Re: snarls in real life

ned+ietf@mauve.mrochek.com Thu, 22 April 2021 01:18 UTC

From: ned+ietf@mauve.mrochek.com
Cc: ietf@ietf.org
Message-id: <01RY54LEXW560085YQ@mauve.mrochek.com>
Date: Wed, 21 Apr 2021 17:10:16 -0700
Subject: Re: snarls in real life
In-reply-to: "Your message dated Thu, 22 Apr 2021 10:00:58 +1000" <efacee7c-bb7d-4861-9037-4c122d3e28ca@dogfood.fastmail.com>
References: <93fedaa0-5ad0-dcc0-ff01-43b8e1c97989@mtcc.com> <19f2b2e1-6365-480a-86f2-111377cac2de@www.fastmail.com> <7c77e401-4703-3921-d15d-6d69b74df488@mtcc.com> <914f3492-d56b-40ca-b7e0-bbbc65603dfa@dogfood.fastmail.com> <YIC5jFjv/Q7ehujw@straasha.imrryr.org> <efacee7c-bb7d-4861-9037-4c122d3e28ca@dogfood.fastmail.com>
To: Bron Gondwana <brong@fastmailteam.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/41pAug7jEMgk3T-bsVmieWKP4sI>

> On Thu, Apr 22, 2021, at 09:47, Viktor Dukhovni wrote:
> > My domain has been signed since 2014 without any disruptions, with just
> > a modest monitoring script that has alerted me to pending expiration
> > (automated re-signing wasn't kicking in) a couple of times, well before
> > the signatures expired.  The bugs that resulted in resigning not
> > happening have been fixed for some time, and I don't have to expend any
> > energy to keep DNSSEC running, it just works.

> That's you - you're an expert in this field.  Most people aren't.  And yet -
> as you mention, you had a bug with automated re-signing failing and had to add
> monitoring.

Once the DNSSEC support in Bind got to the point where it was able to handle
most (but not all) expiration issues automatically, I decided to give DNSSEC a
try.

It's simple enough to configure it for basic domains, but I have a split-horizon
setup, and that complicated things quite a bit.

Another problem was that a long time back I took advantage of an absurdly low
promotional price from a registrar that didn't (and AFAIK still doesn't) support
DNSSEC. I opted to eat the cost for a couple of domains and migrated to a
registrar that did (always a royal pain). I finally migrated the last of them
mid-2020.

However, in the process I managed to make a cut-and-paste error and ended up
with one valid and one invalid DS record for one of my infrequently-used
domains. Which was noticed by exactly nothing, including the DNSSEC testing tool
I happened to use to validate my setup.

Some time later I got a problem report from IANA. It seems that IANA has DNSSEC
checking enabled on their mail server, I assume because they have enabled DANE
(although this was never 100% clear), and I happened to have used this domain
for an internal list forwarding address. Unfortunately the error message IANA
was seeing was misleading, so it took a bit of time to track down.

And I still have work to do because Bind has added a number of options that I
need to set, but before that can happen I need to upgrade Bind, and before that
can happen I need to upgrade some other stuff.

All this is for a total of 9 domains - a toy setup by any measure.

I know a little (but not a lot) about the DNS infrastructure at Oracle, and the
cost and complexity of migrating it to DNSSEC would be staggering.

				Ned
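The two failure modes in this message (a mistyped DS record at the parent that no tool flagged, and re-signing silently not happening so signatures approach expiry) are both catchable with a small offline check. The following is an added example, not code from Ned or from the thread: it recomputes DS records from a zone's DNSKEY RRset using the RFC 4034 arithmetic and compares them with the DS set published at the parent, then classifies an RRSIG by its Signature Expiration field. The zone name "example.net", the key bytes and the DS records are all constructed for illustration; in practice the DNSKEY and DS inputs would come from queries to the child and parent zones.

```python
"""DS / DNSKEY consistency and RRSIG expiry checks, computed offline per RFC 4034.

Added example (not from the thread): every key and DS record below is constructed
for illustration, and the zone name "example.net" is hypothetical.
"""
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B), valid for every algorithm except RSA/MD5 (1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for_key(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS RDATA (key tag, algorithm, digest type, hex digest) for one DNSKEY.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](canonical_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def audit_ds(owner, dnskeys, parent_ds):
    """Compare the DS set published at the parent with the child's DNSKEY RRset.

    Returns (valid, stale, unpublished):
      valid       - DS records that match a key currently in the zone
      stale       - DS records matching no key (a typo, or a rollover leftover)
      unpublished - key tags of SEP-flagged keys (KSKs) with no matching DS
    """
    valid, stale = [], []
    for tag, alg, dtype, digest in parent_ds:
        ds = (tag, alg, dtype, digest.lower())
        # An unsupported digest type cannot be verified here, so it is reported as stale.
        matched = dtype in DIGESTS and any(
            ds_for_key(owner, f, p, a, k, dtype) == ds for f, p, a, k in dnskeys
        )
        (valid if matched else stale).append(ds)
    covered = {ds[0] for ds in valid}
    unpublished = [
        key_tag(dnskey_rdata(f, p, a, k))
        for f, p, a, k in dnskeys
        if f & 0x0001 and key_tag(dnskey_rdata(f, p, a, k)) not in covered  # SEP bit set
    ]
    return valid, stale, unpublished


def signature_status(expiration: str, now: datetime, warn_days: int = 7) -> str:
    """Classify an RRSIG by its Signature Expiration field (YYYYMMDDHHmmSS, UTC)."""
    expires = datetime.strptime(expiration, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if expires <= now:
        return "expired"
    if expires - now < timedelta(days=warn_days):
        return "expiring"
    return "ok"


def run_example():
    """Constructed scenario: one correct DS and one with a single mistyped hex digit."""
    owner = "example.net."
    ksk = (257, 3, 13, b"\x01\x02\x03\x04")   # SEP flag set; key bytes are made up
    zsk = (256, 3, 13, b"\x05\x06\x07\x08")   # zone-signing key, needs no DS
    good = ds_for_key(owner, *ksk)
    last = good[3][-1]
    typo = good[:3] + (good[3][:-1] + ("1" if last == "0" else "0"),)
    valid, stale, unpublished = audit_ds(owner, [ksk, zsk], [good, typo])
    now = datetime(2021, 4, 21, 0, 0, tzinfo=timezone.utc)  # constructed "current" time
    expirations = ("20210401000000", "20210423000000", "20210601000000")
    return {
        "valid": valid,
        "stale": stale,
        "unpublished": unpublished,
        "rrsig": {e: signature_status(e, now) for e in expirations},
    }


if __name__ == "__main__":
    for label, value in run_example().items():
        print(f"{label}: {value}")
```

Run periodically against the live DNSKEY and DS RRsets, the stale list is the alarm for the cut-and-paste mistake described above, and the expiring status is the early warning Viktor's monitoring script gives when automated re-signing does not kick in. The key tag alone is not enough to prove a match, since tags collide; the digest comparison is what settles it.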