[dns-operations] What's wrong with my domain?

2014-07-02 Thread Mohamed Lrhazi 
I am sure I messed up something, but cant figure out what! Some DNS
servers, notably Google's, return SERVFAIL, since a couple of days now.

This dns report says the NS records do not have A records... but they do in
my zone data.

http://www.dnssy.com/report.php?q=gu.edu



➜  ~  dig any gu.edu @8.8.8.8

;  DiG 9.9.5-3-Ubuntu  any gu.edu @8.8.8.8
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 24840
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;gu.edu. IN ANY

;; Query time: 80 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 02 06:21:49 EDT 2014
;; MSG SIZE  rcvd: 35
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Michele Neylon - Blacknight 
Mohamed

Seeing similar errors here: http://mydnscheck.com/?domain=gu.edu

Regards

Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting  Colocation, Domains
http://www.blacknight.co/
http://blog.blacknight.com/
http://www.technology.ie/
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Twitter: http://twitter.com/mneylon
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845

From: dns-operations [mailto:dns-operations-boun...@dns-oarc.net] On Behalf Of 
Mohamed Lrhazi
Sent: Wednesday, July 2, 2014 11:29 AM
To: dns-operations
Subject: [dns-operations] What's wrong with my domain?

I am sure I messed up something, but cant figure out what! Some DNS servers, 
notably Google's, return SERVFAIL, since a couple of days now.

This dns report says the NS records do not have A records... but they do in my 
zone data.

http://www.dnssy.com/report.php?q=gu.edu



➜  ~  dig any gu.eduhttp://gu.edu @8.8.8.8http://8.8.8.8

;  DiG 9.9.5-3-Ubuntu  any gu.eduhttp://gu.edu 
@8.8.8.8http://8.8.8.8
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 24840
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;gu.eduhttp://gu.edu.   IN
ANY

;; Query time: 80 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 02 06:21:49 EDT 2014
;; MSG SIZE  rcvd: 35

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Mark Andrews 

The DS record for gu.edu does not have a matching self signed DNSKEY
record.  The DS record is for keyid 3078.  There are no DNSKEY records
with that keyid nor signatures generated with that keyid for the DNSKEY
rrset.

I suspect a botched KSK key rollover.

Mark

;  DiG 9.11.0pre-alpha  ds gu.edu
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 1308
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gu.edu.IN  DS

;; ANSWER SECTION:
gu.edu. 86083   IN  DS  3078 7 1 
B4C9FB14D6519C3ECE5CC43E80C463D5847D73ED

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 02 21:01:54 EST 2014
;; MSG SIZE  rcvd: 71


;  DiG 9.11.0pre-alpha  +dnssec +rrcomments dnskey gu.edu 
@141.161.200.28
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 19143
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gu.edu.IN  DNSKEY

