Re: DNSSEC

Mark Andrews <marka@isc.org> Wed, 01 September 2010 01:05 UTC

To: Phillip Hallam-Baker <hallam@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <20100831143617.GI5233@amsl.com><AANLkTinwMO6Sw-rvfrax-_VNN8x1kejc9iAkrNQGBf2v@mail.gmail.com>
Subject: Re: DNSSEC
In-reply-to: Your message of "Tue, 31 Aug 2010 11:02:57 -0400." <AANLkTinwMO6Sw-rvfrax-_VNN8x1kejc9iAkrNQGBf2v@mail.gmail.com>
Date: Wed, 01 Sep 2010 11:05:47 +1000
Message-Id: <20100901010548.199C93F9FCE@drugs.dv.isc.org>
Cc: ietf@ietf.org, "Glen Barney (AMS)" <glen@amsl.com>

In message <AANLkTinwMO6Sw-rvfrax-_VNN8x1kejc9iAkrNQGBf2v@mail.gmail.com>, Phillip Hallam-Baker writes:
> Whether or not the IAB zone is signed is of negligible consequence.
> 
> But the fact that the IAB zone signatures had expired is a highly
> significant data point: DNSSEC administration is not quite as easy as
> some of the glib claims of its more enthusiastic supporters would lead
> one to believe.

It's more a matter of choosing the right tools.  I've got signed
zones that haven't been hand signed in 3 years using a 2 month
signature validity interval.  The nameserver just re-signs the
records as they fall due.  That's several thousand automatic updates
of the zones in that period.  Yes, I've changed the non-DNSSEC
content of the zones in that time.

This isn't a protocol issue.  It's a tools issue and DNSSEC tools
from all vendors are improving.

It's also extremely easy to construct tools that can warn you to
re-sign if you are doing it by hand.  You could replace awk with
perl and have a cross platform tool.  Such tools can easily be
added to network management platforms as they are just small
scripts.  If you don't have a network management platform use
cron.

e.g.

% dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print }' WARN=`date -u -v +7d +%Y%m%d%H%M%S`
%

% dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print }' WARN=`date -u -v +1m +%Y%m%d%H%M%S`
bind9-test-8.dv.isc.org. 86400	IN	RRSIG	NSEC 5 4 86400 20100929190221 20100731184853 14436 dv.isc.org. 2jHCGeJqH23dO0RV48Uqqp2hXIl1wp3kIslqmdz686uaCNz3WZZUhKzX EH+8iKc6QQWMZhFzhJoqruiTO6RyIA==
BRNEE8E63.dv.isc.org.	1800	IN	RRSIG	A 5 4 1800 20100929190221 20100731184853 14436 dv.isc.org. ZhD6uAbGQYDWJ6rob9iyvRNWZ7Tod1as4WEtPV8C+mLF8aJbakwp/76/ f7r7jz/fQOtIMQ/NjXBRT7O4507gIA==
BRNEE8E63.dv.isc.org.	1800	IN	RRSIG	TXT 5 4 1800 20100929190221 20100731184853 14436 dv.isc.org. Xl3nk8lf2exwGGy2iI2BxVjXO3emvI+8GRmkj+vi7n8rddmP6oJRqPGZ wmNoZVxMN9XMTghly6w6Cmj8aNAILQ==
BRNEE8E63.dv.isc.org.	86400	IN	RRSIG	NSEC 5 4 86400 20100929190221 20100731184853 14436 dv.isc.org. JUR1M8GmlFFYF73v6oh+bdwYuKK0YBMe7b4mDsMBs1bdBqHB52KUZ8eS KNCRD3GTp8VzwxB1TGmuIq+dGr57lQ==
% 

With a minor change it will print out just the zone.

% dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print "WARNING:", $12, "needs re-signing" ; exit }' WARN=`date -u -v +1m +%Y%m%d%H%M%S`
WARNING: dv.isc.org. needs re-signing
% 

Wrap it in a while loop and you can do all your zones.  The getline
is so we don't generate error messages in the nameserver logs by
causing the axfr to be aborted.

#!/bin/sh -f
# Warn about any RRSIG that expires within the next 7 days.
# Reads "zone server" pairs, one per line, on stdin.
WARN=`date -u -v +7d +%Y%m%d%H%M%S`
while read zone server
do
	dig axfr "$zone" "@$server" | \
	awk '$4 == "RRSIG" && $9 < WARN {
		# $9 is the RRSIG expiration (YYYYMMDDHHmmSS), $12 the signer name.
		print "WARNING:", $12, "needs re-signing."
		# Drain the rest of the transfer so the server does not log an aborted AXFR.
		while (getline) ;
	    }' WARN="$WARN"
done

Mark

> On Tue, Aug 31, 2010 at 10:36 AM, Glen Barney (AMS) <glen@amsl.com> wrote:
> > Community -
> >
> > The DNS zone files have been re-signed, and we will look into alternatives to
> > the original DNSSEC tools that were in use (which seem to be broken.)
> >
> > And just a reminder that, while posting complaints to this list might feel
> > more therapeutic, the secretariat has an address set up for trouble reports,
> > which is ietf-action@ietf.org .  Sending complaints to that address will
> > generally get much faster results.
> >
> > Thank you!
> >
> > Glen
> > Glen Barney
> > IT Director
> > AMS (IETF Secretariat)
> >
> > _______________________________________________
> > Ietf mailing list
> > Ietf@ietf.org
> > https://www.ietf.org/mailman/listinfo/ietf
> >
> 
> 
> 
> -- 
> 
> Website: http://hallambaker.com/
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
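Added example, not from the original mail or from ISC: the same RRSIG expiry check written in Python instead of awk, so it runs on any platform and separates already-expired signatures from ones about to expire. The sample transfer, the example.test. zone and the key tag are constructed; the field positions follow RFC 4034 presentation format as printed by dig.

```python
"""Flag DNSSEC RRSIG records that have expired or are about to.

Input is what `dig axfr` prints, i.e. RFC 4034 presentation format:
owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig...
"""
from datetime import datetime, timedelta, timezone

# Constructed sample transfer; the signature fields are placeholders, not real data.
SAMPLE_AXFR = """\
example.test.      3600  IN SOA   ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600
example.test.      3600  IN RRSIG SOA 8 2 3600 20100915120000 20100816120000 14436 example.test. AAAA==
www.example.test.  1800  IN RRSIG A 8 3 1800 20100831120000 20100801120000 14436 example.test. AAAA==
www.example.test.  1800  IN A     192.0.2.10
example.test.      86400 IN RRSIG NSEC 8 2 86400 20101031120000 20100901120000 14436 example.test. AAAA==
"""
# Roughly when the original mail was sent; used as "now" for the sample run.
MAIL_TIME = datetime(2010, 9, 1, 1, 5, tzinfo=timezone.utc)


def parse_rrsig(line):
    """Return the fields of one RRSIG record, or None for any other line."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        return None
    # Positions match the awk one-liner: awk $9 is f[8], awk $12 is f[11].
    # RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    to_time = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"owner": f[0], "type": f[4], "expiration": to_time(f[8]),
            "inception": to_time(f[9]), "keytag": int(f[10]), "signer": f[11]}


def check_signatures(axfr_text, now, warn_days=7):
    """Sort every RRSIG into 'expired', 'expiring' (within warn_days) or 'ok'."""
    result = {"expired": [], "expiring": [], "ok": []}
    for line in axfr_text.splitlines():
        sig = parse_rrsig(line)
        if sig is None:
            continue
        if sig["expiration"] <= now:
            result["expired"].append(sig)
        elif sig["expiration"] <= now + timedelta(days=warn_days):
            result["expiring"].append(sig)
        else:
            result["ok"].append(sig)
    return result


def zones_needing_resign(axfr_text, now, warn_days=7):
    """Same answer as the awk version: signer names with any expired or expiring RRSIG."""
    r = check_signatures(axfr_text, now, warn_days)
    return sorted({s["signer"] for s in r["expired"] + r["expiring"]})
```

In a cron job, feed it the output of `dig axfr zone @server` and pass `datetime.now(timezone.utc)` as `now`.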