Bug 602424 - Implement DNSSEC for mozilla.com
Status: RESOLVED WONTFIX
Product: Infrastructure & Operations
Classification: Other
Component: Infrastructure: DNS
Version: other
Platform: x86 Linux
Importance: -- enhancement with 2 votes
Target Milestone: ---
Assigned To: Brian Hourigan [:digi]
QA Contact: Justin Dow [:jabba]
Duplicates: 948810
Depends on: 663878 948810
Reported: 2010-10-06 20:36 PDT by Shyam Mani [:fox2mike]
Modified: 2014-10-06 07:24 PDT
CC: 14 users

Description Shyam Mani [:fox2mike] 2010-10-06 20:36:30 PDT
+++ This bug was initially created as a clone of Bug #602423 +++

+++ This bug was initially created as a clone of Bug #586580 +++

Q4 goal for IT, I'm running point on this and so filing a bug for tracking.

.com isn't signed yet, so this will be an island of trust + ISC's dlv.
Comment 1 Tobias Burnus 2011-03-31 11:39:24 PDT
(In reply to comment #0)
> .com isn't signed yet

.com has been properly signed in the root since today:

$ host -t ds com.
com has DS record 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766


Thus, it would be useful to have not only DNSSEC for mozilla.ORG (fixed bug 586580) but also for mozilla.COM (this bug) - especially since many of the mozilla.ORG pages actually point to mozilla.COM: For instance:

bugzilla.mozilla.org is an alias for bugzilla-mozilla-org.geo.mozilla.com.
bugzilla-mozilla-org.geo.mozilla.com is an alias for dyna-bugzilla.nslb.sj.mozilla.com.
dyna-bugzilla.nslb.sj.mozilla.com has address 63.245.209.72
Comment 2 Corey Shields [:cshields] 2011-03-31 11:43:43 PDT
We will get this setup early in Q2
Comment 3 Ravi Pina [:ravi] 2011-03-31 11:49:35 PDT
> Thus, it would be useful to have not only DNSSEC for mozilla.ORG (fixed bug
> 586580) but also for mozilla.COM (this bug) - especially since many of the
> mozilla.ORG pages actually point to mozilla.COM: For instance:

And for this same reason we are going to take our time in the rollout so we minimize any negative impact/compatibility issues. There are also several initiatives we have in motion related to DNS and this is one of them.
Comment 4 matthew zeier [:mrz] 2011-03-31 12:27:32 PDT
@Tobias some of the complication here is that not all of the systems we have support DNSSEC (geo.mozilla.com for instance).  As Ravi pointed out, there's some infrastructure work that has to take place.
Comment 5 Ravi Pina [:ravi] 2011-04-02 12:58:25 PDT
Issues related to bug 647254 are a good example of why we want to do a strategic rollout.
Comment 6 Dave Miller [:justdave] (justdave@bugzilla.org) 2011-04-02 13:21:04 PDT
(In reply to comment #0)
> .com isn't signed yet, so this will be an island of trust + ISC's dlv.

.com is now signed, so removing the "island of trust" bit.  Once we have all the pieces in place for this we can do it for real now.
Comment 7 Shyam Mani [:fox2mike] 2011-05-18 05:02:40 PDT
Alright, we've started signing zones now for mozilla.com and will (probably in 24 hours) start pushing those out to our nameservers as well, before sending DS records to our registrar.
Comment 8 Tobias Burnus 2011-05-24 22:55:50 PDT
(In reply to comment #7)
> Alright, we've started signing zones now for mozilla.com and will (probably
> in 24 hours) start pushing those out to our nameservers as well

Thanks! However, what's the current status? I couldn't find signed zones a week after the quoted announcement.
Comment 9 Ravi Pina [:ravi] 2011-05-24 23:49:57 PDT
The announcement stated we would begin to publish the signed zones to our nameservers at 2200 PST (0500 UTC) Tuesday, May 24.  I would wait 24h to see them in the wild.
Comment 10 Shyam Mani [:fox2mike] 2011-05-25 02:35:07 PDT
We've started pushing these out now:

fox2mike@woodpecker ~ $ dig @4.2.2.2 +dnssec DNSKEY mozilla.com

; <<>> DiG 9.4.3-P5 <<>> @4.2.2.2 +dnssec DNSKEY mozilla.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39987
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mozilla.com.			IN	DNSKEY

;; ANSWER SECTION:
mozilla.com.		600	IN	DNSKEY	257 3 7 AwEAAbkxVPAP5UhOF4FmeKPlkXUkBZNxNIzeKZTykGJ9hFx6ml1FU2bv F7PAKf6qHJBm86uoTB2UzPiGbNSdV6rgE1T1RIX8cGt3iOATp3wNHh40 gBh9RqFZGnUZOLNJzkoVvhQnvgo5nZBG4rfrMF9UpXs/EbAByduG6KiV SbXyrIWwgKumNr42uewGQjoFYisqFGf63ChfikverqEyvolxGewmeXKN th2+82NDy3fG1g9qF2sEf5ea1LzCv0PkSDqj5rzJcBFdEeJCHNLDMNAB DAMG+tj/J2+06DeizRTi2dCsXad+lKVVjhKymP6EL8AEtx/b3E6vfO6d lIzHqugcLD8=
mozilla.com.		600	IN	DNSKEY	256 3 7 AwEAAa59e7KmG9RjQAO0bpT+gXo8Xn7wO//pr0jdj9zGkARj4E2LTcLo E6jlK4PpPpCylTTI3MGz9M/+lgF2+R8K/zCmMKDC3Pc0z0CzLT35NagY tMEpUrkxGbsJESEGUVXvxKinDfAg8KgK265rHIX9XKWraUErDCrxZKbi gEF27zH/
mozilla.com.		600	IN	DNSKEY	256 3 7 AwEAAcWr34hxlz7JiCPRO8OMSVV4vechtcXmzMLts1N90tkXN3Tca0I/ vh1b8ECYrzNBZaxFGFnHuFuXSUcFdPYF227rLK7Fy6cBW1Um24cJJwGe SjUN6PS7SIukdlTeBvXms7qhuHJAQdkwmZ5rAde/clKgjwY+BPDGKuZD lqbAZ+pt
mozilla.com.		600	IN	RRSIG	DNSKEY 7 2 600 20110624063242 20110525063825 32717 mozilla.com. hX5lY44lr1hj3HMRU5wPfIbpCLJXGKkzTzmgiQe8gs8ePO230hIzVDtw HVwn6NlkRxiYSf8mrytBfZ0BS0M1VGWybzBFZGGF/pEKrfVunpSxcM2L PsUVFl6V+TrZoFsGyO4CEJN5jGFhspgWaIFJIukqBRY70n4EZ0yU8GfJ Jio=
mozilla.com.		600	IN	RRSIG	DNSKEY 7 2 600 20110624063638 20110525063825 31809 mozilla.com. S+jKWGbmrr8ikONWBp99/FYwtGXWst4UVxAe045KltfYweP6f6r2wGMn CRJlwLhC/Jf6Ninjo/xGsOj+/LxjKxhd+vDFcPEkZN0W2Ojh3AWee8hj cqlYBpLKrGQfWQRIokgAsO04xrajSdCaCUGCvpDvYwpseAT2hA7qe5Rl b+gTC3YwPNDktiNl6DQml6/mJW5iva5JYSHfux4Q9NwRa2IOy2M36Ghj XPI+Qm3g2uZl6R0k5dTX78iSnBXK4hfybFzCbJD6Eahxga+Q+JgCaYzr xYREdQ7EAUjG8FbJQHAbzQwGyF9Mx3DscFw0aOB1GSpddz02CCK//6S6 DruBCQ==
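Comment 7 mentions sending DS records to the registrar once the signed zone is published, and comment 10 shows the DNSKEY RRset that those DS records are derived from. The following added example (not code from this bug or from Mozilla IT) computes the key tag (RFC 4034 Appendix B) and the DS RDATA (RFC 4034 section 5.1.4) from dig's presentation-format output, using the KSK line quoted above as sample input; the RRSIG signature fields in the sample are replaced by a placeholder since only their key tags are used.

```python
import base64
import hashlib
import struct

# Sample input: the KSK and the two RRSIG records from the `dig +dnssec DNSKEY mozilla.com`
# output quoted in comment 10; the signature fields are replaced by a placeholder because
# only the RRSIG key tags are needed here.
SAMPLE_DIG_OUTPUT = """\
mozilla.com.  600  IN  DNSKEY  257 3 7 AwEAAbkxVPAP5UhOF4FmeKPlkXUkBZNxNIzeKZTykGJ9hFx6ml1FU2bv F7PAKf6qHJBm86uoTB2UzPiGbNSdV6rgE1T1RIX8cGt3iOATp3wNHh40 gBh9RqFZGnUZOLNJzkoVvhQnvgo5nZBG4rfrMF9UpXs/EbAByduG6KiV SbXyrIWwgKumNr42uewGQjoFYisqFGf63ChfikverqEyvolxGewmeXKN th2+82NDy3fG1g9qF2sEf5ea1LzCv0PkSDqj5rzJcBFdEeJCHNLDMNAB DAMG+tj/J2+06DeizRTi2dCsXad+lKVVjhKymP6EL8AEtx/b3E6vfO6d lIzHqugcLD8=
mozilla.com.  600  IN  RRSIG  DNSKEY 7 2 600 20110624063242 20110525063825 32717 mozilla.com. SIGNATURE-OMITTED
mozilla.com.  600  IN  RRSIG  DNSKEY 7 2 600 20110624063638 20110525063825 31809 mozilla.com. SIGNATURE-OMITTED
"""

def name_to_wire(name):
    # Canonical wire form of the owner name (RFC 4034 section 6.2): lowercase, length-prefixed labels.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    # DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the raw public key.
    # dig prints the key in space-separated chunks, so strip all whitespace before decoding.
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode("".join(pubkey_b64.split()))

def key_tag(rdata):
    # RFC 4034 Appendix B: 16-bit sum over the RDATA, the number dig shows in RRSIG and DS records.
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    # RFC 4034 section 5.1.4: digest over owner name (wire form) + DNSKEY RDATA.
    # Returns the DS RDATA fields (key tag, algorithm, digest type, digest) as published at the registrar.
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_records_for(dig_text):
    # Build a DS for every key with the SEP bit (flags value 1) set, and report whether that key's
    # tag appears among the RRSIGs over the DNSKEY RRset; a DS for a key that does not sign the
    # RRset would break the chain of trust as soon as the parent publishes it.
    keys, sig_tags = [], set()
    for fields in (line.split() for line in dig_text.splitlines()):
        if len(fields) > 7 and fields[3] == "DNSKEY" and int(fields[4]) & 1:
            keys.append((fields[0], int(fields[4]), int(fields[5]), int(fields[6]), "".join(fields[7:])))
        elif len(fields) > 11 and fields[3] == "RRSIG" and fields[4] == "DNSKEY":
            sig_tags.add(int(fields[10]))
    results = []
    for key in keys:
        ds = ds_record(*key)
        results.append((ds, ds[0] in sig_tags))
    return results
```

Calling `ds_records_for(SAMPLE_DIG_OUTPUT)` yields one `(key_tag, algorithm, digest_type, digest)` tuple for the KSK together with a flag saying whether that tag matches one of the two RRSIGs over the DNSKEY RRset, which is the sanity check worth doing before handing a DS to the registrar.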
Comment 11 Shyam Mani [:fox2mike] 2011-05-25 02:36:44 PDT
(In reply to comment #8)

> Thanks! However, what's the current status? I couldn't find signed zones a
> week after the quoted announcement.

That was delayed, because we decided to announce it...

http://blog.mozilla.com/it/2011/05/19/mozilla-change-notification-dnssec-%e2%80%93-05242011-10pm-pdt-05252011-0500-utc/
Comment 12 Tobias Burnus 2011-05-30 06:00:16 PDT
(In reply to comment #11)
> (In reply to comment #8)
> That was delayed, because we decided to announce it...

"Tuesday, May 24 at 10pm PDT (0500 UTC) DNSSEC Deployment"

"We will monitor this for 24 hours before submitting the respective DS keys to our registrar."

Seems to work rather flawlessly (as user), do you plan to push it?
Comment 13 Shyam Mani [:fox2mike] 2011-06-01 00:03:46 PDT
(In reply to comment #12)

> Seems to work rather flawlessly (as user), do you plan to push it?

We do, but have some operational issues to iron out. I'm not going to rush this and have validation failures; it's far more prudent to take some time and think things through (and if I hadn't waited this long, I wouldn't have caught the current thing we're working to fix).
Comment 14 Shyam Mani [:fox2mike] 2011-06-13 10:26:36 PDT
This will have to wait until we upgrade the Zeus GLBs we use to Zeus MSMs, which are DNSSEC capable, since the glb.mozilla.net domains are handled by global load balancers for DNS and doing this beforehand will break validation.
Comment 15 Shyam Mani [:fox2mike] 2012-09-10 02:38:24 PDT
Up to Jabba's team to decide if we're moving forward with this.
Comment 16 Brian Hourigan [:digi] 2013-12-14 17:42:02 PST
We're now publishing DS records at MarkMonitor for mozilla.com. Verified DNSSEC validation:

OK - http://dnssec-debugger.verisignlabs.com/mozilla.com
OK - http://dns.comcast.net/index.php/tools/cachecheck
OK - dig @8.8.8.8
Comment 17 Brian Hourigan [:digi] 2013-12-16 09:17:38 PST
Rolled this change back due to some concerns from the services team. We'll track updates in 948810.
Comment 18 Brian Hourigan [:digi] 2014-06-17 07:25:53 PDT
We need services buy-in with inventory; otherwise, this bug is not technically possible. R/WF until then.
Comment 19 Brian Hourigan [:digi] 2014-06-17 07:26:24 PDT
*** Bug 948810 has been marked as a duplicate of this bug. ***
Comment 20 Curtis Koenig [:curtisk-use curtis.koenig+bzATgmail.com]] 2014-10-06 07:24:11 PDT
*** Bug 1077847 has been marked as a duplicate of this bug. ***