On 07/02/14 08:22, Warren Kumari wrote:
> On Wed, Jul 2, 2014 at 8:19 AM, Tony Finch <[email protected]> wrote:
>> Mohamed Lrhazi <[email protected]> wrote:
>>>
>>> gu.edu is, luckily, a test domain, and not production. I had enabled DNSSec
>>> in our F5 GTM front ending DNS, and forgot about it. Seems I have to learn
>>> that after a while keys are rolled over and I need to do some work about
>>> it....
>>
>> Surely it has an interlock to prevent a KSK rollover going ahead without a
>> DS change?!
>
> Obligatory pointer at document that *should* automate this, and so
> prevent bad KSK rolls (if deployed :-)):
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-delegation-trust-maintainance/
>
> Basically, when the signing tool rolls the key, it publishes the new
> key in the zone, the parent (registrar or registry) periodically
> scrapes the zone and then publishes the new DS.
>
> Currently with the RFC Editor.
>
> W
>
> (FD: author).
>
Hmmm, wonder if educause will implement this for us...and can it be done without involving our business office. Otherwise, wonder what I could do in my home grown automation scripts to check for new DS and somehow extend the rollover time automatically?

Though our next scheduled KSK rollover is a year away, and we have new F5's that'll be going into service someday....where we purchased the better package for, so I think having the GTM do DNSSEC would take care of the concern of whether we can satisfy expectations for instant DNS updates when I'm forced to move our master nameserver from the 16 core physical server into a VM....

Last KSK rollover....I had a 31 day window....So, (Aug 1, 2012) I emailed the new DS info to the person that manages our educause account. And, they finally put it in on Aug 31st.... Except that our key alg is 8 (RSASHA256). And, they selected 7 (RSASHA1-NSEC3-SHA1) from the dropdown menu. We're doing NSEC3.

At least I didn't get flooded with tickets about us not resolving in various parts of the world until after Labor Day. (the parts that do DNSSEC validation and don't fall back to DLV) Since things worked from home where my provider did this, but users on Comcast were left in the dark....

Person that had done the update had done it just before going on vacation for a couple of weeks...but was able to fix it from remote....

>>
>> Tony.
>> --
>> f.anthony.n.finch <[email protected]> http://dotat.at/
>> South Utsire: Westerly 3 or 4, backing southwesterly 5 or 6 for a time. Slight
>> or moderate. Rain for a time. Good, occasionally moderate.

--
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
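The home-grown check Lawrence asks about, and the failure he describes (a DS entered at the parent with algorithm 7 while the KSK is algorithm 8), can both be covered by a small script that derives the expected DS records from the zone's own DNSKEY RRset and compares them with what the parent actually publishes. The following is an added example and not code from the thread, from F5, or from the draft Warren cites. It assumes the DNSKEYs and DS records have already been fetched (with `dig +dnssec DNSKEY` against the child and `dig DS` against the parent) and handed in as tuples; the key material below is constructed and not a real key.

```python
import base64
import hashlib

# DS digest types (RFC 4034 / RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Owner name in canonical wire form: lower-cased, length-prefixed labels, root label."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm number, public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """The DS record (tag, algorithm, digest type, upper-case hex digest) the parent should hold."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGORITHMS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def dnskey_text(owner, flags, protocol, algorithm, pubkey):
    """Presentation form of a DNSKEY, as it appears in a zone file or dig output."""
    return f"{owner} IN DNSKEY {flags} {protocol} {algorithm} {base64.b64encode(pubkey).decode()}"


def check_delegation(owner, child_dnskeys, parent_ds):
    """Compare the KSKs in the child zone with the DS set at the parent.

    child_dnskeys: list of (flags, protocol, algorithm, pubkey bytes)
    parent_ds:     list of (key tag, algorithm, digest type, hex digest) as published by the parent
    Returns a list of human-readable problems; an empty list means the delegation is consistent.
    """
    problems = []
    expected = {}
    for flags, protocol, algorithm, pubkey in child_dnskeys:
        if not flags & 0x0001:        # SEP bit clear: a ZSK, for which no DS is expected
            continue
        ds = make_ds(owner, flags, protocol, algorithm, pubkey)
        expected[ds[3]] = ds
    by_digest = {ds[3]: ds for ds in parent_ds}

    for digest, (tag, alg, _dtype, _) in expected.items():
        parent = by_digest.get(digest)
        if parent is None:
            problems.append(f"KSK tag {tag} alg {alg}: no DS at parent (do not retire the old KSK yet)")
        elif parent[0] != tag or parent[1] != alg:
            # Digest matches but the typed-in fields do not: the mistake described in the thread.
            problems.append(f"KSK tag {tag} alg {alg}: parent DS has tag {parent[0]} alg {parent[1]}")

    for digest, (tag, alg, _dtype, _) in by_digest.items():
        if digest not in expected:
            problems.append(f"parent DS tag {tag} alg {alg} matches no KSK in the zone (stale DS?)")
    return problems


# Constructed sample key material (not a real key): RSA exponent 65537 plus a 16-byte "modulus".
SAMPLE_PUBKEY = b"\x03\x01\x00\x01" + bytes([0xAB, 0xCD]) * 8
SAMPLE_KSK = (257, 3, 8, SAMPLE_PUBKEY)   # flags 257 = ZONE + SEP, algorithm 8 = RSASHA256
SAMPLE_ZSK = (256, 3, 8, b"\x03\x01\x00\x01" + bytes([0x12, 0x34]) * 8)

if __name__ == "__main__":
    zone = "gu.edu."
    print(dnskey_text(zone, *SAMPLE_KSK))
    good_ds = make_ds(zone, *SAMPLE_KSK)
    print("expected DS:", good_ds)
    print("correct parent:", check_delegation(zone, [SAMPLE_KSK, SAMPLE_ZSK], [good_ds]))
    typo_ds = (good_ds[0], 7, good_ds[2], good_ds[3])   # operator picked alg 7 from the dropdown
    print("wrong algorithm:", check_delegation(zone, [SAMPLE_KSK, SAMPLE_ZSK], [typo_ds]))
    print("DS not yet published:", check_delegation(zone, [SAMPLE_KSK], []))
```

Run from cron, the useful output is the "no DS at parent" line: as long as the new KSK's DS is missing, the rollover script should keep the old KSK published and signing rather than retire it on the calendar date, which is the interlock Tony asks about. The algorithm-field comparison is what would have caught the August 2012 entry a month earlier than the Comcast users did.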
