[GTER] DNSSEC Root KSK Rollover - 30 days to go

Jonni Pianezzer jhonnyp at deltaativa.com.br
Tue Sep 12 11:14:41 -03 2017


Very good, I'll do it. I think it's really important that this news be 
spread to everyone,

Regards,

JhonnyP


On 12/09/2017 11:11, Frederico A C Neves wrote:
> Jonni,
>
> On Tue, Sep 12, 2017 at 09:33:35AM -0300, Jonni Pianezzer wrote:
>> Could someone write a tutorial on how to update this, in unbound,
>> bind, and so on,
> It is in the presentation, slides 10 and 11; they are simple additions
> to the service configuration.
>
> ftp://ftp.registro.br/pub/gter/gter42/10-RootKSKRoll.pdf
>
> **Unbound
> server:
>   auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
>
> **Bind
> options {
>   dnssec-validation auto;
> };
>
> The last slide also has the references for both cases.
>
> https://www.unbound.net/documentation/howto_anchor.html
> https://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#managed-keys
>
> Since there are now fewer than the 30 days needed for 5011 to work
> properly, I suggest populating the files referenced in the
> configurations with the data below.
>
> % cat /usr/local/unbound/etc/unbound/root.key
> ; autotrust trust anchor file
> ;;id: . 1
> ;;last_queried: 1505186999 ;;Tue Sep 12 00:29:59 2017
> ;;last_success: 1505186999 ;;Tue Sep 12 00:29:59 2017
> ;;next_probe_time: 1505229550 ;;Tue Sep 12 12:19:10 2017
> ;;query_failed: 0
> ;;query_interval: 43200
> ;;retry_time: 8640
> .	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1500667831 ;;Fri Jul 21 17:10:31 2017
> .	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1503296928 ;;Mon Aug 21 03:28:48 2017
>
> % cat /var/named/etc/managed-keys.bind
> $ORIGIN .
> $TTL 0	; 0 seconds
> @			IN SOA	. . (
> 				105473     ; serial
> 				0          ; refresh (0 seconds)
> 				0          ; retry (0 seconds)
> 				0          ; expire (0 seconds)
> 				0          ; minimum (0 seconds)
> 				)
> 			KEYDATA	20170913134512 20110906172836 19700101000000 257 3 8 (
> 				AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
> 				bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
> 				/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
> 				JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
> 				oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
> 				LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
> 				Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
> 				LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
> 				) ; KSK; alg = RSASHA256; key id = 19036
> 				; next refresh: Wed, 13 Sep 2017 13:45:12 GMT
> 				; trusted since: Tue, 06 Sep 2011 17:28:36 GMT
> 			KEYDATA	20170913134512 20170811181600 19700101000000 257 3 8 (
> 				AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
> 				iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
> 				7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
> 				LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
> 				efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
> 				pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
> 				A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
> 				9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
> 				) ; KSK; alg = RSASHA256; key id = 20326
> 				; next refresh: Wed, 13 Sep 2017 13:45:12 GMT
> 				; trusted since: Fri, 11 Aug 2017 18:16:00 GMT
>
>
> These keys can be verified directly by querying the root servers or
> by the procedure described in RFC7958.
>
> % dig @f.root-servers.net . dnskey +multi +short | grep 257
> 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
> 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
>
>> it would be important for the Internet
> Regards,
> Fred
>
>> On 11/09/2017 18:54, Frederico A C Neves wrote:
>>> Folks,
>>>
>>> One more reminder: in 30 days (2017-10-11 16:00 UTC) we will have the
>>> rollover of the root KSK.
>>>
>>> If you operate recursive DNS servers, this event may impact your
>>> operation. Make sure you take the measures listed in the reference
>>> below.
>>>
>>> If you have any questions, we are at your disposal.
>>>
>>> Regards,
>>> Fred
>>>
>>> https://eng.registro.br/pipermail/gter/2017-July/070560.html
>>> --
>>> gter list    https://eng.registro.br/mailman/listinfo/gter
>>>
>>
>
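
Added example, not part of the original thread: a Python sketch of the check Fred describes, comparing the KSKs in a local trust anchor file with those a root server returns and recomputing each key tag per RFC 4034 Appendix B. The key material is copied from the message above; the function names are illustrative.

```python
import base64

# Key material copied from the message above: the two DNSKEY lines of the
# Unbound root.key, and the two lines printed by `dig ... +multi +short`.
ANCHOR_FILE = """\
; autotrust trust anchor file
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
"""
DIG_OUTPUT = """\
257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=
257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
"""

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_ksks(text):
    """Return {key_tag: public_key_bytes} for each KSK (flags 257) in text."""
    keys = {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()        # drop comments
        if "DNSKEY" in fields:                     # zone-file form: skip owner/TTL/class
            fields = fields[fields.index("DNSKEY") + 1:]
        if len(fields) < 4 or fields[0] != "257":
            continue
        flags, proto, alg = (int(f) for f in fields[:3])
        pubkey = base64.b64decode("".join(fields[3:]), validate=True)
        keys[key_tag(flags, proto, alg, pubkey)] = pubkey
    return keys

def compare(anchor_text, dig_text):
    """Classify key tags: identical on both sides, local only, served only."""
    local, served = parse_ksks(anchor_text), parse_ksks(dig_text)
    return {
        "matching": sorted(t for t in local if served.get(t) == local[t]),
        "only_local": sorted(t for t in local if served.get(t) != local[t]),
        "only_served": sorted(t for t in served if local.get(t) != served[t]),
    }

if __name__ == "__main__":
    print(compare(ANCHOR_FILE, DIG_OUTPUT))
```

An empty `only_served` list is the state to aim for before the rollover date: every KSK the root publishes is already present in the local anchor file.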



