[GTER] Root KSK Rollover - Reminder for Recursive Servers

ROBSON MENDES robsonzmendes at gmail.com
Thu Sep 21 21:45:10 -03 2017


Good evening. We use unbound, and we updated the key today, 21/09/2017;
it ended up with the message below.

cat /etc/unbound/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1506040741 ;;Thu Sep 21 21:39:01 2017
;;last_success: 1506040741 ;;Thu Sep 21 21:39:01 2017
;;next_probe_time: 1506083199 ;;Fri Sep 22 09:26:39 2017
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.       172800  IN      DNSKEY  257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=5
;;lastchange=1506040361 ;;Thu Sep 21 21:32:41 2017


.       172800  IN      DNSKEY  257 3 8
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0
;;lastchange=1496287914 ;;Thu Jun  1 00:31:54 2017

On 21 July 2017 at 16:52, Frederico A C Neves <fneves at registro.br>
wrote:

> Folks,
>
> Just a reminder about the root KSK rollover. On 11/7 the new key was
> added to the keyset. Those whose recursive DNS servers perform DNSSEC
> validation, and who already had or followed the recommendation from my
> presentation, should already have trust anchor files like the examples
> below.
>
> Note that both Bind and Unbound have already observed the new key
> (kid 20326) and placed it in ADDPEND (ADDPEND in Unbound and trust
> pending in Bind). The waiting period (Add Hold-Down Time) is 30
> days. Around 10/8 this state should be promoted to VALID and the new
> key will be ready for the rollover on 11/10.
>
> In short, those who already did what was recommended just need to make
> sure that after 14/8 the new key has been promoted to the valid state
> (VALID in Unbound and trusted since in Bind). Those who have not yet
> done so, or who run into problems, will still have approximately 60
> days after this acceptance period for the new key to adjust their
> configurations.
>
> It is important to stress that recursive DNS servers that perform
> DNSSEC validation and do not have the root keys properly configured
> will, from 11/10 onwards, cause unavailability for their users.
>
> Below are references to the presentation at GTER 42. If anyone has
> questions, we are available.
>
> Regards,
> Fred
>
> ftp://ftp.registro.br/pub/gter/gter42/10-RootKSKRoll.pdf
> https://www.youtube.com/watch?v=amolBhDr3zQ
>
> # Unbound
> ; autotrust trust anchor file
> ;;id: . 1
> ;;last_queried: 1500595980 ;;Thu Jul 20 21:13:00 2017
> ;;last_success: 1500595980 ;;Thu Jul 20 21:13:00 2017
> ;;next_probe_time: 1500638372 ;;Fri Jul 21 08:59:32 2017
> ;;query_failed: 0
> ;;query_interval: 43200
> ;;retry_time: 8640
> .       172800  IN      DNSKEY  257 3 8 AwEAAaz/
> tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/
> 4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnI
> DdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/
> EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsI
> XxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
> ;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=2
> ;;lastchange=1499975057 ;;Thu Jul 13 16:44:17 2017
> .       172800  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+
> 9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/
> RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/
> Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G
> 3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+
> ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id =
> 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0
> ;;lastchange=1443881271 ;;Sat Oct  3 11:07:51 2015
>
>
> # Bind
> # managed keys file
> $ORIGIN .
> $TTL 0  ; 0 seconds
> @                       IN SOA  . . (
>                                 102937     ; serial
>                                 0          ; refresh (0 seconds)
>                                 0          ; retry (0 seconds)
>                                 0          ; expire (0 seconds)
>                                 0          ; minimum (0 seconds)
>                                 )
>                         KEYDATA 20170722181421 20110906172836
> 19700101000000 257 3 8 (
>                                 AwEAAagAIKlVZrpC6Ia7gEzahOR+
> 9W29euxhJhVVLOyQ
>                                 bSEW0O8gcCjFFVQUTf6v58fLjwBd0Y
> I0EzrAcQqBGCzh
>                                 /RStIoO8g0NfnfL2MTJRkxoXbfDaUeV
> PQuYEhg37NZWA
>                                 JQ9VnMVDxP/VHL496M/QZxkjf5/
> Efucp2gaDX6RS6CXp
>                                 oY68LsvPVjR0ZSwzz1apAzvN9dlzEh
> eX7ICJBBtuA6G3
>                                 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6D
> oBQzgul0sGIcGO
>                                 Yl7OyQdXfZ57relSQageu+
> ipAdTTJ25AsRTAoub8ONGc
>                                 LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
>                                 ) ; KSK; alg = RSASHA256; key id = 19036
>                                 ; next refresh: Sat, 22 Jul 2017 18:14:21
> GMT
>                                 ; trusted since: Tue, 06 Sep 2011 17:28:36
> GMT
>                         KEYDATA 20170722181421 20170810184824
> 19700101000000 257 3 8 (
>                                 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMg
> JzkKTO
>                                 iW1vkIbzxeF3+/
> 4RgWOq7HrxRixHlFlExOLAJr5emLvN
>                                 7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnI
> DdD5
>                                 LKyWbRd2n9WGe2R8PzgCmr3EgVLrjy
> BxWezF0jLHwVN8
>                                 efS3rCj/EWgvIWgb9tarpVUDK/
> b58Da+sqqls3eNbuv7
>                                 pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsI
> XxuOLY
>                                 A4/ilBmSVIzuDWfdRUfhHdY6+
> cn8HFRm+2hM8AnXGXws
>                                 9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
>                                 ) ; KSK; alg = RSASHA256; key id = 20326
>                                 ; next refresh: Sat, 22 Jul 2017 18:14:21
> GMT
>                                 ; trust pending: Thu, 10 Aug 2017 18:48:24
> GMT
>
>
> % dig @f.root-servers.net . dnskey +dnssec +m
>
> ; <<>> DiG 9.9.9-P4 <<>> @f.root-servers.net . dnskey +dnssec +m
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10401
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;.                      IN DNSKEY
>
> ;; ANSWER SECTION:
> .                       172800 IN DNSKEY 257 3 8 (
>                                 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMg
> JzkKTO
>                                 iW1vkIbzxeF3+/
> 4RgWOq7HrxRixHlFlExOLAJr5emLvN
>                                 7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnI
> DdD5
>                                 LKyWbRd2n9WGe2R8PzgCmr3EgVLrjy
> BxWezF0jLHwVN8
>                                 efS3rCj/EWgvIWgb9tarpVUDK/
> b58Da+sqqls3eNbuv7
>                                 pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsI
> XxuOLY
>                                 A4/ilBmSVIzuDWfdRUfhHdY6+
> cn8HFRm+2hM8AnXGXws
>                                 9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
>                                 ) ; KSK; alg = RSASHA256 ; key id = 20326
> .                       172800 IN DNSKEY 256 3 8 (
>                                 AwEAAYvxrQOOujKdZz+37P+
> oL4l7e35/0diH/mZITGjl
>                                 p4f81ZGQK42HNxSfkiSahinPR3t0YQ
> hjC393NX4TorSi
>                                 TJy76TBWddNOkC/IaGqcb4erU+
> nQ75k2Lf0oIpA7qTCk
>                                 3UkzYBqhKDHHAr2UditE7uFLDcoX4n
> BLCoaH5FtfxhUq
>                                 yTlRu0RBXAEuKO+
> rORTFP0XgA5vlzVmXtwCkb9G8GknH
>                                 uO1jVAwu3syPRVHErIbaXs1+
> jahvWWL+Do4wd+lA+TL3
>                                 +pUk+zKTD2ncq7ZbJBZddo9T7PZjvntWJUz
> IHIMWZRFA
>                                 jpi+V7pgh0o1KYXZgDUbiA1s9oLAL1KLSdmoIYM=
>                                 ) ; ZSK; alg = RSASHA256 ; key id = 15768
> .                       172800 IN DNSKEY 257 3 8 (
>                                 AwEAAagAIKlVZrpC6Ia7gEzahOR+
> 9W29euxhJhVVLOyQ
>                                 bSEW0O8gcCjFFVQUTf6v58fLjwBd0Y
> I0EzrAcQqBGCzh
>                                 /RStIoO8g0NfnfL2MTJRkxoXbfDaUeV
> PQuYEhg37NZWA
>                                 JQ9VnMVDxP/VHL496M/QZxkjf5/
> Efucp2gaDX6RS6CXp
>                                 oY68LsvPVjR0ZSwzz1apAzvN9dlzEh
> eX7ICJBBtuA6G3
>                                 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6D
> oBQzgul0sGIcGO
>                                 Yl7OyQdXfZ57relSQageu+
> ipAdTTJ25AsRTAoub8ONGc
>                                 LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
>                                 ) ; KSK; alg = RSASHA256 ; key id = 19036
> .                       172800 IN RRSIG DNSKEY 8 0 172800 (
>                                 20170811000000 20170721000000 19036 .
>                                 kp0zHRYVgEY1Ki1usB2wm5VCVG+
> DkpANei5yEGsiHSUI
>                                 gpBsLHMCtzz3ztmmgPIJmcJZyq49Zc
> Mg02MpZ2EHwIgq
>                                 xqzyb3rX7KYwWHowjmdZz8c0hSIN99
> c6tVwfiTHstLbS
>                                 /6ya1FF1r4J6h2LZh+
> SeetZHw32Af1AP4DjGUEwufS2W
>                                 KQOxp0IGpM9dITuZuuGFK+
> gB8t2CQniDJ90FUrmltWjf
>                                 L7tYGfUcRNPMlIVgO4gLtRlV1ysm+
> iHAptF9zrWUjUex
>                                 2lDvOKt+O40AyzSWaeiFJCPhrtOT0tt4i8h7Pj
> lBm+Wm
>                                 kO0ZLn0rJasJnE4ww6o8zcxGubyJrCMHjA== )
>
> ;; Query time: 0 msec
> ;; SERVER: 2001:500:2f::f#53(2001:500:2f::f)
> ;; WHEN: Fri Jul 21 16:37:27 BRT 2017
> ;; MSG SIZE  rcvd: 1139
> --
> gter list    https://eng.registro.br/mailman/listinfo/gter
>



-- 
Robson Mendes de Souza
Network Analyst
TEL.: (38)999980369
EMAIL.: robsonzmendes at gmail.com | robson.mendes at inovanet.net.br
AS263453
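As an added example (not code from either post), a small Python checker that reads an unbound autotrust root.key file in the layout pasted above and, for each KSK, reports whether it is already VALID or, for an ADDPEND key, the earliest time the 30-day add hold-down quoted in the thread could promote it, compared against the 11/10 rollover date from the thread. The sample file is constructed with placeholder key material and the first post's state timestamps; the function and constant names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the layout of unbound's autotrust root.key; the
# key material is a placeholder, only the state bookkeeping matters here.
SAMPLE_ROOT_KEY = """\
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1506040741 ;;Thu Sep 21 21:39:01 2017
.       172800  IN      DNSKEY  257 3 8 AwEAAaz/PLACEHOLDER==
;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=5
;;lastchange=1506040361 ;;Thu Sep 21 21:32:41 2017
.       172800  IN      DNSKEY  257 3 8 AwEAAagAPLACEHOLDER==
;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0
;;lastchange=1496287914 ;;Thu Jun  1 00:31:54 2017
"""

ADD_HOLDDOWN = timedelta(days=30)  # RFC 5011 add hold-down, as quoted in the thread
ROLLOVER_DATE = datetime(2017, 10, 11, tzinfo=timezone.utc)  # date given in the thread

KEY_RE = re.compile(r";\{id = (\d+) \((\w+)\).*?;;state=\d+ \[\s*(\w+)\s*\] ;;count=(\d+)")
CHANGE_RE = re.compile(r";;lastchange=(\d+)")

def parse_autotrust(text):
    """Return one dict per anchor: keytag, kind, state name, probe count, lastchange (UTC)."""
    anchors, current = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = {"keytag": int(m.group(1)), "kind": m.group(2),
                       "state": m.group(3), "count": int(m.group(4))}
            anchors.append(current)
        elif current is not None and (m := CHANGE_RE.match(line)):
            # lastchange is when the key entered its current state; for an
            # ADDPEND key that is the start of the hold-down timer
            current["lastchange"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return anchors

def check_rollover_readiness(text, rollover=ROLLOVER_DATE):
    """Map keytag -> (state, earliest VALID time or None, usable before the rollover?)."""
    report = {}
    for a in parse_autotrust(text):
        if a["state"] == "VALID":
            report[a["keytag"]] = ("VALID", None, True)
        elif a["state"] == "ADDPEND" and "lastchange" in a:
            promote_at = a["lastchange"] + ADD_HOLDDOWN  # earliest promotion to VALID
            report[a["keytag"]] = ("ADDPEND", promote_at, promote_at < rollover)
        else:
            report[a["keytag"]] = (a["state"], None, False)
    return report
```

With the 21 Sep lastchange from the first post, the pending key's hold-down ends on 22 Oct 2017 UTC, after the 11/10 date given in the thread. The computed time is a lower bound, since unbound also requires the key to have been seen in a minimum number of probes (the count field) before promoting it.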


