[GTER] Root KSK Rollover - Reminder for Recursive Servers

Frederico A C Neves fneves at registro.br
Fri Sep 22 14:55:50 -03 2017


Robson,

Using the automatic rollover procedure, with the protocol described in
RFC 5011, depends on the new key having been observed for a minimum
period of 30 days. If you started the process yesterday, there is no
longer time for this method.

I recommend that you stop the resolver, replace the contents of this
file with the information below, already in the VALID state, and
restart the service.

Cheers,
Fred

% cat /usr/local/etc/unbound/root.key
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1506091788 ;;Fri Sep 22 11:49:48 2017
;;last_success: 1506091788 ;;Fri Sep 22 11:49:48 2017
;;next_probe_time: 1506134384 ;;Fri Sep 22 23:39:44 2017
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1443881271 ;;Sat Oct  3 11:07:51 2015
.	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1502603398 ;;Sun Aug 13 02:49:58 2017
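The check Fred applies by eye above, written out as an added example (not code from either message): parse an unbound autotrust file, recompute each key tag per RFC 4034 Appendix B to confirm the key material really belongs to ids 19036 and 20326, and decide whether an ADDPEND anchor can reach VALID before the 11 October rollover under the 30-day RFC 5011 add hold-down. The sample file is Robson's as posted; the 30-day constant, the rollover date and the treatment of lastchange as epoch seconds are assumptions taken from the thread.

```python
import base64, re, struct
from datetime import datetime, timedelta, timezone
# Constructed sample: the two DNSKEY lines from Robson's unbound root.key as posted
# in the thread, re-joined onto one line each (unbound writes one line per key).
KSK_2010 = "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
KSK_2017 = "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
SAMPLE_ROOT_KEY = (
    "; autotrust trust anchor file\n"
    ".\t172800\tIN\tDNSKEY\t257 3 8 " + KSK_2017 + " ;{id = 20326 (ksk), size = 2048b}"
    " ;;state=1 [ ADDPEND ] ;;count=5 ;;lastchange=1506040361 ;;Thu Sep 21 21:32:41 2017\n"
    ".\t172800\tIN\tDNSKEY\t257 3 8 " + KSK_2010 + " ;{id = 19036 (ksk), size = 2048b}"
    " ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1496287914 ;;Thu Jun  1 00:31:54 2017\n"
)
ADD_HOLD_DOWN = timedelta(days=30)                      # RFC 5011 add hold-down time (assumed)
ROLLOVER = datetime(2017, 10, 11, tzinfo=timezone.utc)  # rollover date given in the thread
LINE_RE = re.compile(r"^\.\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+;\{id = (\d+)"
                     r".*?;;state=\d \[\s*(\w+)\s*\].*?;;lastchange=(\d+)")

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA wire format (flags, proto, alg, key)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_anchors(text):
    """One dict per anchor: the id unbound recorded, the recomputed tag, state and lastchange."""
    anchors = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flags, proto, alg, key, claimed, state, lastchange = m.groups()
            anchors.append({"claimed_id": int(claimed), "state": state,
                            "computed_id": key_tag(int(flags), int(proto), int(alg), key),
                            "lastchange": datetime.fromtimestamp(int(lastchange), tz=timezone.utc)})
    return anchors

def assess(anchors, rollover=ROLLOVER):
    """Key id -> verdict: will this anchor be trusted by the rollover under RFC 5011 timing?"""
    verdicts = {}
    for a in anchors:
        if a["computed_id"] != a["claimed_id"]:
            verdicts[a["claimed_id"]] = "key tag mismatch: key material does not match the id"
        elif a["state"] == "VALID":
            verdicts[a["claimed_id"]] = "VALID: usable for the %s rollover" % rollover.date()
        else:  # ADDPEND: becomes VALID only after the 30-day hold-down has elapsed
            promoted = a["lastchange"] + ADD_HOLD_DOWN
            verdicts[a["claimed_id"]] = "%s: promotion to VALID expected %s, %s" % (
                a["state"], promoted.date(),
                "in time" if promoted <= rollover else "too late; install the VALID anchor manually")
    return verdicts
```

Run against Robson's file, 20326 comes out as promoted on 2017-10-22, eleven days after the rollover, which is exactly why Fred tells him to install the already-VALID anchor by hand.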


On Thu, Sep 21, 2017 at 09:45:10PM -0300, ROBSON MENDES wrote:
> Good evening. We use unbound and updated the key today, 21/09/2017;
> it ended up with the message below.
> 
> cat /etc/unbound/root.key
> ; autotrust trust anchor file
> ;;id: . 1
> ;;last_queried: 1506040741 ;;Thu Sep 21 21:39:01 2017
> ;;last_success: 1506040741 ;;Thu Sep 21 21:39:01 2017
> ;;next_probe_time: 1506083199 ;;Fri Sep 22 09:26:39 2017
> ;;query_failed: 0
> ;;query_interval: 43200
> ;;retry_time: 8640
> .       172800  IN      DNSKEY  257 3 8
> AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
> ;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=5
> ;;lastchange=1506040361 ;;Thu Sep 21 21:32:41 2017
> 
> 
> .       172800  IN      DNSKEY  257 3 8
> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
> ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0
> ;;lastchange=1496287914 ;;Thu Jun  1 00:31:54 2017
> 
> On 21 July 2017 at 16:52, Frederico A C Neves <fneves at registro.br>
> wrote:
> 
> > Folks,
> >
> > Just a reminder about the root KSK Rollover. On 11/7 the new key was
> > added to the keyset. Those who run DNSSEC-validating recursive DNS
> > servers, and who already had or followed the recommendation from my
> > presentation, should already have trust anchor files like the
> > examples below.
> >
> > You can see that both Bind and Unbound have already observed the new
> > key (kid 20326) and placed it in ADDPEND (ADDPEND in Unbound, trust
> > pending in Bind). The waiting period (Add Hold-Down Time) is 30
> > days. Around 10/8 this state should be promoted to VALID and the new
> > key will be ready for the rollover on 11/10.
> >
> > In short, those who have already done what was recommended just need
> > to make sure that after 14/8 the new key has been promoted to the
> > valid state (VALID in Unbound, trusted since in Bind). Those who have
> > not yet done so, or who run into problems, will still have roughly
> > 60 days after this acceptance period for the new key to adjust their
> > configurations.
> >
> > It is important to stress that recursive DNS servers that perform
> > DNSSEC validation and do not have the root keys properly configured
> > will, from 11/10 on, cause an outage for their users.
> >
> > Below are references to the presentation at GTER 42. If anyone has
> > questions, we are available.
> >
> > Cheers,
> > Fred
> >
> > ftp://ftp.registro.br/pub/gter/gter42/10-RootKSKRoll.pdf
> > https://www.youtube.com/watch?v=amolBhDr3zQ
> >
> > # Unbound
> > ; autotrust trust anchor file
> > ;;id: . 1
> > ;;last_queried: 1500595980 ;;Thu Jul 20 21:13:00 2017
> > ;;last_success: 1500595980 ;;Thu Jul 20 21:13:00 2017
> > ;;next_probe_time: 1500638372 ;;Fri Jul 21 08:59:32 2017
> > ;;query_failed: 0
> > ;;query_interval: 43200
> > ;;retry_time: 8640
> > .       172800  IN      DNSKEY  257 3 8 AwEAAaz/
> > tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/
> > 4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnI
> > DdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/
> > EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsI
> > XxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
> > ;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=2
> > ;;lastchange=1499975057 ;;Thu Jul 13 16:44:17 2017
> > .       172800  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+
> > 9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/
> > RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/
> > Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G
> > 3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+
> > ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id =
> > 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0
> > ;;lastchange=1443881271 ;;Sat Oct  3 11:07:51 2015
> >
> >
> > # Bind
> > # managed keys file
> > $ORIGIN .
> > $TTL 0  ; 0 seconds
> > @                       IN SOA  . . (
> >                                 102937     ; serial
> >                                 0          ; refresh (0 seconds)
> >                                 0          ; retry (0 seconds)
> >                                 0          ; expire (0 seconds)
> >                                 0          ; minimum (0 seconds)
> >                                 )
> >                         KEYDATA 20170722181421 20110906172836
> > 19700101000000 257 3 8 (
> >                                 AwEAAagAIKlVZrpC6Ia7gEzahOR+
> > 9W29euxhJhVVLOyQ
> >                                 bSEW0O8gcCjFFVQUTf6v58fLjwBd0Y
> > I0EzrAcQqBGCzh
> >                                 /RStIoO8g0NfnfL2MTJRkxoXbfDaUeV
> > PQuYEhg37NZWA
> >                                 JQ9VnMVDxP/VHL496M/QZxkjf5/
> > Efucp2gaDX6RS6CXp
> >                                 oY68LsvPVjR0ZSwzz1apAzvN9dlzEh
> > eX7ICJBBtuA6G3
> >                                 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6D
> > oBQzgul0sGIcGO
> >                                 Yl7OyQdXfZ57relSQageu+
> > ipAdTTJ25AsRTAoub8ONGc
> >                                 LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
> >                                 ) ; KSK; alg = RSASHA256; key id = 19036
> >                                 ; next refresh: Sat, 22 Jul 2017 18:14:21
> > GMT
> >                                 ; trusted since: Tue, 06 Sep 2011 17:28:36
> > GMT
> >                         KEYDATA 20170722181421 20170810184824
> > 19700101000000 257 3 8 (
> >                                 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMg
> > JzkKTO
> >                                 iW1vkIbzxeF3+/
> > 4RgWOq7HrxRixHlFlExOLAJr5emLvN
> >                                 7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnI
> > DdD5
> >                                 LKyWbRd2n9WGe2R8PzgCmr3EgVLrjy
> > BxWezF0jLHwVN8
> >                                 efS3rCj/EWgvIWgb9tarpVUDK/
> > b58Da+sqqls3eNbuv7
> >                                 pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsI
> > XxuOLY
> >                                 A4/ilBmSVIzuDWfdRUfhHdY6+
> > cn8HFRm+2hM8AnXGXws
> >                                 9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
> >                                 ) ; KSK; alg = RSASHA256; key id = 20326
> >                                 ; next refresh: Sat, 22 Jul 2017 18:14:21
> > GMT
> >                                 ; trust pending: Thu, 10 Aug 2017 18:48:24
> > GMT
> >
> >
> > % dig @f.root-servers.net . dnskey +dnssec +m
> >
> > ; <<>> DiG 9.9.9-P4 <<>> @f.root-servers.net . dnskey +dnssec +m
> > ; (2 servers found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10401
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> > ;; WARNING: recursion requested but not available
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 4096
> > ;; QUESTION SECTION:
> > ;.                      IN DNSKEY
> >
> > ;; ANSWER SECTION:
> > .                       172800 IN DNSKEY 257 3 8 (
> >                                 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMg
> > JzkKTO
> >                                 iW1vkIbzxeF3+/
> > 4RgWOq7HrxRixHlFlExOLAJr5emLvN
> >                                 7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnI
> > DdD5
> >                                 LKyWbRd2n9WGe2R8PzgCmr3EgVLrjy
> > BxWezF0jLHwVN8
> >                                 efS3rCj/EWgvIWgb9tarpVUDK/
> > b58Da+sqqls3eNbuv7
> >                                 pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsI
> > XxuOLY
> >                                 A4/ilBmSVIzuDWfdRUfhHdY6+
> > cn8HFRm+2hM8AnXGXws
> >                                 9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
> >                                 ) ; KSK; alg = RSASHA256 ; key id = 20326
> > .                       172800 IN DNSKEY 256 3 8 (
> >                                 AwEAAYvxrQOOujKdZz+37P+
> > oL4l7e35/0diH/mZITGjl
> >                                 p4f81ZGQK42HNxSfkiSahinPR3t0YQ
> > hjC393NX4TorSi
> >                                 TJy76TBWddNOkC/IaGqcb4erU+
> > nQ75k2Lf0oIpA7qTCk
> >                                 3UkzYBqhKDHHAr2UditE7uFLDcoX4n
> > BLCoaH5FtfxhUq
> >                                 yTlRu0RBXAEuKO+
> > rORTFP0XgA5vlzVmXtwCkb9G8GknH
> >                                 uO1jVAwu3syPRVHErIbaXs1+
> > jahvWWL+Do4wd+lA+TL3
> >                                 +pUk+zKTD2ncq7ZbJBZddo9T7PZjvntWJUz
> > IHIMWZRFA
> >                                 jpi+V7pgh0o1KYXZgDUbiA1s9oLAL1KLSdmoIYM=
> >                                 ) ; ZSK; alg = RSASHA256 ; key id = 15768
> > .                       172800 IN DNSKEY 257 3 8 (
> >                                 AwEAAagAIKlVZrpC6Ia7gEzahOR+
> > 9W29euxhJhVVLOyQ
> >                                 bSEW0O8gcCjFFVQUTf6v58fLjwBd0Y
> > I0EzrAcQqBGCzh
> >                                 /RStIoO8g0NfnfL2MTJRkxoXbfDaUeV
> > PQuYEhg37NZWA
> >                                 JQ9VnMVDxP/VHL496M/QZxkjf5/
> > Efucp2gaDX6RS6CXp
> >                                 oY68LsvPVjR0ZSwzz1apAzvN9dlzEh
> > eX7ICJBBtuA6G3
> >                                 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6D
> > oBQzgul0sGIcGO
> >                                 Yl7OyQdXfZ57relSQageu+
> > ipAdTTJ25AsRTAoub8ONGc
> >                                 LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
> >                                 ) ; KSK; alg = RSASHA256 ; key id = 19036
> > .                       172800 IN RRSIG DNSKEY 8 0 172800 (
> >                                 20170811000000 20170721000000 19036 .
> >                                 kp0zHRYVgEY1Ki1usB2wm5VCVG+
> > DkpANei5yEGsiHSUI
> >                                 gpBsLHMCtzz3ztmmgPIJmcJZyq49Zc
> > Mg02MpZ2EHwIgq
> >                                 xqzyb3rX7KYwWHowjmdZz8c0hSIN99
> > c6tVwfiTHstLbS
> >                                 /6ya1FF1r4J6h2LZh+
> > SeetZHw32Af1AP4DjGUEwufS2W
> >                                 KQOxp0IGpM9dITuZuuGFK+
> > gB8t2CQniDJ90FUrmltWjf
> >                                 L7tYGfUcRNPMlIVgO4gLtRlV1ysm+
> > iHAptF9zrWUjUex
> >                                 2lDvOKt+O40AyzSWaeiFJCPhrtOT0tt4i8h7Pj
> > lBm+Wm
> >                                 kO0ZLn0rJasJnE4ww6o8zcxGubyJrCMHjA== )
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 2001:500:2f::f#53(2001:500:2f::f)
> > ;; WHEN: Fri Jul 21 16:37:27 BRT 2017
> > ;; MSG SIZE  rcvd: 1139
> > --
> > gter list    https://eng.registro.br/mailman/listinfo/gter
> >
> 
> 
> 
> -- 
> Robson Mendes de Souza
> Network Analyst
> TEL.: (38)999980369
> EMAIL.: robsonzmendes at gmail.com | robson.mendes at inovanet.net.br
> AS263453
