Yeti DNS Project
--A Live IPv6-only Root DNS Server System Testbed

Algorithm Rollover Lab Testing

The document describing the algorithm rollover test in the lab environment is kept in a GitHub repo. It describes the four approaches and the timeline. There is also a brief summary of the first algorithm rollover, which introduces the process and the results found in our first trial. The second trial is very similar to the first, but a stand-by key is introduced in the second test. In the second test we also set up PowerDNS resolvers to monitor the rollover, in addition to the UNBOUND and BIND resolvers.

Timeline

The timeline of each test case is scheduled in the following tables:

Note: Slot 2 will start on April 29th, 0200 UTC, when the new KEY and signatures will be published. Resolvers set up after that time will not be able to roll automatically.

How to Join

To join the Alg-roll test, you need a working DNS resolver with IPv6 support. According to the test plan for the algorithm rollover, we have set up four separate root server systems, each using a different rollover approach. You can participate in one or all of them, according to your preference.

Participants need to update the “hints” file to use the Yeti root servers instead of the IANA root servers. The “hints” files and trust anchors for the four root server systems can be found here:

If you need more guidance on configuring your resolver to connect to the Yeti or Alg-roll testbed, please check the How-to-Join page. The section “Joining Yeti as a Resolver Operator” explains how to configure BIND, UNBOUND, and Knot to use Yeti’s root servers.

If you are interested in participating, please follow the discussions and report any findings during the experiment on the Yeti-discuss mailing list.

Monitoring

Status of Root zone (DNSKEY and RRSIG)

The root server of each case can be queried with dig to monitor the status of the root zone, for example: dig @240e:eb:8001:e00::37 . dnskey +dnssec +multi

         old KSK            new KSK            stand-by KSK   old ZSK            new ZSK
Case 1   18064 : pub+sign   23959 : pub        34017 : pub    59583 : pub+sign   0 : NA
Case 2   18064 : pub+sign   23959 : pub+sign   34017 : pub    28650 : pub+sign   0 : NA
Case 3   18064 : pub+sign   23959 : pub+sign   34017 : pub    25464 : pub+sign   4283 : pub+sign
Case 4   18064 : pub+sign   23959 : pub+sign   34017 : pub    21381 : pub+sign   4283 : pub+sign

Status at Sat May 25 04:50:01 2019 UTC
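The pub / pub+sign classification in the table above can be derived from the DNSKEY and RRSIG records a root server returns. As an added example, not part of the Yeti project's tooling, the following script parses constructed dig +multi output (key tags borrowed from the Case 1 row; key data, algorithms and signature times are made up) and reports which published keys also sign the DNSKEY RRset, plus any signature whose key tag is not published.

```python
import re
# Constructed sample of `dig @<root> . dnskey +dnssec +multi` output, abridged.
# Key tags mirror Case 1 of the table; key data, algorithms and times are made up.
SAMPLE = """\
;; ANSWER SECTION:
.  86400 IN DNSKEY 257 3 8 (
    AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJz
    ) ; KSK; alg = RSASHA256 ; key id = 18064
.  86400 IN DNSKEY 257 3 13 (
    oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XN
    ) ; KSK; alg = ECDSAP256SHA256 ; key id = 23959
.  86400 IN DNSKEY 257 3 13 (
    kXl5N2Q0YmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5
    ) ; KSK; alg = ECDSAP256SHA256 ; key id = 34017
.  86400 IN DNSKEY 256 3 8 (
    AwEAAbcdefghijklmnopqrstuvwxyz0123456789
    ) ; ZSK; alg = RSASHA256 ; key id = 59583
.  86400 IN RRSIG DNSKEY 8 0 86400 (
    20190601000000 20190518000000 18064 . c2lnMQ== )
.  86400 IN RRSIG DNSKEY 8 0 86400 (
    20190601000000 20190518000000 59583 . c2lnMg== )
"""
def records(text):
    """Rejoin dig +multi continuation lines; skip ';' comment and section lines."""
    out, buf = [], []
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith(";"):
            buf.append(line)
            if " ".join(buf).count("(") == " ".join(buf).count(")"):  # record closed
                out.append(" ".join(buf))
                buf = []
    return out

def dnskey_status(text):
    """Return ({key_tag: {role, alg, status}}, key tags of RRSIGs with no published key)."""
    keys, signers = {}, set()
    for rec in records(text):
        tok = rec.replace("(", " ").replace(")", " ").split()
        if tok[3] == "DNSKEY":          # owner ttl class DNSKEY flags proto alg key...
            keys[int(re.search(r"key id = (\d+)", rec).group(1))] = {
                "role": "KSK" if int(tok[4]) & 1 else "ZSK",   # SEP bit set => KSK
                "alg": int(tok[6]), "status": "pub"}
        elif tok[3] == "RRSIG" and tok[4] == "DNSKEY":
            signers.add(int(tok[10]))   # RRSIG: type alg labels origttl exp inc keytag signer
    for tag in signers & set(keys):
        keys[tag]["status"] = "pub+sign"   # published and signing the DNSKEY RRset
    return keys, signers - set(keys)       # a dangling signer tag means a broken rollover
def summarize(keys):
    return " , ".join(f"{t} : {k['status']}" for t, k in sorted(keys.items()))
```

Feeding real dig output from each case's root server into dnskey_status gives the row for that case; a non-empty dangling set means resolvers will see a signature they cannot validate.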

Status of DNSKEY on resolvers

We monitor the status of the trust anchors and managed keys during the rollover. For UNBOUND we track the root.key file; for BIND we track the managed-keys.bind file.

          Case 1                 Case 2                 Case 3                 Case 4
BIND      23959 : trust pending  23959 : trust pending  23959 : trust pending  23959 : trust pending
          34017 : trust pending  34017 : trust pending  34017 : trust pending  34017 : trust pending
          18064 : trusted        18064 : trusted        18064 : trusted        18064 : trusted
UNBOUND   23959 : ADDPEND        23959 : ADDPEND        23959 : ADDPEND        23959 : ADDPEND
          18064 : VALID          18064 : VALID          18064 : VALID          18064 : VALID
          34017 : ADDPEND        34017 : ADDPEND        34017 : ADDPEND        34017 : ADDPEND

Status at Sat May 25 04:50:01 2019 UTC

DNSSEC Validation on resolvers

We monitor the status of DNSSEC validation during the rollover by querying the validating resolvers for random non-existent domain names.

          Case 1          Case 2          Case 3          Case 4
BIND      Validation OK   Validation OK   Validation OK   Validation OK
UNBOUND   Validation OK   Validation OK   Validation OK   Validation OK
PowerDNS  Validation OK   Validation OK   Validation OK   Validation OK

Status at Sat May 25 04:50:01 2019 UTC