+++ This bug was initially created as a clone of Bug #602423 +++
+++ This bug was initially created as a clone of Bug #586580 +++

Q4 goal for IT. I'm running point on this and so filing a bug for tracking.

.com isn't signed yet, so this will be an island of trust + ISC's dlv.
(In reply to comment #0)
> .com isn't signed yet

As of today, .com is properly signed in the root:

$ host -t ds com.
com has DS record 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766

Thus, it would be useful to have not only DNSSEC for mozilla.ORG (fixed bug 586580) but also for mozilla.COM (this bug), especially since many of the mozilla.ORG pages actually point to mozilla.COM. For instance:

bugzilla.mozilla.org is an alias for bugzilla-mozilla-org.geo.mozilla.com.
bugzilla-mozilla-org.geo.mozilla.com is an alias for dyna-bugzilla.nslb.sj.mozilla.com.
dyna-bugzilla.nslb.sj.mozilla.com has address 188.8.131.52
We will get this set up early in Q2.
> Thus, it would be useful to have not only DNSSEC for mozilla.ORG (fixed bug
> 586580) but also for mozilla.COM (this bug) - especially since many of the
> mozilla.ORG pages actually point to mozilla.COM: For instance:

And for this same reason we are going to take our time in the rollout so we minimize any negative impact/compatibility issues. There are also several initiatives we have in motion related to DNS, and this is one of them.
@Tobias, some of the complication here is that not all of the systems we have support DNSSEC (geo.mozilla.com, for instance). As Ravi pointed out, there's some infrastructure work that has to take place.
Issues related to bug 647254 are a good example of why we want to do a strategic rollout.
(In reply to comment #0)
> .com isn't signed yet, so this will be an island of trust + ISC's dlv.

.com is now signed, so removing the "island of trust" bit. Once we have all the pieces in place for this, we can do it for real now.
Alright, we've started signing zones now for mozilla.com and will (probably in 24 hours) start pushing those out to our nameservers as well, before sending DS records to our registrar.
(In reply to comment #7)
> Alright, we've started signing zones now for mozilla.com and will (probably
> in 24 hours) start pushing those out to our nameservers as well

Thanks! However, what's the current status? I couldn't find signed zones a week after the quoted announcement.
The announcement stated we would begin to publish the signed zones to our nameservers at 2200 PST (0500 UTC) Tuesday, May 24. I would wait 24h to see them in the wild.
We've started pushing these out now:

fox2mike@woodpecker ~ $ dig @184.108.40.206 +dnssec DNSKEY mozilla.com

; <<>> DiG 9.4.3-P5 <<>> @220.127.116.11 +dnssec DNSKEY mozilla.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39987
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mozilla.com. IN DNSKEY

;; ANSWER SECTION:
mozilla.com. 600 IN DNSKEY 257 3 7 AwEAAbkxVPAP5UhOF4FmeKPlkXUkBZNxNIzeKZTykGJ9hFx6ml1FU2bv F7PAKf6qHJBm86uoTB2UzPiGbNSdV6rgE1T1RIX8cGt3iOATp3wNHh40 gBh9RqFZGnUZOLNJzkoVvhQnvgo5nZBG4rfrMF9UpXs/EbAByduG6KiV SbXyrIWwgKumNr42uewGQjoFYisqFGf63ChfikverqEyvolxGewmeXKN th2+82NDy3fG1g9qF2sEf5ea1LzCv0PkSDqj5rzJcBFdEeJCHNLDMNAB DAMG+tj/J2+06DeizRTi2dCsXad+lKVVjhKymP6EL8AEtx/b3E6vfO6d lIzHqugcLD8=
mozilla.com. 600 IN DNSKEY 256 3 7 AwEAAa59e7KmG9RjQAO0bpT+gXo8Xn7wO//pr0jdj9zGkARj4E2LTcLo E6jlK4PpPpCylTTI3MGz9M/+lgF2+R8K/zCmMKDC3Pc0z0CzLT35NagY tMEpUrkxGbsJESEGUVXvxKinDfAg8KgK265rHIX9XKWraUErDCrxZKbi gEF27zH/
mozilla.com. 600 IN DNSKEY 256 3 7 AwEAAcWr34hxlz7JiCPRO8OMSVV4vechtcXmzMLts1N90tkXN3Tca0I/ vh1b8ECYrzNBZaxFGFnHuFuXSUcFdPYF227rLK7Fy6cBW1Um24cJJwGe SjUN6PS7SIukdlTeBvXms7qhuHJAQdkwmZ5rAde/clKgjwY+BPDGKuZD lqbAZ+pt
mozilla.com. 600 IN RRSIG DNSKEY 7 2 600 20110624063242 20110525063825 32717 mozilla.com. hX5lY44lr1hj3HMRU5wPfIbpCLJXGKkzTzmgiQe8gs8ePO230hIzVDtw HVwn6NlkRxiYSf8mrytBfZ0BS0M1VGWybzBFZGGF/pEKrfVunpSxcM2L PsUVFl6V+TrZoFsGyO4CEJN5jGFhspgWaIFJIukqBRY70n4EZ0yU8GfJ Jio=
mozilla.com. 600 IN RRSIG DNSKEY 7 2 600 20110624063638 20110525063825 31809 mozilla.com. S+jKWGbmrr8ikONWBp99/FYwtGXWst4UVxAe045KltfYweP6f6r2wGMn CRJlwLhC/Jf6Ninjo/xGsOj+/LxjKxhd+vDFcPEkZN0W2Ojh3AWee8hj cqlYBpLKrGQfWQRIokgAsO04xrajSdCaCUGCvpDvYwpseAT2hA7qe5Rl b+gTC3YwPNDktiNl6DQml6/mJW5iva5JYSHfux4Q9NwRa2IOy2M36Ghj XPI+Qm3g2uZl6R0k5dTX78iSnBXK4hfybFzCbJD6Eahxga+Q+JgCaYzr xYREdQ7EAUjG8FbJQHAbzQwGyF9Mx3DscFw0aOB1GSpddz02CCK//6S6 DruBCQ==
(In reply to comment #8)
> Thanks! However, what's the current status? I couldn't find signed zones a
> week after the quoted announcement.

That was delayed, because we decided to announce it...
http://blog.mozilla.com/it/2011/05/19/mozilla-change-notification-dnssec-%e2%80%93-05242011-10pm-pdt-05252011-0500-utc/
(In reply to comment #11)
> (In reply to comment #8)
> That was delayed, because we decided to announce it...

"Tuesday, May 24 at 10pm PDT (0500 UTC) DNSSEC Deployment"
"We will monitor this for 24 hours before submitting the respective DS keys to our registrar."

Seems to work rather flawlessly (as a user). Do you plan to push it?
(In reply to comment #12)
> Seems to work rather flawlessly (as user), do you plan to push it?

We do, but have some operational issues to iron out. I'm not going to rush this and have validation failures; it's far more prudent to take some time and think things through (and if I hadn't waited this long, I wouldn't have caught the current thing we're working to fix).
This will have to wait until we upgrade the Zeus GLBs we use to Zeus MSMs, which are DNSSEC capable, since the glb.mozilla.net domains are handled by global load balancers for DNS and doing this beforehand will break validation.
Up to Jabba's team to decide if we're moving forward with this.
We're now publishing DS records at MarkMonitor for mozilla.com.

Verified DNSSEC validation:
OK - http://dnssec-debugger.verisignlabs.com/mozilla.com
OK - http://dns.comcast.net/index.php/tools/cachecheck
OK - dig @18.104.22.168
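The step this comment describes, handing a DS record to the registrar, only validates if that DS was derived from the KSK actually served in the DNSKEY RRset. The following is an added example (not code from this bug or from Mozilla IT) that parses a DNSKEY line in the layout dig prints above, computes its RFC 4034 key tag and SHA-256 DS, and checks a registrar-side DS against it; the DNSKEY used is a constructed placeholder, not a real mozilla.com key.

```python
import base64
import hashlib

# Constructed DNSKEY presentation line in the layout dig prints; the key
# material is a made-up 4-byte placeholder, not a real Mozilla key.
SAMPLE_DNSKEY = "mozilla.com. 600 IN DNSKEY 257 3 8 AQID BA=="

def parse_dnskey(line):
    """Parse 'owner ttl IN DNSKEY flags proto alg key...' into its fields.
    dig wraps the base64 key over several space-separated chunks."""
    fields = line.split()
    if fields[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[4:7])
    key = base64.b64decode("".join(fields[7:]))
    return owner, flags, proto, alg, key

def dnskey_rdata(flags, proto, alg, key):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B (16-bit word sum with carry fold)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def wire_name(owner):
    """Canonical (lower-case) wire form of a fully qualified owner name."""
    out = b""
    for label in owner.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ds_record(owner, flags, proto, alg, key, digest_type=2):
    """DS RDATA text ('tag alg digest_type HEX'); digest_type 2 is SHA-256,
    1 is SHA-1; the digest covers owner name + DNSKEY RDATA (RFC 4034 5.1.4)."""
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    digest = h(wire_name(owner) + dnskey_rdata(flags, proto, alg, key)).hexdigest()
    return f"{key_tag(flags, proto, alg, key)} {alg} {digest_type} {digest.upper()}"

def ds_matches(ds_text, dnskey_line):
    """True if the DS published at the parent/registrar covers this DNSKEY.
    The digest may arrive split by spaces, as in the 'host -t ds' output."""
    tag, alg, digest_type, *digest = ds_text.split()
    owner, flags, proto, k_alg, key = parse_dnskey(dnskey_line)
    expected = ds_record(owner, flags, proto, k_alg, key, int(digest_type))
    return expected.split() == [tag, alg, digest_type, "".join(digest).upper()]
```

Run the check against every DNSKEY with flags 257 in the served RRset before the DS goes to the registrar; a mismatch means validators will fail the whole zone once the parent publishes it.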
Rolled this change back due to some concerns from the services team. We'll track updates in 948810.
We need services buy-in with inventory; otherwise, this bug is not technically possible. R/WF until then.