;; ANSWER SECTION:
gu.edu. 86400   IN  DNSKEY  257 3 7 
AwEAAb6JcEZnTcIg2P2yv7uIBG8F8ZNOFh1EzJHp2OlYnNZL70KufziL 
Xye72PEeCoMKCArnw3vH/7zV9SvFfFsfaEEAPDwASUYs4kGlP0IJ297C 
hm9x1b+vQ+tMIbGhf8z9qGqFqT/N63EGcN5Wl6B9JhFrWWZIw/7hpX6Y 
GSNM9fHgE79O363FOQNnUk4tUkaPSKhBZRh4jYtGKCcFt0Sc0SiDjdz1 
vPhzzq2p2XklLijHUAOHfuMFfDSUFu5/8JOz84CvtGhjpoSAJ7MffcTz 
M9Luzk9/DkvDoteK3VHtn90vZoOea/V8CbNWX2i7S0keZQ7f9SmMg3PE gRXue/kZVnE=  ; KSK; 
alg = NSEC3RSASHA1; key id = 39339
gu.edu. 86400   IN  DNSKEY  257 3 7 
AwEAAa2FnxIFT7YpOPNV6VLfpzWCh5W5Fo9zsvA1zI4psLtj//c2Xrwy 
UFsCYktsIVnGD8mElKXq1w1zfxeo8xudMrS2v7QQmVnioF84rFHhh+CR 
RVPd+8DKD+hVSQVfUfticewC9DBLLrDSuprxFIZt8VHUn3vzTN9zYK45 
/dGGSOXCN8Pj7kXvhLSOYy3WjKwLK84j+gr3jTytH9gsaRTl9FrOskB+ 
pyYqOOro4UolRa5aPYv2BVqENYgauuowfghSqObpWATIpLCujpm5SBRX 
IfW4veFKIfhBlNoHLG/iQKmcrj8DAtEe8ZTNJt2GNhn8dt+J7IJOSaYb QUGRzzZ9//0=  ; KSK; 
alg = NSEC3RSASHA1; key id = 35043
gu.edu. 86400   IN  DNSKEY  256 3 7 
AwEAAb/7TwBkoZFMtAzV7MrojlnEM52p43LGGbm2XyaxrZYZ2dgO6aFv 
GZKUkzTDKn6a0Ko3qDL71uxAVdqInARg2DDv1mjC1ONS8axhu2T4clIb 
wUE9R0sWKW+AzlX048bC7yFfolhg8bocnrbBLe4ED8zJw4TGHEW1PoDH 
DMGgXmB4ZP/UP7FBOPOMbAk0/dGKjiiRBezF3i8GmQ2w9sZB5Y9ns+uE 
N3BqJE5rM21kNw/KB8GCfhiDqI4jsq8w3EQ3gM/slbdHFl3oUbaEho2B 
ZMpmQ+lRwEVG2XBGrxwMxU4gKhmS6anPAywBjMl/I+49FgqV2FtNcCIl sHJZQkqKrX8=  ; ZSK; 
alg = NSEC3RSASHA1; key id = 38702
gu.edu. 86400   IN  DNSKEY  256 3 7 
AwEAAbk4F64sFJvk8JEtpOW2sa/8No8f5MNT4N1qQaXZHfhobBKw8Jb7 
JxNQqGLhmCnzHXMXS28zMx00YsgTUV90rE0fAY6d6pA5khO4Fq+nTLyS 
jbLeGozYFsLRvr3WnAc1j3Htsuo7phZWb/rAxe0KvVT6oV0JnGptflGh 
GjFTlFAIQiO4RldyVEOSk9pu9vZAGc75318JREcdez9QI1GM6yxT9qgh 
H1WrRHSBA/Mn3CitLMgIgatZ7N4tkclH+P0lphWPrREumIC9Il5ZAi6e 
Ayh/BSMpcpugPX03dXHssVRJEKXC6h6JoP7W1ZL4i4K6coLF+6QmXxjn N+GILy70XzU=  ; ZSK; 
alg = NSEC3RSASHA1; key id = 25247
gu.edu. 86400   IN  RRSIG   DNSKEY 7 2 86400 20140705183107 
20140628183107 39339 gu.edu. 
V90hsL73pY7thRDBFUICo5M/m46+nvR8nSkC7FCjSSCK6ZVuwIO2GoPV 
ytvmX9zVLcVZmgkP/a3nyV79ENN76j1RGhTrJLq8ekD6fl7P4djk66sB 
yrMiyijY8dr6CcuVVp1LnMzgDACSyPMoWnmsXEAX2zxgCJxN1FKm3INM 
AzEL8d/AThWG2fRTww6whQlISKYkvuN9zflK4qxUsucshccmimQj0799 
7GjQh50yUYhjVOFdYdiyU3q/MtHOmjMOL7bnmquiBvXC39Qan2+e1Kys 
CT17b4zWUYy54qF6hEejafCsrsTy6jZIk5aXGhqA1LG/mqPI1gt74Bpu 2JI+WQ==
gu.edu. 86400   IN  RRSIG   DNSKEY 7 2 86400 20140705183107 
20140628183107 35043 gu.edu. 
Im5/h/K08KpcnZIXKXjTBTshEYTjMdeZeCx1qgVzhRq5jQs9ERXG8wzn 
Plvs809SGTuvHbSBqoziCw7eWbGhlDthj1sc7AzAr22lGRRZB7KuKJx6 
BbyGRSCcte2cbec03tzf4axFIjV/AWUKPVwZz+FyLjlE8M+1m+9wf1rd 
RAC/sHyeRIk+UgMzbxfu4NtP+obeh3QK00acFSWzGq/GOvijub8AiD40 
tMAl8eszWhi6nvRgXgCIbrILJscL0dVZVgUxe4wdJPM9l0t97y8D8/jA 
8RWFSETipEgN9x1SK9OBjCA0+e7Xb1GL5u2XvgZ+47I6t5fI9a2aCTuZ cdjRxA==
gu.edu. 86400   IN  RRSIG   DNSKEY 7 2 86400 20140705183107 
20140628183107 38702 gu.edu. 
I0hR/eirR7oCcWXty592yeHa7ceOePt4h/ktKAMcptlYzxzyVsNZE00p 
JVO2RwTTyc4ROG7IjU4hrlXk47w8cRFh2HlawF/wDbqxrMAJnZl1cR/4 
lNpdpdDCAvXE0YCNE9MDJJ2RlTdK0EKE1/Z6uxvdZwlLSNmdTRQZq3U6 
Er8BrKydIpyaOATGTHEeDVdv6862cp/JnGbyfnPQH8zUqLwjeEwV++q7 
EzdX8009sqoM0qKS+QSKD33rTwfBmgDYX4A4KePCK8VqLg3VFVuMzjLv 
+mlm4QJ7QVxpiKPoiCPDUCw5OPZICl3ZPgbB06FgHHAbqf1USG63Vazg SmTujQ==
gu.edu. 86400   IN  RRSIG   DNSKEY 7 2 86400 20140705183107 
20140628183107 25247 gu.edu. 
E4HC0HzDzSwXhRHCJuPPuLeLAsOs7hjEHqnKxt9SRx4oKOt5g/A33mHZ 
tr7YbGtuf5+5MkPeXaIAAwaywBzkGCFbUVlD6tGEvpDLrm/Cw12w8rfs 
FY0OfvJrovr15ZeH57SswhiLtTuh1NA5WqALxmbENRg/ja9Due86Js6I 
G7ImoajhkD2oSS0QCpwuk+pKv0xpfllawE/pzszL7vcLZSCPmXvsAwr9 
TqmvmP70B+YjnGeNlEFAx1YGgS4urnNIf7/aMSk+sqrFH+1su8Q6zO94 
miiz18q2xbCebSQJoRkf61n84gdVyJ+My4UfQ9sP1um8w4yD+M0i84SZ r02fGg==

