Closed
Bug 872927
Opened 11 years ago
Closed 11 years ago
monitoring: add full validation of dnssec-signed zones
Categories
(Infrastructure & Operations :: DNS and Domain Registration, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: Atoll, Assigned: bhourigan)
Details
During the ZSK and KSK rotation, we encountered DNSSEC validation issues with the published records. It would be useful to set up (ideally external) monitoring of our DNSSEC zones to ensure that they're validating correctly. We found that the dnsviz tool [1] was able to identify issues in real time, without any interference from DNS caches. (If this service is provided by Akamai, then this bug would be resolved by some sort of link between our monitoring and Akamai's.)
Updated•11 years ago
Group: infra
Comment 1•11 years ago
Punting over to infra to figure out how we'd do it. The SREs can help implement.
Assignee: server-ops → server-ops-infra
Component: Server Operations → Server Operations: Infrastructure
QA Contact: shyam → jdow
Updated•11 years ago
Assignee: server-ops-infra → bhourigan
Updated•11 years ago
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations
Updated•11 years ago
Component: Infrastructure: Other → Infrastructure: DNS
Assignee
Comment 2•11 years ago
Initially I was looking into server-side tools to perform recursive DNSSEC-validated lookups. I found a few options but nothing was a good fit for what we need. I think the simplest solution is to perform DNS queries against Google's public DNSSEC-validating resolver [0], and check for the proper response.

bhourigan@digi-2 ~ » dig +short www.dnssec-failed.org @8.8.8.8
bhourigan@digi-2 ~ » dig +short www.dnssec-failed.org @4.2.2.2
69.252.208.135
69.252.216.215

[0] http://googleonlinesecurity.blogspot.com/2013/03/google-public-dns-now-supports-dnssec.html
Group: mozilla-corporation-confidential
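The check proposed in comment 2, sketched as an added example (this is not the change that landed in r70179, which this page does not show). It goes beyond `+short` by reading the reply header: the AD flag marks a validated answer, and a second query with checking disabled (`+cdflag`) separates a DNSSEC validation failure from an ordinary outage. The function names and sample replies are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a name's DNSSEC state from two dig replies taken from
# a validating resolver (a normal query, then the same query with +cdflag).

# Pull one header field out of dig's text output.
rcode() { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }
flags() { printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1; }

# classify NORMAL_REPLY CD_REPLY -> prints secure | insecure | bogus | error
classify() {
    status=$(rcode "$1")
    cd_status=$(rcode "$2")
    case "$status" in
        NOERROR)
            # AD is set only when the resolver validated the answer.
            case " $(flags "$1") " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL)
            # Data comes back once checking is disabled: validation is what failed.
            if [ "$cd_status" = NOERROR ]; then echo bogus; else echo error; fi ;;
        *)  echo error ;;   # timeout, NXDOMAIN, REFUSED: not a DNSSEC verdict
    esac
}

# check_zone NAME RESOLVER EXPECTED_STATE -> Nagios-style status (0 OK, 2 CRITICAL)
check_zone() {
    normal=$(dig +dnssec +time=3 +tries=2 "$1" A "@$2")
    nocheck=$(dig +dnssec +cdflag +time=3 +tries=2 "$1" A "@$2")
    state=$(classify "$normal" "$nocheck")
    if [ "$state" = "$3" ]; then echo "OK: $1 is $state via $2"; return 0; fi
    echo "CRITICAL: $1 is $state via $2, expected $3"; return 2
}

# Constructed sample reply headers, so classify can be exercised offline.
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

Running `check_zone www.dnssec-failed.org 8.8.8.8 bogus` alongside the checks for the signed zones acts as a canary: if that name ever stops classifying as bogus, the resolver is no longer validating and an OK on the real zones means nothing.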
Assignee
Comment 3•11 years ago
Landed this fix in r70179.
Group: mozilla-corporation-confidential
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED