29 Mar
2013
29 Mar
'13
9:41 p.m.
Hi,
TL;DR
-----
DNSSEC validation will be enabled on BitFolk's resolvers on Monday
29th April.
The Plan
--------
After consultation¹, we've come up with a plan for enabling DNSSEC
validation on BitFolk's resolvers:
0. As of Wednesday 27th a test resolver has been available on
85.119.80.243, with validation enabled. You can either query
through it directly, e.g.:
dig -t a www.dnssec-failed.org @85.119.80.243
dig -t test.dnssec-or-not.net @85.119.80.243
or replace all IPs in your /etc/resolv.conf to send all your DNS
queries through it.
1. Sometime on Saturday 30th March (tomorrow) we'll enable Unbound's
"permissive mode" which performs validation and logs errors but
always passes answers back to clients anyway:
http://unbound.net/documentation/howto_turnoff_dnssec.html
Note that this can give the impression that DNSSEC is in use, but
it is strictly for testing and you are achieving no security
benefit while this setting is in effect.
2. Around Saturday 6th April we'll review the logs to see what sort
of impact real validation will have.
We will not be examining each and every failure and we will not
be providing per-customer details; it is your responsibility to
make use of the test resolver if you wish to test your own
queries.
3. Provided the results of stage 2 are not too shocking, validation
will be switched on sometime on Monday 29th April, deliberately a
working day so that those of you using your VPSes for business
purposes will hopefully be around to spot any issues in the
unlikely event of anything breaking.
Frequently Asked Questions
--------------------------
- What is DNSSEC?
DNSSEC is a means by which DNS domain owners can digitally sign
records in their zones, so that DNS resolvers can check that the
answers they are receiving have not been tampered with at any
stage.
Aside from routine mangling of DNS responses done by local
resolvers not under your control (think: the built-in DNS resolver
in the access point of your hotel, or an ISP resolver that for
some reason is set to monetise particular kinds of queries), there
are other threats such as the hijacking for DNS for popular or
critical sites.
Additionally, digital signing of zone content is needed before you
can trust other secure data that might be stored in the DNS such
as cryptographic public keys, e.g. SSH host keys and DANE data.
RFC 3833 - Threat Analysis of the Domain Name System (DNS):
http://tools.ietf.org/html/rfc3833
If a DNS zone is DNSSEC-signed but the signatures fail validation,
the query will typically fail with a SERVFAIL response instead of
the expected answer.
- Do I need to do anything?
No; validation is configured in the resolver, and BitFolk runs the
resolvers that are listed by default in your /etc/resolv.conf.
More and more resolvers will start enabling DNSSEC so you may like
to test it out for yourself ahead of time though.
- I'm running a DNS server on my VPS for my domain. Do I need to change
anything?
No; this is about the DNS resolvers you use which are defined in
your /etc/resolv.conf, not any DNS server you might be running to
serve authoritative DNS data. Whether or not you enable DNSSEC
signing for your domain is a separate (and more complicated)
issue.
- Does this mean bitfolk.com will be DNSSEC-signed?
No; having resolvers that validate DNSSEC signatures is a necessary
first step before we can consider DNSSEC-signing bitfolk.com and
bitfolk.co.uk.
- Am I secure as soon as this is enabled?
Only if the domains you query have enabled DNSSEC. And only for
the things that DNSSEC actually protects you against.
If you have any further questions about any of this, please do reply
here or contact us off-list at support(a)bitfolk.com.
Cheers,
Andy
¹ Thread on users list starts here:
http://lists.bitfolk.com/lurker/message/20130326.230706.21113786.en.html
--
http://bitfolk.com/ -- No-nonsense VPS hosting
The optimum programming team size is 1.
Has
Jurassic Park taught us nothing? — pfilandr
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
30 Mar
30 Mar
1:10 a.m.
On Fri, Mar 29, 2013 at 09:41:42PM +0000, Andy Smith wrote:
0. As of Wednesday 27th a test resolver has been
available on
85.119.80.243, with validation enabled. You can either query
through it directly, e.g.:
dig -t a www.dnssec-failed.org @85.119.80.243
dig -t test.dnssec-or-not.net @85.119.80.243
Oops, that second dig command was missing a query type so should
have been:
dig -t txt test.dnssec-or-not.net @85.119.80.243
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
3:23 p.m.
Hi,
On Fri, Mar 29, 2013 at 09:41:42PM +0000, Andy Smith wrote:
1. Sometime on Saturday 30th March (tomorrow)
we'll enable Unbound's
"permissive mode" which performs validation and logs errors but
always passes answers back to clients anyway:
http://unbound.net/documentation/howto_turnoff_dnssec.html
Note that this can give the impression that DNSSEC is in use, but
it is strictly for testing and you are achieving no security
benefit while this setting is in effect.
This part is now in effect. I'll follow up next weekend with a
summary of validation errors seen.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
6 Apr
6 Apr
3:27 p.m.
Hello,
On Sat, Mar 30, 2013 at 03:23:27PM +0000, Andy Smith wrote:
I'll follow up next weekend with a summary of
validation errors
seen.