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Jim Reid 
On 2 Jul 2014, at 11:29, Mohamed Lrhazi ml...@georgetown.edu wrote:

 I am sure I messed up something, but cant figure out what! Some DNS
 servers, notably Google's, return SERVFAIL, since a couple of days now.

DNSSEC for gu.edu appears to be broken. google's 8.8.8.8 service does DNSSEC 
validation. SERVFAILs get returned when validation fails. FWIW my name servers 
also do DNSSEC validation and they get SERVFAILs for your domain too.

It looks to me like someone/something rolled gu.edu's KSK and forgot to get the 
parent delegation updated. .edu has one DS record for gu.edu which is for a key 
with fingerprint 3078. None of the DNSKEYs in gu.edu have that footprint. This 
makes it impossible to validate any signed data under gu.edu:

% drill -TD gu.edu ns
...
[T] gu.edu. 86400 IN DS 3078 7 1 b4c9fb14d6519c3ece5cc43e80c463d5847d73ed 
;; Domain: gu.edu.
;; Signature ok but no chain to a trusted key or ds record
[S] gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 35043 (ksk), size = 2048b}
gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 39339 (ksk), size = 2048b}
gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 25247 (zsk), size = 2048b}
gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 38702 (zsk), size = 2048b}



___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Hauke Lampe 
On 02.07.2014 12:29, Mohamed Lrhazi wrote:
 I am sure I messed up something, but cant figure out what! Some DNS
 servers, notably Google's, return SERVFAIL, since a couple of days now.

DNSSEC validation fails for your domain.

The DS record in .edu refers to a KSK with ID 3078 which doesn't match
either of the two KSK DNSKEYs in gu.edu.

More remarkably, Google Public DNS seems to have DNSSEC validation
enabled by default now, not depending on the query flags anymore.


