Thoughts on procedures and checklists

Written by Rick van Rein in category: Procedures, Technical

These are a few general thoughts about procedures and checklists, before diving into the detail level required by some of them. In general, we see procedures as predefined steps that can satisfy a checklist without further thought for an operator with normal skills. Procedures can be helpful because they take the creativity (and anxiety) out […]

No Comments

Actor responsibilities towards DNSSEC

Written by Rick van Rein in category: Procedures, Security, Technical, Users

We are working towards a DNS signing system with various roles at a number of levels. At each of these levels we assign responsibilities, many of which will not be new to the people involved. We are not primarily worried about people with bad intentions (wihtin our organisation), so we do not split roles as […]

No Comments

Monitoring signature expiration online

Written by Roland van Rijswijk in category: Uncategorized

One of the things we discovered while we were rolling out our deployment is that it is very important to monitor the availability of signed zones (see also this post by Migiel de Vos on monitoring). We have deployed default monitoring based on Nagios, with checks that verify if all signer components are running. One […]

3 Comments

Master/slave replication with OpenDNSSEC

Written by Rick van Rein in category: Architecture, Resilience

In a previous article we discussed the idea of a high-availability Hardware Security Module (or HSM) service. To make the entire DNSSEC signing service act in high-availability mode there is one more part to replicate, namely the OpenDNSSEC signer machines. These manage the procedures and are aware of the DNS and timing intricacies of DNSSEC. […]

1 Comments

Validation rate growing week by week

Written by Roland van Rijswijk in category: General

All SURFnet’s DNS resolvers perform DNSSEC validation and we use the Cacti plug-in for Unbound to graph our nameserver statistics. This yields some interesting data since we can observe the DNSSEC validation rate. And that rate has been showing signs of significant growth since the root got signed. Let me first show you a snapshot […]

No Comments

Nearly there :-)

Written by Roland van Rijswijk in category: Uncategorized

We’ve put the champagne on ice and the cake has been ordered… Since yesterday afternoon 13:00h CET surfnet.nl is signed! All we have to wait for now is the ability to get a DS record in the .nl zone, which will hopefully happen later this month.┬áThis means that our DNSSEC system is now in full […]

No Comments

User study results

Written by Roland van Rijswijk in category: General, Users

One of the goals of our project was to perform a user study among our constituency (higher education, academia and research) to find out what the interest in DNSSEC is in our community. We finished this study in August and have just published the results which are quite interesting, quite a number of respondents to […]

No Comments

Why .us fails to validate for some (and algorithm rollovers are hard)

Written by Roland van Rijswijk in category: General, Resilience

If you perform DNSSEC validation on your resolver you may have noticed lots of validation failures for the .us top-level domain since yesterday or early today (depending on the content of your cache). You’re probably wondering why this happens and what you can do about. Here’s a short explanation. The maintainers of the .us domain […]

No Comments