Re: DNSSEC
Phillip Hallam-Baker <hallam@gmail.com> Wed, 01 September 2010 03:41 UTC
In-Reply-To: <20100901010548.199C93F9FCE@drugs.dv.isc.org>
References: <20100831143617.GI5233@amsl.com> <AANLkTinwMO6Sw-rvfrax-_VNN8x1kejc9iAkrNQGBf2v@mail.gmail.com> <20100901010548.199C93F9FCE@drugs.dv.isc.org>
Date: Tue, 31 Aug 2010 23:40:56 -0400
Message-ID: <AANLkTi=bOP9ojnggoo7Xx1j2XvgGazT92+myu8KPq+23@mail.gmail.com>
Subject: Re: DNSSEC
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: ietf@ietf.org, "Glen Barney (AMS)" <glen@amsl.com>
Or it is a matter of the readers of this list perhaps recognizing a
business opportunity and helping the 98% of net users who are less
technically sophisticated in a variety of ways...

Understanding what a DNS TTL is means that a Web site operator has
distinctly above average skill.

On Tue, Aug 31, 2010 at 9:05 PM, Mark Andrews <marka@isc.org> wrote:
>
> In message <AANLkTinwMO6Sw-rvfrax-_VNN8x1kejc9iAkrNQGBf2v@mail.gmail.com>, Phillip Hallam-Baker writes:
>> Whether or not the IAB zone is signed is of negligible consequence.
>>
>> But the fact that the IAB zone signatures had expired is a highly
>> significant data point: DNSSEC administration is not quite as easy as
>> some of the glib claims of its more enthusiastic supporters would lead
>> one to believe.
>
> It's more a matter of choosing the right tools. I've got signed
> zones that haven't been hand signed in 3 years using a 2 month
> signature validity interval. The nameserver just re-signs the
> records as they fall due. That's several thousand automatic updates
> of the zones in that period. Yes, I've changed the non DNSSEC
> content of the zones in that time.
>
> This isn't a protocol issue. It's a tools issue and DNSSEC tools
> from all vendors are improving.
>
> It's also extremely easy to construct tools that can warn you to
> re-sign if you are doing it by hand. You could replace awk with
> perl and have a cross platform tool. Such tools can easily be
> added to network management platforms as they are just small
> scripts. If you don't have a network management platform use
> cron.
>
> e.g.
>
> % dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print }' WARN=`date -u -v +7d +%Y%m%d%H%M%S`
> %
>
> % dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print }' WARN=`date -u -v +1m +%Y%m%d%H%M%S`
> bind9-test-8.dv.isc.org. 86400 IN RRSIG NSEC 5 4 86400 20100929190221 20100731184853 14436 dv.isc.org. 2jHCGeJqH23dO0RV48Uqqp2hXIl1wp3kIslqmdz686uaCNz3WZZUhKzX EH+8iKc6QQWMZhFzhJoqruiTO6RyIA==
> BRNEE8E63.dv.isc.org. 1800 IN RRSIG A 5 4 1800 20100929190221 20100731184853 14436 dv.isc.org. ZhD6uAbGQYDWJ6rob9iyvRNWZ7Tod1as4WEtPV8C+mLF8aJbakwp/76/ f7r7jz/fQOtIMQ/NjXBRT7O4507gIA==
> BRNEE8E63.dv.isc.org. 1800 IN RRSIG TXT 5 4 1800 20100929190221 20100731184853 14436 dv.isc.org. Xl3nk8lf2exwGGy2iI2BxVjXO3emvI+8GRmkj+vi7n8rddmP6oJRqPGZ wmNoZVxMN9XMTghly6w6Cmj8aNAILQ==
> BRNEE8E63.dv.isc.org. 86400 IN RRSIG NSEC 5 4 86400 20100929190221 20100731184853 14436 dv.isc.org. JUR1M8GmlFFYF73v6oh+bdwYuKK0YBMe7b4mDsMBs1bdBqHB52KUZ8eS KNCRD3GTp8VzwxB1TGmuIq+dGr57lQ==
> %
>
> With a minor change it will print out just the zone.
>
> % dig axfr dv.isc.org @bsdi.dv.isc.org | awk '$4 == "RRSIG" && $9 < WARN { print "WARNING:", $12, "needs re-signing" ; exit }' WARN=`date -u -v +1m +%Y%m%d%H%M%S`
> WARNING: dv.isc.org. needs re-signing
> %
>
> Wrap it in a while loop and you can do all your zones. The getline
> is so we don't generate error messages in the nameserver logs by
> causing the axfr to be aborted.
>
> #!/bin/sh -f
> WARN=`date -u -v +7d +%Y%m%d%H%M%S`
> while read zone server
> do
>         dig axfr "$zone" "@$server" | \
>         awk '$4 == "RRSIG" && $9 < WARN { print "WARNING:", $12, "needs re-signing."; while (getline) ; }' \
>         WARN=$WARN
> done
>
> Mark
>
>> On Tue, Aug 31, 2010 at 10:36 AM, Glen Barney (AMS) <glen@amsl.com> wrote:
>> > Community -
>> >
>> > The DNS zone files have been re-signed, and we will look into alternatives to
>> > the original DNSSEC tools that were in use (which seem to be broken.)
>> >
>> > And just a reminder that, while posting complaints to this list might feel
>> > more therapeutic, the secretariat has an address set up for trouble reports,
>> > which is ietf-action@ietf.org . Sending complaints to that address will
>> > generally get much faster results.
>> >
>> > Thank you!
>> >
>> > Glen
>> > Glen Barney
>> > IT Director
>> > AMS (IETF Secretariat)
>> >
>> > _______________________________________________
>> > Ietf mailing list
>> > Ietf@ietf.org
>> > https://www.ietf.org/mailman/listinfo/ietf
>> >
>>
>>
>>
>> --
>> Website: http://hallambaker.com/
>> _______________________________________________
>> Ietf mailing list
>> Ietf@ietf.org
>> https://www.ietf.org/mailman/listinfo/ietf
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

--
Website: http://hallambaker.com/
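The check Mark Andrews sketches with awk, written out as an added example (not code from the thread or from ISC): it reads the same `dig axfr` text format, keys on the same field positions (type in field 4, expiration in field 9, signer in field 12), and separates signatures that have already expired, which is what happened to the IAB zone and makes validating resolvers reject the data, from those that merely fall inside the warning window. The zone data, the `example.test.` names and the pinned "now" are constructed for the example.

```python
"""Flag DNSSEC RRSIGs that are expired or about to expire, from dig axfr output.

Added example, not the thread's own script; the zone data below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed dig-style AXFR output. Field positions match the awk one-liner
# in the thread: field 4 is the type, field 9 the expiration, field 12 the signer.
SAMPLE_AXFR = """\
example.test.      3600 IN SOA   ns1.example.test. hostmaster.example.test. 2010083101 7200 3600 1209600 3600
example.test.      3600 IN RRSIG SOA 8 2 3600 20100905000000 20100806000000 12345 example.test. AbCd==
www.example.test.  1800 IN A     192.0.2.10
www.example.test.  1800 IN RRSIG A 8 3 1800 20100929190221 20100731184853 12345 example.test. EfGh==
old.example.test.  1800 IN TXT   "stale"
old.example.test.  1800 IN RRSIG TXT 8 3 1800 20100825120000 20100726120000 12345 example.test. IjKl==
"""

# RFC 4034 presentation format for RRSIG inception/expiration: YYYYMMDDHHmmSS in UTC.
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"

# "Now" pinned to the date of the message so the example is reproducible (constructed).
EXAMPLE_NOW = datetime(2010, 8, 31, 20, 40, tzinfo=timezone.utc)


def parse_rrsigs(axfr_text):
    """Yield (owner, type_covered, expiration, signer) for every RRSIG line."""
    for line in axfr_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        expiration = datetime.strptime(fields[8], RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
        yield fields[0], fields[4], expiration, fields[11]


def check_rrsig_expiry(axfr_text, now=EXAMPLE_NOW, window_days=7):
    """Return [(owner, type, status, signer)] for RRSIGs that are EXPIRED
    (validators already reject the covered data) or EXPIRING inside the window.
    RRSIGs whose expiration lies beyond the window are not reported."""
    deadline = now + timedelta(days=window_days)
    findings = []
    for owner, covered, expiration, signer in parse_rrsigs(axfr_text):
        if expiration <= now:
            findings.append((owner, covered, "EXPIRED", signer))
        elif expiration < deadline:
            findings.append((owner, covered, "EXPIRING", signer))
    return findings


def zones_needing_resign(axfr_text, now=EXAMPLE_NOW, window_days=7):
    """Collapse findings to signer names, like the thread's 'WARNING: <zone> needs re-signing'."""
    return sorted({signer for _, _, _, signer in check_rrsig_expiry(axfr_text, now, window_days)})


if __name__ == "__main__":
    for owner, covered, status, signer in check_rrsig_expiry(SAMPLE_AXFR):
        print(f"{status}: {owner} RRSIG({covered}) signed by {signer}")
    for zone in zones_needing_resign(SAMPLE_AXFR):
        print(f"WARNING: {zone} needs re-signing.")
```

Run from cron the same way as the shell loop in the thread, replacing `SAMPLE_AXFR` with the captured output of `dig axfr` for each zone; the warning window should be longer than the time it takes a re-sign to propagate to all secondaries, and an EXPIRED finding is an outage, not a warning.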