HTH,
Hauke.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Mohamed Lrhazi 
Fantastic! thanks a lot guys. I had forgotten that I did setup dnssec on
this zone a while back.

Thanks,
Mohamed.


On Wed, Jul 2, 2014 at 7:15 AM, Jim Reid j...@rfc1035.com wrote:

 On 2 Jul 2014, at 11:29, Mohamed Lrhazi ml...@georgetown.edu wrote:

  I am sure I messed up something, but cant figure out what! Some DNS
  servers, notably Google's, return SERVFAIL, since a couple of days now.

 DNSSEC for gu.edu appears to be broken. google's 8.8.8.8 service does
 DNSSEC validation. SERVFAILs get returned when validation fails. FWIW my
 name servers also do DNSSEC validation and they get SERVFAILs for your
 domain too.

 It looks to me like someone/something rolled gu.edu's KSK and forgot to
 get the parent delegation updated. .edu has one DS record for gu.edu
 which is for a key with fingerprint 3078. None of the DNSKEYs in gu.edu
 have that footprint. This makes it impossible to validate any signed data
 under gu.edu:

 % drill -TD gu.edu ns
 ...
 [T] gu.edu. 86400 IN DS 3078 7 1 b4c9fb14d6519c3ece5cc43e80c463d5847d73ed
 ;; Domain: gu.edu.
 ;; Signature ok but no chain to a trusted key or ds record
 [S] gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 35043 (ksk), size = 2048b}
 gu.edu. 86400 IN DNSKEY 257 3 7 ;{id = 39339 (ksk), size = 2048b}
 gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 25247 (zsk), size = 2048b}
 gu.edu. 86400 IN DNSKEY 256 3 7 ;{id = 38702 (zsk), size = 2048b}



___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread bert hubert 
On Wed, Jul 02, 2014 at 06:29:22AM -0400, Mohamed Lrhazi wrote:
 I am sure I messed up something, but cant figure out what! Some DNS
 servers, notably Google's, return SERVFAIL, since a couple of days now.

Mohamed,

I checked most things I can check, and it all looks fine. It may be good to
note that asking ANY queries of a resolver is a recipe for fail, which is
what you try below with 8.8.8.8.  It also fails with an A query, though.

Also, www.gu.edu does not have an IP address in your zone. But then again,
this should not break 'dig -t a gu.edu'.

Your SOA record is a tad weird, but should not break things.

The 'dnssy.com' report that your nameservers have no IP address in your zone
appears to be bogus, at least when seen from here.

Sorry I can't be more helpful!

Bert
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Stephane Bortzmeyer 
On Wed, Jul 02, 2014 at 06:29:22AM -0400,
 Mohamed Lrhazi ml...@georgetown.edu wrote 
 a message of 82 lines which said:

 Some DNS
 servers, notably Google's, return SERVFAIL, 

When using a validating resolver, like Google's, always test *also*
with +cd (Checking Disabled). If it works with +cd and servfails
without, you can be pretty sure it is a DNSSEC problem (see Mark
Andrews' analysis).

 This dns report says the NS records do not have A records... but they do in
 my zone data.
 
 http://www.dnssy.com/report.php?q=gu.edu

A poor tool, specially because it reacts badly when there are IPv6
addresses. For better tools, see the article in
http://www.bortzmeyer.org/tests-dns.html (updates and comments
welcome).
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Mohamed Lrhazi 
So many useful tips, thank you all.

gu.edu is, luckily, a test domain, and not production. I had enabled DNSSec
in our F5 GTM front ending DNS, and forgot about it. Seems I have to learn
that after a while keys are rolled over and I need to do some work about
it It makes DNSsec easy, but not that easy

Thanks,
Mohamed.


On Wed, Jul 2, 2014 at 7:46 AM, Stephane Bortzmeyer bortzme...@nic.fr
wrote:

 On Wed, Jul 02, 2014 at 12:08:36PM +0100,
  Tony Finch d...@dotat.at wrote
  a message of 25 lines which said:

  Your DS record doesn't match your DNSKEY records.

