Closed Bug 602424 Opened 14 years ago Closed 10 years ago

Implement DNSSEC for mozilla.com

Categories

(Infrastructure & Operations :: DNS and Domain Registration, task)



RESOLVED WONTFIX

People

(Reporter: fox2mike, Assigned: bhourigan)


+++ This bug was initially created as a clone of Bug #602423 +++

+++ This bug was initially created as a clone of Bug #586580 +++

Q4 goal for IT, I'm running point on this and so filing a bug for tracking.

.com isn't signed yet, so this will be an island of trust + ISC's dlv.
Whiteboard: [q4] → [q4] - dec.
Whiteboard: [q4] - dec. → [q1] carryover
Component: Server Operations → Server Operations: Projects
Whiteboard: [q1] carryover → [q1] [after ffx4]
(In reply to comment #0)
> .com isn't signed yet

.com has been properly signed in the root since today:

$ host -t ds com.
com has DS record 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766


Thus, it would be useful to have not only DNSSEC for mozilla.ORG (fixed bug 586580) but also for mozilla.COM (this bug) - especially since many of the mozilla.ORG pages actually point to mozilla.COM, for instance:

bugzilla.mozilla.org is an alias for bugzilla-mozilla-org.geo.mozilla.com.
bugzilla-mozilla-org.geo.mozilla.com is an alias for dyna-bugzilla.nslb.sj.mozilla.com.
dyna-bugzilla.nslb.sj.mozilla.com has address 63.245.209.72
We will get this set up early in Q2.
Whiteboard: [q1] [after ffx4] → [q2]
 
> Thus, it would be useful to have not only DNSSEC for mozilla.ORG (fixed bug
> 586580) but also for mozilla.COM (this bug) - especially since many of the
> mozilla.ORG pages actually point to mozilla.COM: For instance:

And for this same reason we are going to take our time in the rollout so we minimize any negative impact/compatibility issues.  There are also several initiatives we have in motion related to DNS and this is one of them.
@Tobias some of the complication here is that not all of the systems we have support DNSSEC (geo.mozilla.com for instance).  As Ravi pointed out, there's some infrastructure work that has to take place.
Issues related to bug 647254 are a good example of why we want to do a strategic rollout.
(In reply to comment #0)
> .com isn't signed yet, so this will be an island of trust + ISC's dlv.

.com is now signed, so removing the "island of trust" bit.  Once we have all the pieces in place for this we can do it for real now.
Summary: Implement DNSSEC (island of trust + dlv) for mozilla.com → Implement DNSSEC for mozilla.com
Component: Server Operations: Projects → Server Operations
Alright, we've started signing zones now for mozilla.com and will (probably in 24 hours) start pushing those out to our nameservers as well, before sending DS records to our registrar.
(In reply to comment #7)
> Alright, we've started signing zones now for mozilla.com and will (probably
> in 24 hours) start pushing those out to our nameservers as well

Thanks! However, what's the current status? I couldn't find signed zones a week after the quoted announcement.
The announcement stated we would begin to publish the signed zones to our nameservers at 2200 PST (0500 UTC) Tuesday, May 24.  I would wait 24h to see them in the wild.
We've started pushing these out now:

fox2mike@woodpecker ~ $ dig @4.2.2.2 +dnssec DNSKEY mozilla.com

; <<>> DiG 9.4.3-P5 <<>> @4.2.2.2 +dnssec DNSKEY mozilla.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39987
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mozilla.com.			IN	DNSKEY

;; ANSWER SECTION:
mozilla.com.		600	IN	DNSKEY	257 3 7 AwEAAbkxVPAP5UhOF4FmeKPlkXUkBZNxNIzeKZTykGJ9hFx6ml1FU2bv F7PAKf6qHJBm86uoTB2UzPiGbNSdV6rgE1T1RIX8cGt3iOATp3wNHh40 gBh9RqFZGnUZOLNJzkoVvhQnvgo5nZBG4rfrMF9UpXs/EbAByduG6KiV SbXyrIWwgKumNr42uewGQjoFYisqFGf63ChfikverqEyvolxGewmeXKN th2+82NDy3fG1g9qF2sEf5ea1LzCv0PkSDqj5rzJcBFdEeJCHNLDMNAB DAMG+tj/J2+06DeizRTi2dCsXad+lKVVjhKymP6EL8AEtx/b3E6vfO6d lIzHqugcLD8=
mozilla.com.		600	IN	DNSKEY	256 3 7 AwEAAa59e7KmG9RjQAO0bpT+gXo8Xn7wO//pr0jdj9zGkARj4E2LTcLo E6jlK4PpPpCylTTI3MGz9M/+lgF2+R8K/zCmMKDC3Pc0z0CzLT35NagY tMEpUrkxGbsJESEGUVXvxKinDfAg8KgK265rHIX9XKWraUErDCrxZKbi gEF27zH/
mozilla.com.		600	IN	DNSKEY	256 3 7 AwEAAcWr34hxlz7JiCPRO8OMSVV4vechtcXmzMLts1N90tkXN3Tca0I/ vh1b8ECYrzNBZaxFGFnHuFuXSUcFdPYF227rLK7Fy6cBW1Um24cJJwGe SjUN6PS7SIukdlTeBvXms7qhuHJAQdkwmZ5rAde/clKgjwY+BPDGKuZD lqbAZ+pt
mozilla.com.		600	IN	RRSIG	DNSKEY 7 2 600 20110624063242 20110525063825 32717 mozilla.com. hX5lY44lr1hj3HMRU5wPfIbpCLJXGKkzTzmgiQe8gs8ePO230hIzVDtw HVwn6NlkRxiYSf8mrytBfZ0BS0M1VGWybzBFZGGF/pEKrfVunpSxcM2L PsUVFl6V+TrZoFsGyO4CEJN5jGFhspgWaIFJIukqBRY70n4EZ0yU8GfJ Jio=
mozilla.com.		600	IN	RRSIG	DNSKEY 7 2 600 20110624063638 20110525063825 31809 mozilla.com. S+jKWGbmrr8ikONWBp99/FYwtGXWst4UVxAe045KltfYweP6f6r2wGMn CRJlwLhC/Jf6Ninjo/xGsOj+/LxjKxhd+vDFcPEkZN0W2Ojh3AWee8hj cqlYBpLKrGQfWQRIokgAsO04xrajSdCaCUGCvpDvYwpseAT2hA7qe5Rl b+gTC3YwPNDktiNl6DQml6/mJW5iva5JYSHfux4Q9NwRa2IOy2M36Ghj XPI+Qm3g2uZl6R0k5dTX78iSnBXK4hfybFzCbJD6Eahxga+Q+JgCaYzr xYREdQ7EAUjG8FbJQHAbzQwGyF9Mx3DscFw0aOB1GSpddz02CCK//6S6 DruBCQ==
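An added example (not code from this bug or from Mozilla IT) of the step comment 7 describes, deriving the DS record that goes to the registrar from a DNSKEY, and of the check behind the later "Verified DNSSEC validation": the RFC 4034 key tag and DS digest computed from the KSK (flags 257) line in the dig output above. The helper names are this example's own.

```python
import base64
import hashlib
import struct

# KSK (flags 257) DNSKEY line copied from the dig output in this bug; dig wraps
# the base64 key with spaces, which the parser below tolerates.
MOZILLA_KSK_LINE = (
    "mozilla.com. 600 IN DNSKEY 257 3 7 "
    "AwEAAbkxVPAP5UhOF4FmeKPlkXUkBZNxNIzeKZTykGJ9hFx6ml1FU2bv "
    "F7PAKf6qHJBm86uoTB2UzPiGbNSdV6rgE1T1RIX8cGt3iOATp3wNHh40 "
    "gBh9RqFZGnUZOLNJzkoVvhQnvgo5nZBG4rfrMF9UpXs/EbAByduG6KiV "
    "SbXyrIWwgKumNr42uewGQjoFYisqFGf63ChfikverqEyvolxGewmeXKN "
    "th2+82NDy3fG1g9qF2sEf5ea1LzCv0PkSDqj5rzJcBFdEeJCHNLDMNAB "
    "DAMG+tj/J2+06DeizRTi2dCsXad+lKVVjhKymP6EL8AEtx/b3E6vfO6d "
    "lIzHqugcLD8="
)

def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return struct.pack("!HBB", flags, protocol, algorithm) + key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum of big-endian 16-bit words, carry folded in."""
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2) -> str:
    """DS RDATA ("keytag algorithm digesttype HEX") the registrar publishes in the parent."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    hash_name = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]  # RFC 4034/4509/6605
    digest = hashlib.new(hash_name, name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"

def parse_dnskey_line(line: str):
    """Split a presentation-format DNSKEY RR (as dig prints it) into its fields."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], flags, protocol, algorithm, "".join(fields[i + 4:])

def mozilla_ksk_ds() -> str:
    """DS for the KSK above; compare it with the DS the com zone publishes for mozilla.com."""
    owner, flags, protocol, algorithm, key = parse_dnskey_line(MOZILLA_KSK_LINE)
    return f"{owner} IN DS {ds_from_dnskey(owner, flags, protocol, algorithm, key)}"
```

A mismatch between this output and `dig +dnssec DS mozilla.com` at the parent is exactly the validation failure the later comments worry about.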
(In reply to comment #8)

> Thanks! However, what's the current status? I couldn't find signed zones a
> week after the quoted announcement.

That was delayed, because we decided to announce it...

http://blog.mozilla.com/it/2011/05/19/mozilla-change-notification-dnssec-%e2%80%93-05242011-10pm-pdt-05252011-0500-utc/
(In reply to comment #11)
> (In reply to comment #8)
> That was delayed, because we decided to announce it...

"Tuesday, May 24 at 10pm PDT (0500 UTC) DNSSEC Deployment"

"We will monitor this for 24 hours before submitting the respective DS keys to our registrar."

Seems to work rather flawlessly (as user), do you plan to push it?
(In reply to comment #12)

> Seems to work rather flawlessly (as user), do you plan to push it?

We do, but have some operational issues to iron out. I'm not going to rush this and have validation failures, it's far more prudent to take some time and think things through (and if I hadn't waited this long, I wouldn't have caught the current thing we're working to fix).
This will have to wait until we upgrade the Zeus GLBs we use to Zeus MSMs, which are DNSSEC capable, since the glb.mozilla.net domains are handled by global load balancers for DNS and doing this beforehand will break validation.
Whiteboard: [q2] → Waiting on Zeus GLB -> MSM [q2]
Depends on: 663878
Whiteboard: Waiting on Zeus GLB -> MSM [q2]
Up to Jabba's team to decide if we're moving forward with this.
Assignee: shyam → server-ops-infra
Component: Server Operations → Server Operations: Infrastructure
QA Contact: mrz → jdow
Severity: normal → enhancement
Assignee: server-ops-infra → bhourigan
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations
Component: Infrastructure: Other → Infrastructure: DNS
We're now publishing DS records at MarkMonitor for mozilla.com. Verified DNSSEC validation:

OK - http://dnssec-debugger.verisignlabs.com/mozilla.com
OK - http://dns.comcast.net/index.php/tools/cachecheck
OK - dig @8.8.8.8
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Rolled this change back due to some concerns from the services team. We'll track updates in 948810.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
We need services buy-in with inventory; otherwise, this bug is not technically possible. R/WF until then.
Status: REOPENED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX