Bug 602424 - Implement DNSSEC for mozilla.com
Status: RESOLVED WONTFIX (closed)
Opened 14 years ago, closed 10 years ago
Categories: Infrastructure & Operations :: DNS and Domain Registration, task
Tracking: Not tracked
People: Reporter: fox2mike, Assigned: bhourigan
Description (comment 0)•14 years ago

+++ This bug was initially created as a clone of Bug #602423 +++
+++ This bug was initially created as a clone of Bug #586580 +++

Q4 goal for IT, I'm running point on this and so filing a bug for tracking. .com isn't signed yet, so this will be an island of trust + ISC's dlv.
Updated•14 years ago
Whiteboard: [q4] → [q4] - dec.
Updated (reporter)•13 years ago
Whiteboard: [q4] - dec. → [q1] carryover
Updated•13 years ago
Component: Server Operations → Server Operations: Projects
Whiteboard: [q1] carryover → [q1] [after ffx4]
Comment 1•13 years ago
(In reply to comment #0)
> .com isn't signed yet

.com has been properly signed in the root since today:

$ host -t ds com.
com has DS record 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766

Thus, it would be useful to have not only DNSSEC for mozilla.ORG (fixed bug 586580) but also for mozilla.COM (this bug), especially since many of the mozilla.ORG pages actually point to mozilla.COM. For instance:

bugzilla.mozilla.org is an alias for bugzilla-mozilla-org.geo.mozilla.com.
bugzilla-mozilla-org.geo.mozilla.com is an alias for dyna-bugzilla.nslb.sj.mozilla.com.
dyna-bugzilla.nslb.sj.mozilla.com has address 63.245.209.72
Comment 3•13 years ago
> Thus, it would be useful to have not only DNSSEC for mozilla.ORG (fixed bug
> 586580) but also for mozilla.COM (this bug) - especially since many of the
> mozilla.ORG pages actually point to mozilla.COM: For instance:
And for this same reason we are going to take our time in the rollout so we minimize any negative impact/compatibility issues. There are also several initiatives we have in motion related to DNS and this is one of them.
Comment 4•13 years ago
@Tobias some of the complication here is that not all of the systems we have support DNSSEC (geo.mozilla.com for instance). As Ravi pointed out, there's some infrastructure work that has to take place.
Comment 5•13 years ago
Issues related to bug 647254 are a good example of why we want to do a strategic rollout.
Comment 6•13 years ago
(In reply to comment #0)
> .com isn't signed yet, so this will be an island of trust + ISC's dlv.

.com is now signed, so removing the "island of trust" bit. Once we have all the pieces in place for this we can do it for real now.
Summary: Implement DNSSEC (island of trust + dlv) for mozilla.com → Implement DNSSEC for mozilla.com
Updated (reporter)•13 years ago
Component: Server Operations: Projects → Server Operations
Comment 7 (reporter)•13 years ago
Alright, we've started signing zones now for mozilla.com and will (probably in 24 hours) start pushing those out to our nameservers as well, before sending DS records to our registrar.
Comment 8•13 years ago
(In reply to comment #7)
> Alright, we've started signing zones now for mozilla.com and will (probably
> in 24 hours) start pushing those out to our nameservers as well

Thanks! However, what's the current status? I couldn't find signed zones a week after the quoted announcement.
Comment 9•13 years ago
The announcement stated we would begin to publish the signed zones to our nameservers at 2200 PST (0500 UTC) Tuesday, May 24. I would wait 24h to see them in the wild.
Comment 10 (reporter)•13 years ago
We've started pushing these out now:

fox2mike@woodpecker ~ $ dig @4.2.2.2 +dnssec DNSKEY mozilla.com

; <<>> DiG 9.4.3-P5 <<>> @4.2.2.2 +dnssec DNSKEY mozilla.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39987
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mozilla.com.			IN	DNSKEY

;; ANSWER SECTION:
mozilla.com.		600	IN	DNSKEY	257 3 7 AwEAAbkxVPAP5UhOF4FmeKPlkXUkBZNxNIzeKZTykGJ9hFx6ml1FU2bv F7PAKf6qHJBm86uoTB2UzPiGbNSdV6rgE1T1RIX8cGt3iOATp3wNHh40 gBh9RqFZGnUZOLNJzkoVvhQnvgo5nZBG4rfrMF9UpXs/EbAByduG6KiV SbXyrIWwgKumNr42uewGQjoFYisqFGf63ChfikverqEyvolxGewmeXKN th2+82NDy3fG1g9qF2sEf5ea1LzCv0PkSDqj5rzJcBFdEeJCHNLDMNAB DAMG+tj/J2+06DeizRTi2dCsXad+lKVVjhKymP6EL8AEtx/b3E6vfO6d lIzHqugcLD8=
mozilla.com.		600	IN	DNSKEY	256 3 7 AwEAAa59e7KmG9RjQAO0bpT+gXo8Xn7wO//pr0jdj9zGkARj4E2LTcLo E6jlK4PpPpCylTTI3MGz9M/+lgF2+R8K/zCmMKDC3Pc0z0CzLT35NagY tMEpUrkxGbsJESEGUVXvxKinDfAg8KgK265rHIX9XKWraUErDCrxZKbi gEF27zH/
mozilla.com.		600	IN	DNSKEY	256 3 7 AwEAAcWr34hxlz7JiCPRO8OMSVV4vechtcXmzMLts1N90tkXN3Tca0I/ vh1b8ECYrzNBZaxFGFnHuFuXSUcFdPYF227rLK7Fy6cBW1Um24cJJwGe SjUN6PS7SIukdlTeBvXms7qhuHJAQdkwmZ5rAde/clKgjwY+BPDGKuZD lqbAZ+pt
mozilla.com.		600	IN	RRSIG	DNSKEY 7 2 600 20110624063242 20110525063825 32717 mozilla.com. hX5lY44lr1hj3HMRU5wPfIbpCLJXGKkzTzmgiQe8gs8ePO230hIzVDtw HVwn6NlkRxiYSf8mrytBfZ0BS0M1VGWybzBFZGGF/pEKrfVunpSxcM2L PsUVFl6V+TrZoFsGyO4CEJN5jGFhspgWaIFJIukqBRY70n4EZ0yU8GfJ Jio=
mozilla.com.		600	IN	RRSIG	DNSKEY 7 2 600 20110624063638 20110525063825 31809 mozilla.com. S+jKWGbmrr8ikONWBp99/FYwtGXWst4UVxAe045KltfYweP6f6r2wGMn CRJlwLhC/Jf6Ninjo/xGsOj+/LxjKxhd+vDFcPEkZN0W2Ojh3AWee8hj cqlYBpLKrGQfWQRIokgAsO04xrajSdCaCUGCvpDvYwpseAT2hA7qe5Rl b+gTC3YwPNDktiNl6DQml6/mJW5iva5JYSHfux4Q9NwRa2IOy2M36Ghj XPI+Qm3g2uZl6R0k5dTX78iSnBXK4hfybFzCbJD6Eahxga+Q+JgCaYzr xYREdQ7EAUjG8FbJQHAbzQwGyF9Mx3DscFw0aOB1GSpddz02CCK//6S6 DruBCQ==
Comment 11 (reporter)•13 years ago
(In reply to comment #8)
> Thanks! However, what's the current status? I couldn't find signed zones a
> week after the quoted announcement.

That was delayed, because we decided to announce it...
http://blog.mozilla.com/it/2011/05/19/mozilla-change-notification-dnssec-%e2%80%93-05242011-10pm-pdt-05252011-0500-utc/
Comment 12•13 years ago
(In reply to comment #11)
> (In reply to comment #8)
> That was delayed, because we decided to announce it...

"Tuesday, May 24 at 10pm PDT (0500 UTC) DNSSEC Deployment"
"We will monitor this for 24 hours before submitting the respective DS keys to our registrar."

Seems to work rather flawlessly (as a user); do you plan to push it?
Comment 13 (reporter)•13 years ago
(In reply to comment #12)
> Seems to work rather flawlessly (as user), do you plan to push it?

We do, but have some operational issues to iron out. I'm not going to rush this and have validation failures; it's far more prudent to take some time and think things through (and if I hadn't waited this long, I wouldn't have caught the current thing we're working to fix).
Comment 14 (reporter)•13 years ago
This will have to wait until we upgrade the Zeus GLBs we use to Zeus MSMs, which are DNSSEC capable, since the glb.mozilla.net domains are handled by global load balancers for DNS and doing this beforehand will break validation.
Whiteboard: [q2] → Waiting on Zeus GLB -> MSM [q2]
Updated (reporter)•12 years ago
Whiteboard: Waiting on Zeus GLB -> MSM [q2]
Comment 15 (reporter)•12 years ago
Up to Jabba's team to decide if we're moving forward with this.
Assignee: shyam → server-ops-infra
Component: Server Operations → Server Operations: Infrastructure
QA Contact: mrz → jdow
Updated (reporter)•12 years ago
Severity: normal → enhancement
Updated•12 years ago
Assignee: server-ops-infra → bhourigan
Updated•11 years ago
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations
Updated•11 years ago
Component: Infrastructure: Other → Infrastructure: DNS
Comment 16 (assignee)•10 years ago
We're now publishing DS records at MarkMonitor for mozilla.com. Verified DNSSEC validation:

OK - http://dnssec-debugger.verisignlabs.com/mozilla.com
OK - http://dns.comcast.net/index.php/tools/cachecheck
OK - dig @8.8.8.8
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
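The check behind comment 16, and the DNSKEY data in comment 10, can be tied together offline: the DS record a registrar publishes is the key tag, algorithm and digest of the zone's KSK (RFC 4034), so a DS that does not match the DNSKEY actually served is exactly the validation failure comment 13 is wary of. The script below is an added example for this bug, not Mozilla's tooling and not a script from the thread; it implements the RFC 4034 key-tag and DS-digest algorithms with the Python standard library. `SAMPLE_KSK` is the mozilla.com KSK copied from comment 10, `COM_DS_HOST_LINE` is the .com DS from comment 1, and `TOY_KSK` (owner example.test, 4 bytes of fake key material) is a constructed key whose tag can be worked out by hand; the function names are this example's own.

```python
# Added example (not Mozilla's tooling, not from this bug): derive the DS record
# for a zone's KSK from its DNSKEY record, and check that the DS a registrar
# publishes matches the DNSKEY the zone actually serves. Pure standard library;
# the RFC 4034 key-tag and DS-digest algorithms are implemented directly.
import base64
import hashlib
import struct

# Sample input: the mozilla.com KSK (flags 257 = Zone Key + SEP, protocol 3,
# algorithm 7 = RSASHA1-NSEC3-SHA1) exactly as printed by dig in comment 10.
SAMPLE_KSK = (
    "mozilla.com. 600 IN DNSKEY 257 3 7 "
    "AwEAAbkxVPAP5UhOF4FmeKPlkXUkBZNxNIzeKZTykGJ9hFx6ml1FU2bv"
    "F7PAKf6qHJBm86uoTB2UzPiGbNSdV6rgE1T1RIX8cGt3iOATp3wNHh40"
    "gBh9RqFZGnUZOLNJzkoVvhQnvgo5nZBG4rfrMF9UpXs/EbAByduG6KiV"
    "SbXyrIWwgKumNr42uewGQjoFYisqFGf63ChfikverqEyvolxGewmeXKN"
    "th2+82NDy3fG1g9qF2sEf5ea1LzCv0PkSDqj5rzJcBFdEeJCHNLDMNAB"
    "DAMG+tj/J2+06DeizRTi2dCsXad+lKVVjhKymP6EL8AEtx/b3E6vfO6d"
    "lIzHqugcLD8="
)
# Constructed toy key (not a real key): 4 bytes of key material so the RFC 4034
# key tag can be checked by hand (it is 2063). example.test is a reserved name.
TOY_KSK = "example.test. 3600 IN DNSKEY 257 3 8 AQIDBA=="
# The .com DS record as shown by `host -t ds com.` in comment 1.
COM_DS_HOST_LINE = (
    "com has DS record 30909 8 2 "
    "E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766"
)

# DS digest types (RFC 4509 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase labels (RFC 4034 s6.2),
    each prefixed by its length, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: " + label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line: str):
    """Split a presentation-format DNSKEY RR into (owner, wire rdata).
    The base64 key material may be split over whitespace-separated chunks."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1: idx + 4])
    key = base64.b64decode("".join(tokens[idx + 4:]))
    return tokens[0], struct.pack("!HBB", flags, proto, alg) + key


def parse_ds(line: str):
    """Split a DS record from dig ('name IN DS tag alg type hex') or from
    host ('name has DS record tag alg type hex') into (tag, alg, type, hex)."""
    tokens = line.split()
    idx = tokens.index("DS")
    if tokens[idx + 1] == "record":  # host(1) output style
        idx += 1
    tag, alg, dtype = (int(t) for t in tokens[idx + 1: idx + 4])
    return tag, alg, dtype, "".join(tokens[idx + 4:]).upper()


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY rdata (every algorithm
    except the obsolete RSAMD5, which used a different rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line: str, digest_type: int = 2) -> str:
    """DS record (presentation format) for a DNSKEY, per RFC 4034 s5.1.4:
    digest = H(canonical owner name || DNSKEY rdata)."""
    owner, rdata = parse_dnskey(line)
    flags, _, alg = struct.unpack("!HBB", rdata[:4])
    if not flags & 0x0100:
        raise ValueError("not a zone key (Zone Key flag, bit 7, is clear)")
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True if the published DS authenticates this DNSKEY: key tag, algorithm
    and digest must all agree. Run this before and after a registrar change."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    if dtype not in DIGESTS:
        return False
    return parse_ds(ds_from_dnskey(dnskey_line, dtype)) == (tag, alg, dtype, digest)


if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_KSK))
    print("toy DS matches its DNSKEY:", ds_matches(TOY_KSK, ds_from_dnskey(TOY_KSK)))
```

Feeding `ds_from_dnskey` the KSK from the zone's own DNSKEY RRset and `ds_matches` the DS line returned by a resolver for the parent zone gives a yes/no answer that does not depend on any external debugger; a `False` on a live zone means resolvers that validate will SERVFAIL it, which is the situation the rollback in comment 17 avoided.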
Comment 17 (assignee)•10 years ago
Rolled this change back due to some concerns from the services team. We'll track updates in 948810.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 18 (assignee)•10 years ago
We need services buy-in with inventory; otherwise, this bug is not technically possible. R/WF until then.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → WONTFIX