 The OP could also use the excellent DNSviz:

 http://dnsviz.net/d/gu.edu/U7Pp0g/dnssec/

 which rightly says:

 gu.edu/DNSKEY:DS RRs exist for algorithm(s) 7 in the edu zone, but no
 matching DNSKEYs of algorithm(s) 7 were used to sign the gu.edu DNSKEY
 RRset.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Tony Finch 
Mohamed Lrhazi ml...@georgetown.edu wrote:

 gu.edu is, luckily, a test domain, and not production. I had enabled DNSSec
 in our F5 GTM front ending DNS, and forgot about it. Seems I have to learn
 that after a while keys are rolled over and I need to do some work about
 it

Surely it has an interlock to prevent a KSK rollover going ahead without a
DS change?!

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
South Utsire: Westerly 3 or 4, backing southwesterly 5 or 6 for a time. Slight
or moderate. Rain for a time. Good, occasionally moderate.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Brett Carr 
It would seem bad that the DNSSEC Implementation in f5’s would complete a KSK 
rollover (IE remove the old key) without some confirmation that the DS had been 
seen in the parent.
Automation gone too far.

Brett

On 2 Jul 2014, at 12:56, Mohamed Lrhazi 
ml...@georgetown.edumailto:ml...@georgetown.edu wrote:

So many useful tips, thank you all.

gu.eduhttp://gu.edu/ is, luckily, a test domain, and not production. I had 
enabled DNSSec in our F5 GTM front ending DNS, and forgot about it. Seems I 
have to learn that after a while keys are rolled over and I need to do some 
work about it It makes DNSsec easy, but not that easy

Thanks,
Mohamed.


On Wed, Jul 2, 2014 at 7:46 AM, Stephane Bortzmeyer 
bortzme...@nic.frmailto:bortzme...@nic.fr wrote:
On Wed, Jul 02, 2014 at 12:08:36PM +0100,
 Tony Finch d...@dotat.atmailto:d...@dotat.at wrote
 a message of 25 lines which said:

 Your DS record doesn't match your DNSKEY records.

The OP could also use the excellent DNSviz:

http://dnsviz.net/d/gu.edu/U7Pp0g/dnssec/

which rightly says:

gu.edu/DNSKEY:DShttp://gu.edu/DNSKEY:DS RRs exist for algorithm(s) 7 in the 
edu zone, but no matching DNSKEYs of algorithm(s) 7 were used to sign the 
gu.eduhttp://gu.edu/ DNSKEY RRset.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.netmailto:dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Mohamed Lrhazi 
Yeah, it looks like it is the case, as the F5 docs say:

Providing DS records to the parent domain
Each time a new generation of a key-signing key is created, you must provide
the updated DS record to the administrators of the parent zone. For
example, in Figure 10.1
https://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm_config_10_2/gtm_dnssec.html?sr=38618833#1016065,
the value of the Rollover Period of the key is 30 days, and the value of
the Expiration Period of the key is 37 days. In the case of a key-signing
key, a new generation of the key is created every 30 days, and you have
seven days before the old generation of the key expires to provide the new
DS record to the administrators of the parent zone. These administrators
sign the new DS record with their own key and upload it their zone.




On Wed, Jul 2, 2014 at 8:44 AM, Brett Carr brett.c...@nominet.org.uk
wrote:

  It would seem bad that the DNSSEC Implementation in f5’s would complete a
 KSK rollover (IE remove the old key) without some confirmation that the DS
 had been seen in the parent.
 Automation gone too far.

  Brett

  On 2 Jul 2014, at 12:56, Mohamed Lrhazi ml...@georgetown.edu wrote:

  So many useful tips, thank you all.

  gu.edu is, luckily, a test domain, and not production. I had enabled
 DNSSec in our F5 GTM front ending DNS, and forgot about it. Seems I have to
 learn that after a while keys are rolled over and I need to do some work
 about it It makes DNSsec easy, but not that easy

  Thanks,
 Mohamed.


 On Wed, Jul 2, 2014 at 7:46 AM, Stephane Bortzmeyer bortzme...@nic.fr
 wrote:

 On Wed, Jul 02, 2014 at 12:08:36PM +0100,
  Tony Finch d...@dotat.at wrote
  a message of 25 lines which said:

  Your DS record doesn't match your DNSKEY records.