As promised here's the summary:
https://tools.bitfolk.com/wiki/DNSSEC#6th_April_2013:_Analysis_of_validatio…
If you have an interest in being able to resolve the domains still
listed as broken after 29th April then you should do what you can to
get them to fix it, because it doesn't look like they will get fixed
otherwise.
You can check whether they have fixed things by trying the query
through the test resolver, e.g.:
$ dig -t ns subdesu.org @85.119.80.243
If it returns an answer other than SERVFAIL then they probably fixed
it.
dnssec-debugger / dnsviz should give more hints as to the nature of
the breakage.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
15 Apr
15 Apr
2:42 p.m.
Hi,
Just a reminder for those who may have missed this or newly joined
us:
As announced on March 29th, DNSSEC validation will be enabled on
BitFolk's resolvers on Monday April 29th which is two weeks from
now.
Start of thread:
http://lists.bitfolk.com/lurker/message/20130329.214142.6a7d3789.en.html
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
29 Apr
29 Apr
2:39 p.m.
Hi,
As per the plan below, DNSSEC validation was enabled today on
BitFolk's resolvers.
If you experience any name resolving issues that you can't replicate
elsewhere, please do check with
http://dnssec-debugger.verisignlabs.com/ and http://dnsviz.net/ to
see if it is a DNSSEC problem.
Cheers,
Andy
On Fri, Mar 29, 2013 at 09:41:42PM +0000, Andy Smith wrote:
Hi,
TL;DR
-----
DNSSEC validation will be enabled on BitFolk's resolvers on Monday
29th April.
The Plan
--------
After consultation¹, we've come up with a plan for enabling DNSSEC
validation on BitFolk's resolvers:
0. As of Wednesday 27th a test resolver has been available on
85.119.80.243, with validation enabled. You can either query
through it directly, e.g.:
dig -t a www.dnssec-failed.org @85.119.80.243
dig -t test.dnssec-or-not.net @85.119.80.243
or replace all IPs in your /etc/resolv.conf to send all your DNS
queries through it.
1. Sometime on Saturday 30th March (tomorrow) we'll enable Unbound's
"permissive mode" which performs validation and logs errors but
always passes answers back to clients anyway:
http://unbound.net/documentation/howto_turnoff_dnssec.html
Note that this can give the impression that DNSSEC is in use, but
it is strictly for testing and you are achieving no security
benefit while this setting is in effect.
2. Around Saturday 6th April we'll review the logs to see what sort
of impact real validation will have.
We will not be examining each and every failure and we will not
be providing per-customer details; it is your responsibility to
make use of the test resolver if you wish to test your own
queries.
3. Provided the results of stage 2 are not too shocking, validation
will be switched on sometime on Monday 29th April, deliberately a
working day so that those of you using your VPSes for business
purposes will hopefully be around to spot any issues in the
unlikely event of anything breaking.
Frequently Asked Questions
--------------------------
- What is DNSSEC?
DNSSEC is a means by which DNS domain owners can digitally sign
records in their zones, so that DNS resolvers can check that the
answers they are receiving have not been tampered with at any
stage.
Aside from routine mangling of DNS responses done by local
resolvers not under your control (think: the built-in DNS resolver
in the access point of your hotel, or an ISP resolver that for
some reason is set to monetise particular kinds of queries), there
are other threats such as the hijacking for DNS for popular or
critical sites.
Additionally, digital signing of zone content is needed before you
can trust other secure data that might be stored in the DNS such
as cryptographic public keys, e.g. SSH host keys and DANE data.
RFC 3833 - Threat Analysis of the Domain Name System (DNS):
http://tools.ietf.org/html/rfc3833
If a DNS zone is DNSSEC-signed but the signatures fail validation,
the query will typically fail with a SERVFAIL response instead of
the expected answer.
- Do I need to do anything?
No; validation is configured in the resolver, and BitFolk runs the
resolvers that are listed by default in your /etc/resolv.conf.
More and more resolvers will start enabling DNSSEC so you may like
to test it out for yourself ahead of time though.
- I'm running a DNS server on my VPS for my domain. Do I need to change
anything?
No; this is about the DNS resolvers you use which are defined in
your /etc/resolv.conf, not any DNS server you might be running to
serve authoritative DNS data. Whether or not you enable DNSSEC
signing for your domain is a separate (and more complicated)
issue.
- Does this mean bitfolk.com will be DNSSEC-signed?
No; having resolvers that validate DNSSEC signatures is a necessary
first step before we can consider DNSSEC-signing bitfolk.com and
bitfolk.co.uk.
- Am I secure as soon as this is enabled?
Only if the domains you query have enabled DNSSEC. And only for
the things that DNSSEC actually protects you against.
If you have any further questions about any of this, please do reply
here or contact us off-list at support(a)bitfolk.com.
Cheers,
Andy
¹ Thread on users list starts here:
http://lists.bitfolk.com/lurker/message/20130326.230706.21113786.en.html
--
http://bitfolk.com/ -- No-nonsense VPS hosting
--
http://bitfolk.com/ -- No-nonsense VPS hosting
The optimum programming team size is 1.
Has Jurassic Park taught us nothing? — pfilandr I'd be interested to hear any (even two word)
reviews of their sofas…
Provides seating. — Andy Davidson
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce
4014
days inactive
4045
days old
5 comments
1 participants
participants (1)
-
Andy Smith