[GTER] DNSSEC Root KSK Rollover - 30 days to go
Samir Patrice
samir.patrice at gmail.com
Tue Sep 12 19:28:26 -03 2017
Do these changes need to be made even by those who are not yet using DNSSEC?
On 12 September 2017 at 11:14, Jonni Pianezzer <jhonnyp at deltaativa.com.br> wrote:
> Very good, I'll do it. I think it's very important for this news to be
> spread to everyone.
>
> Regards
>
> JhonnyP
>
>
>
> On 12/09/2017 11:11, Frederico A C Neves wrote:
>
>> Jonni,
>>
>> On Tue, Sep 12, 2017 at 09:33:35AM -0300, Jonni Pianezzer wrote:
>>
>>> Could someone put together a tutorial on how to update this, in unbound,
>>> bind, and so on?
>>>
>> It's in the presentation, slides 10 and 11; they are simple additions to
>> the service configuration.
>>
>> ftp://ftp.registro.br/pub/gter/gter42/10-RootKSKRoll.pdf
>>
>> **Unbound
>> server:
>> auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
>>
>> **Bind
>> options {
>> dnssec-validation auto;
>> };
>>
>> The last slide also has the references for both cases.
>>
>> https://www.unbound.net/documentation/howto_anchor.html
>> https://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch06.html#managed-keys
>>
>> Since there are now fewer than the 30 days needed for 5011 to work
>> properly, I suggest populating the files referenced in the configurations
>> with the data below.
>>
>> % cat /usr/local/unbound/etc/unbound/root.key
>> ; autotrust trust anchor file
>> ;;id: . 1
>> ;;last_queried: 1505186999 ;;Tue Sep 12 00:29:59 2017
>> ;;last_success: 1505186999 ;;Tue Sep 12 00:29:59 2017
>> ;;next_probe_time: 1505229550 ;;Tue Sep 12 12:19:10 2017
>> ;;query_failed: 0
>> ;;query_interval: 43200
>> ;;retry_time: 8640
>> . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1500667831 ;;Fri Jul 21 17:10:31 2017
>> . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1503296928 ;;Mon Aug 21 03:28:48 2017
>>
>> % cat /var/named/etc/managed-keys.bind
>> $ORIGIN .
>> $TTL 0 ; 0 seconds
>> @ IN SOA . . (
>> 105473 ; serial
>> 0 ; refresh (0 seconds)
>> 0 ; retry (0 seconds)
>> 0 ; expire (0 seconds)
>> 0 ; minimum (0 seconds)
>> )
>> KEYDATA 20170913134512 20110906172836 19700101000000 257 3 8 (
>> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W
>> 29euxhJhVVLOyQ
>> bSEW0O8gcCjFFVQUTf6v58fLjwBd0Y
>> I0EzrAcQqBGCzh
>> /RStIoO8g0NfnfL2MTJRkxoXbfDaUe
>> VPQuYEhg37NZWA
>> JQ9VnMVDxP/VHL496M/QZxkjf5/Efu
>> cp2gaDX6RS6CXp
>> oY68LsvPVjR0ZSwzz1apAzvN9dlzEh
>> eX7ICJBBtuA6G3
>> LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6D
>> oBQzgul0sGIcGO
>> Yl7OyQdXfZ57relSQageu+ipAdTTJ2
>> 5AsRTAoub8ONGc
>> LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
>> ) ; KSK; alg = RSASHA256; key id = 19036
>> ; next refresh: Wed, 13 Sep 2017 13:45:12 GMT
>> ; trusted since: Tue, 06 Sep 2011 17:28:36 GMT
>> KEYDATA 20170913134512 20170811181600 19700101000000 257 3 8 (
>> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVe
>> xTBAvkMgJzkKTO
>> iW1vkIbzxeF3+/4RgWOq7HrxRixHlF
>> lExOLAJr5emLvN
>> 7SWXgnLh4+B5xQlNVz8Og8kvArMtNR
>> OxVQuCaSnIDdD5
>> LKyWbRd2n9WGe2R8PzgCmr3EgVLrjy
>> BxWezF0jLHwVN8
>> efS3rCj/EWgvIWgb9tarpVUDK/b58D
>> a+sqqls3eNbuv7
>> pr+eoZG+SrDK6nWeL3c6H5Apxz7LjV
>> c1uTIdsIXxuOLY
>> A4/ilBmSVIzuDWfdRUfhHdY6+cn8HF
>> Rm+2hM8AnXGXws
>> 9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
>> ) ; KSK; alg = RSASHA256; key id = 20326
>> ; next refresh: Wed, 13 Sep 2017 13:45:12 GMT
>> ; trusted since: Fri, 11 Aug 2017 18:16:00 GMT
>>
>>
>> These keys can be verified directly with queries to the root servers or
>> by the procedure described in RFC 7958.
>>
>> % dig @f.root-servers.net . dnskey +multi +short | grep 257
>> 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
>> 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
>>
>> it would be important for the Internet
>>>
>> Regards
>> Fred
>>
>> On 11/09/2017 18:54, Frederico A C Neves wrote:
>>>
>>>> Folks,
>>>>
>>>> One more reminder: in 30 days (2017-10-11 16:00 UTC) we will have the
>>>> rollover of the root KSK.
>>>>
>>>> If you operate recursive DNS servers, this event may impact your
>>>> operation. Make sure to take the steps listed in the reference below.
>>>>
>>>> If you have any questions, we are available.
>>>>
>>>> Regards
>>>> Fred
>>>>
>>>> https://eng.registro.br/pipermail/gter/2017-July/070560.html
>>>> --
>>>> gter list https://eng.registro.br/mailman/listinfo/gter
>>>>
>>>>
--
Samir Patrice
Network Analyst
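As an added example, not code from the thread or from registro.br: the script below re-derives offline what Fred's root.key and the dig output show. It parses the two root DNSKEY records exactly as pasted in the root.key above, computes each key's RFC 4034 key tag (which should come out as 19036 and 20326, the ids written in the file) and its SHA-256 DS digest per RFC 4034 section 5.1.4, and compares the digests with the DS records IANA publishes in root-anchors.xml (RFC 7958). The IANA_ROOT_DS values are assumed here to be the published digests for KSK-2010 and KSK-2017; the function names are the example's own.

```python
"""Check the two root KSKs against the IANA trust anchors (added example).

Computes the RFC 4034 Appendix B key tag and the RFC 4034 5.1.4 DS digest
(SHA-256) for each DNSKEY line and compares with the DS digests from IANA's
root-anchors.xml (RFC 7958). The DNSKEY base64 is the material shown in the
root.key file quoted in the thread.
"""
import base64
import hashlib

# DNSKEY records as they appear in the root.key quoted in the thread.
ROOT_DNSKEYS = [
    ". 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=",
    ". 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=",
]

# DS digests (digest type 2 = SHA-256) keyed by key tag. Assumed here to be
# the values published by IANA in root-anchors.xml for KSK-2010 and KSK-2017;
# in practice fetch that file out of band and read the digests from it.
IANA_ROOT_DS = {
    19036: "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
    20326: "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
}


def parse_dnskey(line):
    """Split a presentation-format DNSKEY line (owner TTL class DNSKEY flags
    proto alg key...) into (owner, flags, protocol, algorithm, pubkey bytes).
    Base64 broken across several fields (e-mail wrapping) is rejoined."""
    fields = line.split()
    if len(fields) < 8 or fields[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[4:7])
    pubkey = base64.b64decode("".join(fields[7:]))
    return owner, flags, proto, alg, pubkey


def dnskey_rdata(flags, proto, alg, pubkey):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the full RDATA (algorithms != 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Wire-format owner name (lower-cased); the root is a single zero byte."""
    if name == ".":
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def ds_sha256(owner, rdata):
    """RFC 4034 section 5.1.4: digest = SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def check_trust_anchor(line):
    """Return (key_tag, is_ksk, matches_iana) for one DNSKEY line."""
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    tag = key_tag(rdata)
    is_ksk = (flags & 0x0101) == 0x0101  # ZONE (0x0100) + SEP (0x0001) = 257
    matches = IANA_ROOT_DS.get(tag) == ds_sha256(owner, rdata)
    return tag, is_ksk, matches


if __name__ == "__main__":
    for line in ROOT_DNSKEYS:
        tag, is_ksk, ok = check_trust_anchor(line)
        print("key tag %5d  KSK=%s  matches IANA DS: %s" % (tag, is_ksk, ok))
```

A mismatch on either key means the material in the trust-anchor file was mangled (line wrapping in e-mail is the usual cause) and must not be installed. Comparing against root-anchors.xml obtained out of band, as RFC 7958 describes, is what avoids trusting the very DNS answers the anchor is supposed to validate; a dig at the root servers, as in Fred's message, only confirms that the key you hold is the one the root is serving.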