  The OP could also use the excellent DNSviz:

 http://dnsviz.net/d/gu.edu/U7Pp0g/dnssec/

 which rightly says:

 gu.edu/DNSKEY:DS RRs exist for algorithm(s) 7 in the edu zone, but no
 matching DNSKEYs of algorithm(s) 7 were used to sign the gu.edu DNSKEY
 RRset.


  ___
 dns-operations mailing list
 dns-operations@lists.dns-oarc.net
 https://lists.dns-oarc.net/mailman/listinfo/dns-operations
 dns-jobs mailing list
 https://lists.dns-oarc.net/mailman/listinfo/dns-jobs



___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Brett Carr 
However it states and you have seven days” but doesn’t really say what happens 
after the seven days (although i think we know) or how you can delay that. 
Certainly in the case of a TLD where you have to interact with IANA and your 
own admin and tech contacts getting this done in seven days can be a real 
challenge.

Brett


On 2 Jul 2014, at 14:04, Mohamed Lrhazi 
ml...@georgetown.edumailto:ml...@georgetown.edu wrote:

Yeah, it looks like it is the case, as the F5 docs say:

Providing DS records to the parent domain
Each time a new generation of a key-signing key is created, you must provide 
the updated DS record to the administrators of the parent zone. For example, in 
Figure 
10.1https://support.f5.com/kb/en-us/products/big-ip_gtm/manuals/product/gtm_config_10_2/gtm_dnssec.html?sr=38618833#1016065,
 the value of the Rollover Period of the key is 30 days, and the value of the 
Expiration Period of the key is 37 days. In the case of a key-signing key, a 
new generation of the key is created every 30 days, and you have seven days 
before the old generation of the key expires to provide the new DS record to 
the administrators of the parent zone. These administrators sign the new DS 
record with their own key and upload it their zone.




On Wed, Jul 2, 2014 at 8:44 AM, Brett Carr 
brett.c...@nominet.org.ukmailto:brett.c...@nominet.org.uk wrote:
It would seem bad that the DNSSEC Implementation in f5’s would complete a KSK 
rollover (IE remove the old key) without some confirmation that the DS had been 
seen in the parent.
Automation gone too far.

Brett

On 2 Jul 2014, at 12:56, Mohamed Lrhazi 
ml...@georgetown.edumailto:ml...@georgetown.edu wrote:

So many useful tips, thank you all.

gu.eduhttp://gu.edu/ is, luckily, a test domain, and not production. I had 
enabled DNSSec in our F5 GTM front ending DNS, and forgot about it. Seems I 
have to learn that after a while keys are rolled over and I need to do some 
work about it It makes DNSsec easy, but not that easy

Thanks,
Mohamed.


On Wed, Jul 2, 2014 at 7:46 AM, Stephane Bortzmeyer 
bortzme...@nic.frmailto:bortzme...@nic.fr wrote:
On Wed, Jul 02, 2014 at 12:08:36PM +0100,
 Tony Finch d...@dotat.atmailto:d...@dotat.at wrote
 a message of 25 lines which said:

 Your DS record doesn't match your DNSKEY records.

The OP could also use the excellent DNSviz:

http://dnsviz.net/d/gu.edu/U7Pp0g/dnssec/

which rightly says:

gu.edu/DNSKEY:DShttp://gu.edu/DNSKEY:DS RRs exist for algorithm(s) 7 in the 
edu zone, but no matching DNSKEYs of algorithm(s) 7 were used to sign the 
gu.eduhttp://gu.edu/ DNSKEY RRset.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.netmailto:dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs



___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Warren Kumari 
On Wed, Jul 2, 2014 at 8:19 AM, Tony Finch d...@dotat.at wrote:
 Mohamed Lrhazi ml...@georgetown.edu wrote:

 gu.edu is, luckily, a test domain, and not production. I had enabled DNSSec
 in our F5 GTM front ending DNS, and forgot about it. Seems I have to learn
 that after a while keys are rolled over and I need to do some work about
 it

 Surely it has an interlock to prevent a KSK rollover going ahead without a
 DS change?!

