Last Comment Bug 872927 - monitoring: add full validation of dnssec-signed zones
: monitoring: add full validation of dnssec-signed zones
Status: RESOLVED FIXED
:
Product: Infrastructure & Operations
Classification: Other
Component: Infrastructure: DNS (show other bugs)
: other
: x86 Mac OS X
: -- normal with 1 vote (vote)
: ---
Assigned To: Brian Hourigan [:digi]
: Justin Dow [:jabba]
Mentors:
Depends on:
Blocks: 872818
  Show dependency treegraph
 
Reported: 2013-05-15 23:43 PDT by Richard Soderberg [:atoll]
Modified: 2013-07-02 18:50 PDT (History)
3 users (show)
See Also:
Due Date:
QA Whiteboard:
Iteration: ---
Points: ---
Cab Review: ServiceNow Change Request (use flag)


Attachments

Description Richard Soderberg [:atoll] 2013-05-15 23:43:34 PDT
During the ZSK and KSK rotation, we encountered DNSSEC validation issues with the published records. It would be useful to set up (ideally external) monitoring of our DNSSEC zones to ensure that they're validating correctly.

We found that the dnsviz tool [1] was able to identify issues realtime, without any interference from DNS caches.

(If this service is provided by Akamai, then this bug would be resolved by some sort of link between our monitoring and Akamai's.)
Comment 1 Shyam Mani [:fox2mike] 2013-05-16 17:49:45 PDT
Punting over to infra to figure out how we'd do it. The SREs can help implement.
Comment 2 Brian Hourigan [:digi] 2013-07-02 11:06:27 PDT
Initially I was looking into server-side tools to perform recursive dnssec validated lookups. I found a few options but nothing was a good fit for what we need.

I think the simplest solution is to perform dns queries against Google's public dnssec validating resolver[0], and check for the proper response.

bhourigan@digi-2 ~ » dig +short www.dnssec-failed.org @8.8.8.8
bhourigan@digi-2 ~ » dig +short www.dnssec-failed.org @4.2.2.2
69.252.208.135
69.252.216.215

[0] http://googleonlinesecurity.blogspot.com/2013/03/google-public-dns-now-supports-dnssec.html
Comment 3 Brian Hourigan [:digi] 2013-07-02 18:50:33 PDT
Landed this fix in r70179.

Note You need to log in before you can comment on or make changes to this bug.