[GTER] DNSSEC Root KSK Rollover - 30 days to go

Frederico A C Neves fneves at registro.br
Tue Sep 12 11:11:13 -03 2017


Jonni,

On Tue, Sep 12, 2017 at 09:33:35AM -0300, Jonni Pianezzer wrote:
> Could someone write a tutorial on how to update this, in unbound,
> bind, and so on,

It is in the presentation, slides 10 and 11; they are simple additions
to the service configuration.

ftp://ftp.registro.br/pub/gter/gter42/10-RootKSKRoll.pdf

**Unbound
server:
 auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"

**Bind
options {
 dnssec-validation auto;
};

The last slide also carries the references for both cases.

https://www.unbound.net/documentation/howto_anchor.html
https://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#managed-keys

Since there are now fewer than the 30 days required for 5011 to work
properly, I suggest populating the files referenced in the
configurations with the data below.

% cat /usr/local/unbound/etc/unbound/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1505186999 ;;Tue Sep 12 00:29:59 2017
;;last_success: 1505186999 ;;Tue Sep 12 00:29:59 2017
;;next_probe_time: 1505229550 ;;Tue Sep 12 12:19:10 2017
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1500667831 ;;Fri Jul 21 17:10:31 2017
.	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1503296928 ;;Mon Aug 21 03:28:48 2017

% cat /var/named/etc/managed-keys.bind
$ORIGIN .
$TTL 0	; 0 seconds
@			IN SOA	. . (
				105473     ; serial
				0          ; refresh (0 seconds)
				0          ; retry (0 seconds)
				0          ; expire (0 seconds)
				0          ; minimum (0 seconds)
				)
			KEYDATA	20170913134512 20110906172836 19700101000000 257 3 8 (
				AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
				bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
				/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
				JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
				oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
				LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
				Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
				LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
				) ; KSK; alg = RSASHA256; key id = 19036
				; next refresh: Wed, 13 Sep 2017 13:45:12 GMT
				; trusted since: Tue, 06 Sep 2011 17:28:36 GMT
			KEYDATA	20170913134512 20170811181600 19700101000000 257 3 8 (
				AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
				iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
				7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
				LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
				efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
				pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
				A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
				9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
				) ; KSK; alg = RSASHA256; key id = 20326
				; next refresh: Wed, 13 Sep 2017 13:45:12 GMT
				; trusted since: Fri, 11 Aug 2017 18:16:00 GMT


These keys can be verified directly by querying the root servers or by
the procedure described in RFC 7958.

% dig @f.root-servers.net . dnskey +multi +short | grep 257
257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=

> it would be important for the Internet

[]s
Fred

> On 11/09/2017 18:54, Frederico A C Neves wrote:
> > Folks,
> >
> > One more reminder: in 30 days (2017-10-11 16:00 UTC) we will have the
> > rollover of the root KSK key.
> >
> > If you operate recursive DNS servers, this event may affect your
> > operation. Make sure to take the measures listed in the reference
> > below.
> >
> > If you have any questions, we are at your disposal.
> >
> > []s
> > Fred
> >
> > https://eng.registro.br/pipermail/gter/2017-July/070560.html
> > --
> > gter list    https://eng.registro.br/mailman/listinfo/gter
> >
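As an added check, not part of Fred's post or of the unbound/BIND projects: this Python script parses the unbound root.key lines and the `dig +multi +short` output quoted above, computes each key's tag per RFC 4034 Appendix B, and confirms that the local trust anchors are exactly the KSKs the root servers publish (ids 19036 and 20326). The key material is copied from the post so it runs offline.

```python
import base64
# Input copied from the post, embedded so the script runs offline: the two root KSK
# records as unbound's autotrust root.key holds them (key ids 19036 and 20326).
UNBOUND_ROOT_KEY = """\
; autotrust trust anchor file
;;id: . 1
.  172800  IN  DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ]
.  172800  IN  DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]
"""
# The same keys as `dig @f.root-servers.net . dnskey +multi +short | grep 257`
# prints them in the post; +multi breaks the base64 into space-separated chunks.
DIG_OUTPUT = """\
257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
"""

def parse_dnskeys(text):
    """Return (flags, protocol, algorithm, pubkey_bytes) for each DNSKEY in either format."""
    keys = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop autotrust comment/metadata lines
        if not line:
            continue
        tok = line.split()
        if "DNSKEY" in tok:                    # full RR line: owner TTL class DNSKEY rdata
            tok = tok[tok.index("DNSKEY") + 1:]
        flags, proto, alg = (int(t) for t in tok[:3])
        keys.append((flags, proto, alg, base64.b64decode("".join(tok[3:]))))
    return keys

def key_tag(flags, proto, alg, pubkey):
    """Key tag per RFC 4034 Appendix B over the DNSKEY RDATA (flags|proto|alg|key)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ksk_tags(text):
    """Sorted key tags of the KSKs (flags 257 = ZONE + SEP bits) found in the text."""
    return sorted(key_tag(*k) for k in parse_dnskeys(text) if k[0] == 257)

def anchors_match(local_text, root_text):
    """True when the local trust anchors are exactly the KSKs the root servers publish."""
    return ksk_tags(local_text) == ksk_tags(root_text)

if __name__ == "__main__":
    print("local:", ksk_tags(UNBOUND_ROOT_KEY), "root:", ksk_tags(DIG_OUTPUT), "match:", anchors_match(UNBOUND_ROOT_KEY, DIG_OUTPUT))
```

A resolver whose local file yields only 19036 has not picked up KSK-2017 via 5011 and needs the file populated as Fred describes before the rollover date.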
