmdZz8c0hSIN99c6tVwfiTHstLbS
/6ya1FF1r4J6h2LZh+SeetZHw32Af1AP4DjGUEwufS2W
KQOxp0IGpM9dITuZuuGFK+gB8t2CQniDJ90FUrmltWjf
L7tYGfUcRNPMlIVgO4gLtRlV1ysm+iHAptF9zrWUjUex
2lDvOKt+O40AyzSWaeiFJCPhrtOT0tt4i8h7PjlBm+Wm
kO0ZLn0rJasJnE4ww6o8zcxGubyJrCMHjA== )
;; Query time: 0 msec
;; SERVER: 2001:500:2f::f#53(2001:500:2f::f)
;; WHEN: Fri Jul 21 16:37:27 BRT 2017
;; MSG SIZE rcvd: 1139