Internet-wide security update put on hold over fears 60 million people would be kicked offline

Matt34

What a load of cow pats

Having just completed a training course which covered DNSSEC: the Root Key Signing Keys use algorithm 8, which is RSA/SHA256 and is compatible with Bind 9.10.3, which is available for MintLinux and Ubuntu Mate for Raspberry Pi. The new KSK works just fine. After five years of giving training on DNSSEC, 99% of students who were familiar with DNS had never heard of DNSSEC (despite it being 16 years old).

For those unfamiliar with DNSSEC: at present there is a double Key Rollover; both the KSK and the Zone Signing Key (ZSK) are rolling over to a new key.

dig @8.8.8.8 . dnskey +multiline

; <<>> DiG 9.10.6 <<>> @8.8.8.8 . dnskey +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5983
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;. IN DNSKEY

;; ANSWER SECTION:
. 166290 IN DNSKEY 257 3 8 (
    AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
    bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
    /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
    JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
    oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
    LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
    Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
    LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
    ) ; KSK; alg = RSASHA256 ; key id = 19036
. 166290 IN DNSKEY 256 3 8 (
    AwEAAYvxrQOOujKdZz+37P+oL4l7e35/0diH/mZITGjl
    p4f81ZGQK42HNxSfkiSahinPR3t0YQhjC393NX4TorSi
    TJy76TBWddNOkC/IaGqcb4erU+nQ75k2Lf0oIpA7qTCk
    3UkzYBqhKDHHAr2UditE7uFLDcoX4nBLCoaH5FtfxhUq
    yTlRu0RBXAEuKO+rORTFP0XgA5vlzVmXtwCkb9G8GknH
    uO1jVAwu3syPRVHErIbaXs1+jahvWWL+Do4wd+lA+TL3
    +pUk+zKTD2ncq7ZbJBZddo9T7PZjvntWJUzIHIMWZRFA
    jpi+V7pgh0o1KYXZgDUbiA1s9oLAL1KLSdmoIYM=
    ) ; ZSK; alg = RSASHA256 ; key id = 15768
. 166290 IN DNSKEY 256 3 8 (
    AwEAAcRIZfxskdElMKgjwvWQO2bQe7EGAvX6zgIaqmbs
    aMqmMrIpd1+bP7nyULLuL8jWnKAqcaVfal2yJD50gg5z
    Fl5yW/F9dKNXXEFI7VEcGrPyG6/OrA9RBU8pGWm0qxps
    Nm5UIgTU5IX7pb/0rBj67c/R7qln8sjH1ylsr4f1Y3R6
    p/druiEalKasEjGKA9L2w9jzUQusWxM7fQx/T8c/3x3b
    sjveD1dleQ6MJaCx4bpPXYZpqXmSvGn+T2v5350cBVAF
    qVKhGbjxEyXAweem8cTU4L1p+DV7Ua11a1tMf0Tlu8pk
    pLwh7NQIggIEhJwEhPeXE3E4C6Q2/PFENcoFERc=
    ) ; ZSK; alg = RSASHA256 ; key id = 46809
. 166290 IN DNSKEY 257 3 8 (
    AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
    iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
    7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
    LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
    efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
    pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
    A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
    9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
    ) ; KSK; alg = RSASHA256 ; key id = 20326

;; Query time: 9 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 29 19:51:13 BST 2017
;; MSG SIZE rcvd: 1128

DNSSEC is used to digitally sign DNS records by adding an RRSIG record, which is a cryptographically signed hash of a set of records within a Zone. So the NS records inside a Zone would have a single RRSIG to allow authentication and validation of all the NS records, as if you query the NS records all will be returned.

In terms of handling the new KSK, if the DNS Server supports RFC5011 the KSK rollover is handled automatically; BIND has supported this for a couple of years. RFC7344 allows the automatic update of the Child Zone Delegated Signer Record using the CDS record and CDNSKEY record, both supported in Bind 9.11.

Unfortunately many commercial DNS providers do not support RFC5011, nor do they support RFC7344.

The Root KSK should have been replaced in June 2015 under the contract ICANN operated under; here we are seven years later and it's going to be delayed again.

Personally, the root key change should not be delayed... A competent DNS Architect/Administrator should have planned for this two years ago.
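As an added example (this is not code from Matt34's post, nor from BIND or ICANN), here is a standard-library Python script that takes the four root DNSKEY records from the dig output quoted above, recomputes each "key id" (the RFC 4034 key tag), classifies KSK versus ZSK from the flags field, derives the DS digest (SHA-256, digest type 2) for each key, and checks the two KSKs against the DS digests that IANA publishes for the root trust anchors. The two published digest values are constants taken from IANA's root trust anchor file and are the one assumption here: verify them against your own copy before relying on them.

```python
import base64
import hashlib
import struct

# Constructed sample input: the four root-zone DNSKEY records exactly as they appear in
# the dig output quoted in the post, as (flags, protocol, algorithm, base64 public key).
ROOT_DNSKEYS = [
    (257, 3, 8,
     "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ" "bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh"
     "/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA" "JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp"
     "oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3" "LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO"
     "Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc" "LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="),
    (256, 3, 8,
     "AwEAAYvxrQOOujKdZz+37P+oL4l7e35/0diH/mZITGjl" "p4f81ZGQK42HNxSfkiSahinPR3t0YQhjC393NX4TorSi"
     "TJy76TBWddNOkC/IaGqcb4erU+nQ75k2Lf0oIpA7qTCk" "3UkzYBqhKDHHAr2UditE7uFLDcoX4nBLCoaH5FtfxhUq"
     "yTlRu0RBXAEuKO+rORTFP0XgA5vlzVmXtwCkb9G8GknH" "uO1jVAwu3syPRVHErIbaXs1+jahvWWL+Do4wd+lA+TL3"
     "+pUk+zKTD2ncq7ZbJBZddo9T7PZjvntWJUzIHIMWZRFA" "jpi+V7pgh0o1KYXZgDUbiA1s9oLAL1KLSdmoIYM="),
    (256, 3, 8,
     "AwEAAcRIZfxskdElMKgjwvWQO2bQe7EGAvX6zgIaqmbs" "aMqmMrIpd1+bP7nyULLuL8jWnKAqcaVfal2yJD50gg5z"
     "Fl5yW/F9dKNXXEFI7VEcGrPyG6/OrA9RBU8pGWm0qxps" "Nm5UIgTU5IX7pb/0rBj67c/R7qln8sjH1ylsr4f1Y3R6"
     "p/druiEalKasEjGKA9L2w9jzUQusWxM7fQx/T8c/3x3b" "sjveD1dleQ6MJaCx4bpPXYZpqXmSvGn+T2v5350cBVAF"
     "qVKhGbjxEyXAweem8cTU4L1p+DV7Ua11a1tMf0Tlu8pk" "pLwh7NQIggIEhJwEhPeXE3E4C6Q2/PFENcoFERc="),
    (257, 3, 8,
     "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO" "iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN"
     "7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5" "LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8"
     "efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7" "pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY"
     "A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws" "9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="),
]

# Assumption: SHA-256 DS digests of the two root KSKs as published in IANA's root trust
# anchor file. Check them against your own copy; a validator must only trust a KSK whose
# DS matches a configured (or RFC 5011-learned) trust anchor, never one seen on the wire.
PUBLISHED_ROOT_DS = {
    19036: "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5",
    20326: "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D",
}

ROOT_OWNER_WIRE = b"\x00"  # the root name "." in DNS wire format is a single empty label


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA in wire format: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (dig's 'key id'): a 16-bit checksum over the RDATA.
    Not a cryptographic identifier, just a hint for selecting candidate keys."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags):
    """Flags 0x0100 = Zone Key; 0x0001 = Secure Entry Point, which marks a KSK (257 vs 256)."""
    if not flags & 0x0100:
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"


def rsa_modulus_bits(pubkey):
    """RFC 3110 RSA public key: 1-byte exponent length (or 0 + 2-byte length), exponent, modulus."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    return (len(pubkey) - offset - exp_len) * 8


def ds_digest_sha256(owner_wire, rdata):
    """DS digest type 2 (RFC 4509): SHA-256 over canonical owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()


def summarise(records=ROOT_DNSKEYS, published=PUBLISHED_ROOT_DS):
    """Recompute tag, role, key size and DS for each record and compare with the anchors."""
    out = []
    for flags, proto, alg, key in records:
        rdata = dnskey_rdata(flags, proto, alg, key)
        tag = key_tag(rdata)
        ds = ds_digest_sha256(ROOT_OWNER_WIRE, rdata)
        out.append({
            "tag": tag,
            "role": key_role(flags),
            "bits": rsa_modulus_bits(rdata[4:]),
            "ds_sha256": ds,
            "matches_trust_anchor": published.get(tag) == ds,
        })
    return out


if __name__ == "__main__":
    for entry in summarise():
        print(entry)
```

The key tag is only a 16-bit checksum, so two different keys can share one; the DS digest is what actually binds a KSK to the trust anchor, and that is the comparison a resolver operator should make when a new root KSK shows up in the DNSKEY RRset.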


Biting the hand that feeds IT © 1998–2019