Obligatory pointer at document that *should* automate this, and so
prevent bad KSK rolls (if deployed :-)):
https://datatracker.ietf.org/doc/draft-ietf-dnsop-delegation-trust-maintainance/

Basically, when the signing tool rolls the key, it publishes the new
key in the zone, the parent (registrar or registry) periodically
scrapes the zone and then publishes the new DS.

Currently with the RFC Editor.

W

(FD: author).


 Tony.
 --
 f.anthony.n.finch  d...@dotat.at  http://dotat.at/
 South Utsire: Westerly 3 or 4, backing southwesterly 5 or 6 for a time. Slight
 or moderate. Rain for a time. Good, occasionally moderate.
 ___
 dns-operations mailing list
 dns-operations@lists.dns-oarc.net
 https://lists.dns-oarc.net/mailman/listinfo/dns-operations
 dns-jobs mailing list
 https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Lawrence K. Chen, P.Eng. 


On 07/02/14 08:22, Warren Kumari wrote:
 On Wed, Jul 2, 2014 at 8:19 AM, Tony Finch d...@dotat.at wrote:
 Mohamed Lrhazi ml...@georgetown.edu wrote:

 gu.edu is, luckily, a test domain, and not production. I had enabled DNSSec
 in our F5 GTM front ending DNS, and forgot about it. Seems I have to learn
 that after a while keys are rolled over and I need to do some work about
 it

 Surely it has an interlock to prevent a KSK rollover going ahead without a
 DS change?!
 
 Obligatory pointer at document that *should* automate this, and so
 prevent bad KSK rolls (if deployed :-)):
 https://datatracker.ietf.org/doc/draft-ietf-dnsop-delegation-trust-maintainance/
 
 Basically, when the signing tool rolls the key, it publishes the new
 key in the zone, the parent (registrar or registry) periodically
 scrapes the zone and then publishes the new DS.
 
 Currently with the RFC Editor.
 
 W
 
 (FD: author).
 

Hmmm, wonder if educause will implement this for us...and can it be done
without involving our business office.

Otherwise, wonder what I could do in my home grown automatation scripts to
check for new DS and somehow extend the rollover time automatically?

Though our next scheduled KSK rollover is a year away, and we have new F5's
that'll be going into service somedaywhere we purchased the better package
for, so I think having the GTM do DNSSEC would take concern of whether we can
satisfy expectations for instant DNS updates when I'm forced to move our
master nameserver from the 16 core physical server into a VM

Last KSK rolloverI had a 31 day windowSo, (Aug 1, 2012) I email the
new DS info to the person that manages our educause account.  And, they
finally put it in on Aug 31st

Except that our key alg is 8 (RSASHA256).  And, they selected 7
(RSASHA1-NSEC3-SHA1) from the dropdown menu.  We're doing NSEC3.

At least I don't get flooded with tickets about us not resolving in various
parts of the world until I get after Labor Day. (the parts that do DNSSEC
validation and don't fallback to DLV)

Since things worked from home where my provider did this, but users on Comcast
were left in the dark

Person that had done the update, had done it just before going on vacation for
a couple of weeks...but was able to fix it from remote


 Tony.
 --
 f.anthony.n.finch  d...@dotat.at  http://dotat.at/
 South Utsire: Westerly 3 or 4, backing southwesterly 5 or 6 for a time. 
 Slight
 or moderate. Rain for a time. Good, occasionally moderate.


-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) --  SafeZone Ally
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Re: [dns-operations] What's wrong with my domain?

2014-07-02 Thread Jorge Fábregas 
On 07/02/2014 04:54 PM, Lawrence K. Chen, P.Eng. wrote:
 Otherwise, wonder what I could do in my home grown automation scripts to
 check for new DS and somehow extend the rollover time automatically?

If there's no such automation in place (parent monitoring child for new
KSK in order to update its DS records) I wouldn't use an automated KSK
rollover.  I'd do it manually (KSK double-signature rollover) when the
time arrives.  That way I'm in control (e.g. I won't delete old KSK
until I make sure parent has new DS  wait for the old DS' TTL time).

I really think this is the best approach when there's no such
automation.  If there's a better way I'd be glad to hear it (I'm staring
out with DNSSEC :)

Regards,
Jorge
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs