monitoring: add full validation of dnssec-signed zones

Status: RESOLVED FIXED
Product: Infrastructure & Operations
Component: Infrastructure: DNS
Reported: 4 years ago
Modified: 4 years ago

(Reporter: atoll, Assigned: digi)

Description (Reporter), 4 years ago
During the ZSK and KSK rotation, we encountered DNSSEC validation issues with the published records. It would be useful to set up (ideally external) monitoring of our DNSSEC zones to ensure that they're validating correctly.

We found that the dnsviz tool [1] was able to identify issues in real time, without any interference from DNS caches.

(If this service is provided by Akamai, then this bug would be resolved by some sort of link between our monitoring and Akamai's.)
Group: infra
Punting over to infra to figure out how we'd do it. The SREs can help implement.
Assignee: server-ops → server-ops-infra
Component: Server Operations → Server Operations: Infrastructure
QA Contact: shyam → jdow

Updated

4 years ago
Assignee: server-ops-infra → bhourigan
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations

Updated

4 years ago
Component: Infrastructure: Other → Infrastructure: DNS
Comment 2 (Assignee), 4 years ago
Initially I was looking into server-side tools to perform recursive DNSSEC-validated lookups. I found a few options but nothing was a good fit for what we need.

I think the simplest solution is to perform DNS queries against Google's public DNSSEC-validating resolver [0], and check for the proper response.

bhourigan@digi-2 ~ » dig +short www.dnssec-failed.org @8.8.8.8
bhourigan@digi-2 ~ » dig +short www.dnssec-failed.org @4.2.2.2
69.252.208.135
69.252.216.215

[0] http://googleonlinesecurity.blogspot.com/2013/03/google-public-dns-now-supports-dnssec.html
Group: mozilla-corporation-confidential
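A monitoring check built on the approach in comment 2, added here as an example; it is not the code landed in r70179, which this page does not show. It assumes dig (BIND utilities) is installed and that the resolver at 8.8.8.8 validates DNSSEC, as the announcement linked at [0] states; the hostnames in the usage line are placeholders. It goes one step beyond `dig +short`: an empty +short answer does not distinguish a validation failure (SERVFAIL) from a name that simply has no records of that type, so the check reads the rcode and the AD (authenticated data) flag instead, and it repeats each query with +cd (checking disabled). A SERVFAIL that turns into NOERROR with CD set means the data is reachable and only validation fails, which is the broken-rotation case this bug is about, whereas SERVFAIL under both is a resolver or network problem.

```shell
#!/bin/sh
# Added example: verify that a validating public resolver (8.8.8.8, per comment 2)
# still validates our zones. Not the fix landed in r70179; hostnames are placeholders.
# Requires: dig (BIND utilities). POSIX sh, no bashisms.

RESOLVER="${RESOLVER:-8.8.8.8}"

# rcode from a dig run made with "+noall +comments": NOERROR, SERVFAIL, NXDOMAIN, ...
# dig prints: ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345"
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' |
        head -n 1
}

# True when the AD flag is set, i.e. the resolver validated the answer.
# dig prints: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# classify PLAIN_OUTPUT CD_OUTPUT -> SECURE | INSECURE | BOGUS | NXDOMAIN | ERROR
#   SECURE   : NOERROR with AD set (signed and validated)
#   INSECURE : NOERROR without AD (unsigned zone, or the resolver is not validating)
#   BOGUS    : SERVFAIL normally but NOERROR with +cd: data is there, validation fails
#   ERROR    : SERVFAIL even with +cd, or no parsable header (outage, timeout)
classify() {
    st=$(dig_status "$1")
    cd_st=$(dig_status "$2")
    case "$st" in
        NOERROR)
            if dig_has_ad "$1"; then echo SECURE; else echo INSECURE; fi ;;
        SERVFAIL)
            if [ "$cd_st" = NOERROR ]; then echo BOGUS; else echo ERROR; fi ;;
        NXDOMAIN) echo NXDOMAIN ;;
        '') echo ERROR ;;
        *) echo "$st" ;;
    esac
}

# check_name NAME [TYPE] -> classification for one record (needs network access).
# +dnssec sets the DO bit so a validating resolver reports AD; +cd disables checking.
check_name() {
    name="$1"; rtype="${2:-A}"
    plain=$(dig +dnssec +noall +comments "$rtype" "$name" "@$RESOLVER" 2>/dev/null)
    withcd=$(dig +dnssec +cd +noall +comments "$rtype" "$name" "@$RESOLVER" 2>/dev/null)
    classify "$plain" "$withcd"
}

# Monitoring entry point: one line per name, exit 2 unless every name is SECURE,
# which is what a Nagios-style check wants.
# Usage: ./dnssec_check.sh www.example.com mail.example.com
main_check() {
    rc=0
    for n in "$@"; do
        result=$(check_name "$n")
        echo "$n $result"
        [ "$result" = SECURE ] || rc=2
    done
    return $rc
}

if [ $# -gt 0 ]; then
    main_check "$@"
fi
```

Running this from a host outside the corporate network gives the external view the reporter asked for; the classification stays the same if RESOLVER points at a local validating resolver, but then the check is only as independent as that resolver's trust anchors and cache. Treating INSECURE as a failure for zones that are known to be signed catches the case where the DS record at the parent has been dropped, which a plain SERVFAIL test never sees.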
Comment 3 (Assignee), 4 years ago
Landed this fix in r70179.
Group: mozilla-corporation-confidential
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED