Closed Bug 872927 Opened 11 years ago Closed 11 years ago

monitoring: add full validation of dnssec-signed zones

Categories

(Infrastructure & Operations :: DNS and Domain Registration, task)

x86
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Atoll, Assigned: bhourigan)

References

Details

During the ZSK and KSK rotation, we encountered DNSSEC validation issues with the published records. It would be useful to set up (ideally external) monitoring of our DNSSEC zones to ensure that they're validating correctly.

We found that the dnsviz tool [1] was able to identify issues in real time, without any interference from DNS caches.

(If this service is provided by Akamai, then this bug would be resolved by some sort of link between our monitoring and Akamai's.)
Group: infra
Punting over to infra to figure out how we'd do it. The SREs can help implement.
Assignee: server-ops → server-ops-infra
Component: Server Operations → Server Operations: Infrastructure
QA Contact: shyam → jdow
Assignee: server-ops-infra → bhourigan
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations
Component: Infrastructure: Other → Infrastructure: DNS
Initially I was looking into server-side tools to perform recursive dnssec validated lookups. I found a few options but nothing was a good fit for what we need.

I think the simplest solution is to perform dns queries against Google's public dnssec validating resolver[0], and check for the proper response.

bhourigan@digi-2 ~ » dig +short www.dnssec-failed.org @8.8.8.8
bhourigan@digi-2 ~ » dig +short www.dnssec-failed.org @4.2.2.2
69.252.208.135
69.252.216.215

[0] http://googleonlinesecurity.blogspot.com/2013/03/google-public-dns-now-supports-dnssec.html
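As an added example (not code from this bug, from Mozilla's monitoring, or from the r70179 change): a probe that does what the two dig queries above do, written on the raw DNS wire format so the two bits that matter are visible. The query carries the EDNS DO bit (what `dig +dnssec` sets) and the reply is judged by RCODE and the AD flag: a validating resolver answers a bogus zone with SERVFAIL (which is why `dig +short` printed nothing for 8.8.8.8), a correctly signed zone with NOERROR and AD=1, and an unsigned zone with NOERROR and AD=0. Querying a non-validating control resolver for the same name separates "zone is bogus" from "zone is down", and querying the validating resolver for the known-bad www.dnssec-failed.org confirms that it still validates at all. The resolver addresses 8.8.8.8 and 4.2.2.2 and the dnssec-failed.org name come from the comment; the function names, verdict strings, and the constructed sample replies are assumptions made for this example.

```python
"""DNSSEC validation probe (added example).

Query a validating resolver with the EDNS DO bit set and classify the reply by
RCODE and the AD flag. A non-validating control resolver tells a bogus zone
apart from an unreachable one. Only the 12-byte header is inspected, which is
all the verdict needs.
"""
import secrets
import socket
import struct

RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020
QTYPE_A, QTYPE_OPT, CLASS_IN = 1, 41, 1
EDNS_DO = 0x80000000  # DO bit: high bit of the OPT RR's 32-bit TTL field


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Wire-format query: RD and AD set in the header, one OPT RR with DO=1."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    question = name + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def classify(reply, expected_txid):
    """Map a raw reply to: validated, insecure, servfail, nxdomain, truncated or error."""
    if len(reply) < 12:
        return "error"
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != expected_txid or not flags & FLAG_QR:
        return "error"  # not an answer to our question
    if flags & FLAG_TC:
        return "truncated"  # a real monitor would retry over TCP here
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        return "servfail"
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode != RCODE_NOERROR:
        return "error"
    # NOERROR: AD=1 means the resolver validated the chain; AD=0 means unsigned or unvalidated
    return "validated" if flags & FLAG_AD else "insecure"


def assess(validating, control):
    """Combine the verdicts from the validating resolver and the non-validating control."""
    if validating == "validated":
        return "OK"
    if validating == "servfail" and control in ("insecure", "validated"):
        return "CRITICAL: validation failure (control resolves, validating resolver SERVFAILs)"
    if validating == "servfail" and control == "servfail":
        return "CRITICAL: zone unreachable from both resolvers"
    if validating == "insecure":
        return "CRITICAL: resolved without AD (unsigned, or DS chain missing)"
    return f"UNKNOWN: validating={validating} control={control}"


def make_reply(txid, rcode, ad, ancount=0):
    """Constructed reply header for offline use; not captured traffic."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def probe(qname, resolver, timeout=3.0):
    """Live UDP query (needs network); returns a classify() verdict or 'timeout'."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, txid=txid), (resolver, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(data, txid)


if __name__ == "__main__":
    import sys

    zone = sys.argv[1]  # the zone apex to monitor
    validating, control = "8.8.8.8", "4.2.2.2"  # resolvers from the comment above
    # Sanity check: a validating resolver must reject the known-bad test zone.
    if probe("www.dnssec-failed.org", validating) != "servfail":
        print("UNKNOWN: validating resolver did not reject www.dnssec-failed.org")
        sys.exit(3)
    verdict = assess(probe(zone, validating), probe(zone, control))
    print(verdict)
    sys.exit(0 if verdict == "OK" else 2)
```

Run as `python3 probe.py example.org`; the exit codes follow the Nagios convention (0 OK, 2 CRITICAL, 3 UNKNOWN) so it can be dropped into a check, which is an assumption of this example rather than anything the bug specifies. The dnssec-failed.org pre-check is the important part for an external monitor: without it, a validating resolver silently switching validation off would make every zone look "validated" or, worse, "insecure" and page the on-call for the wrong reason.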
Group: mozilla-corporation-confidential
Landed this fix in r70179.
Group: mozilla-corporation-confidential
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED