Algorithm Rollover Lab Testing
The document describing the algorithm rollover test in the lab environment is kept in a GitHub repo. It describes the four approaches and the timeline. There is a brief summary of the first algorithm rollover, which introduces the process and the results found in our first trial. The second trial is very similar to the first, but a stand-by key is introduced in the second test. In the second test we also set up PowerDNS resolvers to monitor the rollover, in addition to the UNBOUND and BIND resolvers.
Timeline
The timeline of each test case is scheduled in the following tables:
Note: Slot 2 will start on April 29th, 0200 UTC, when the new keys and signatures will be published. Resolvers set up after that time are not able to roll automatically.
How to Join
To join the Alg-roll test, you need working DNS resolvers with IPv6 support. According to the algorithm rollover test plan, we set up 4 separate root server systems, each with a different rollover approach. You can choose to participate in one or all of them according to your preference.
Participants need to update the “hints” file to use the Yeti root servers instead of the IANA root servers. The “hints” files and trust anchors for the 4 root servers can be found here:
If you need more guidance on configuring a resolver to connect to Yeti or the Alg-roll testbed, please check the how-to-Join page. The section “Joining Yeti as a Resolver Operator” tells you how to configure BIND, UNBOUND, and Knot to use Yeti’s root servers.
If you are interested in participating, please follow the discussions and report any findings during the experiment on the Yeti-discuss mailing list.
Monitoring
Status of Root zone (DNSKEY and RRSIG)
The root server of each case can be queried with dig to monitor the status of the root zone, for example: `dig @240e:eb:8001:e00::37 . dnskey +dnssec +multi`
Case | old KSK | new KSK | stand-by KSK | old ZSK | new ZSK
---|---|---|---|---|---
Case 1 | NA_KSK: Removed | 23959: pub | 34017: pub+sign | 59583: pub+sign | 0: NA
Case 2 | NA_KSK: Removed | 23959: pub | 34017: pub+sign | 28650: pub+sign | 0: NA
Case 3 | NA_KSK: Removed | 23959: pub | 34017: pub+sign | NA_ZSK: Removed | 4283: pub+sign
Case 4 | NA_KSK: Removed | 23959: pub | 34017: pub+sign | NA_ZSK: Removed | 4283: pub+sign
Status at Tue Jun 25 03:20:02 2019 UTC
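As an added example (not part of the Yeti page or its tooling), the following Python script derives the pub / pub+sign states shown in the table above from the output of the dig command, and also checks the RFC 4035 section 2.2 requirement that every algorithm present in the DNSKEY RRset signs it, which is the condition an algorithm rollover has to keep true at every step. The dig output embedded in it is constructed: the key tags are taken from the Case 1 row, while the algorithms, dates and key material are placeholders.

```python
import re

# Constructed sample of `dig @<root> . dnskey +dnssec +multi` output: key tags from the Case 1 table, rest placeholders.
SAMPLE = """\
.            172800  IN  DNSKEY  257 3 13 (
                     CONSTRUCTEDKEYMATERIALxxxxxxxxxxxx
                     ) ; KSK; alg = ECDSAP256SHA256 ; key id = 23959
.            172800  IN  DNSKEY  257 3 8 (
                     CONSTRUCTEDKEYMATERIALyyyyyyyyyyyy
                     ) ; KSK; alg = RSASHA256 ; key id = 34017
.            172800  IN  DNSKEY  256 3 8 (
                     CONSTRUCTEDKEYMATERIALzzzzzzzzzzzz
                     ) ; ZSK; alg = RSASHA256 ; key id = 59583
.            172800  IN  RRSIG   DNSKEY 8 0 172800 (
                     20190707000000 20190616000000 34017 . CONSTRUCTEDSIG=
                     )
.            172800  IN  RRSIG   DNSKEY 8 0 172800 (
                     20190707000000 20190616000000 59583 . CONSTRUCTEDSIG=
                     )
"""
# DNSKEY: flags, protocol, algorithm, "( ... )" key material, then dig's "key id" comment.
DNSKEY_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+\d+\s+(\d+)\s+\(.*?\)\s*;[^\n]*?key id = (\d+)", re.M | re.S)
# RRSIG over DNSKEY: algorithm, labels, original TTL, "(", expiration, inception, key tag.
RRSIG_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+DNSKEY\s+(\d+)\s+\d+\s+\d+\s+\(?\s*\d+\s+\d+\s+(\d+)\s", re.M | re.S)

def parse_dnskey_rrset(text):
    """Return ({key_tag: (flags, algorithm)}, {key tags that sign the DNSKEY RRset})."""
    keys = {int(tag): (int(flags), int(alg)) for flags, alg, tag in DNSKEY_RE.findall(text)}
    signers = {int(tag) for _alg, tag in RRSIG_RE.findall(text)}
    return keys, signers

def key_status(text):
    """Map each key tag to (role, algorithm, state) in the table's pub / pub+sign convention."""
    keys, signers = parse_dnskey_rrset(text)
    status = {}
    for tag, (flags, alg) in keys.items():
        role = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit (RFC 4034 section 2.1.1)
        if flags & 0x0080:                          # REVOKE bit (RFC 5011), as UNBOUND reports it
            role += "/revoked"
        status[tag] = (role, alg, "pub+sign" if tag in signers else "pub")
    return status

def unsigned_algorithms(text):
    """Published algorithms with no RRSIG over DNSKEY (RFC 4035 section 2.2 forbids this)."""
    keys, signers = parse_dnskey_rrset(text)
    published = {alg for _flags, alg in keys.values()}
    signed = {alg for tag, (_flags, alg) in keys.items() if tag in signers}
    return sorted(published - signed)
```

To use it on a live server, pass the text of `dig @<server> . dnskey +dnssec +multi` to key_status() and unsigned_algorithms() instead of SAMPLE.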
Status of DNSKEY on resolvers
Monitoring the status of the trust anchors and managed keys during the rollover. For UNBOUND we track the root.key file. For BIND we track the managed-keys.bind file.
Resolver | Case 1 | Case 2 | Case 3 | Case 4
---|---|---|---|---
BIND 9.11.5-P1 | 23959: trusted; 18192: removal pending; 34017: trusted | 23959: trusted; 18192: removal pending; 34017: trusted | 23959: trusted; 18192: removal pending; 34017: trusted | 23959: trusted; 18192: removal pending; 34017: trusted
UNBOUND 1.8.3 | 23959: VALID; 18192: REVOKED; 34017: VALID | 23959: VALID; 18192: REVOKED; 34017: VALID | 23959: VALID; 18192: REVOKED; 34017: VALID | 23959: VALID; 18192: REVOKED; 34017: VALID
Status at Tue Jun 25 03:20:02 2019 UTC
DNSSEC Validation on resolvers
Monitoring the status of DNSSEC validation during the rollover. We query the validating resolvers for random non-existent domain names.
Resolver | Case 1 | Case 2 | Case 3 | Case 4
---|---|---|---|---
BIND 9.11.5-P1 | Validation OK | Validation OK | Validation OK | Validation OK
UNBOUND 1.8.3 | Validation OK | Validation OK | Validation OK | Validation OK
PowerDNS 4.2.0~alpha1 | Validation OK | Validation OK | Validation OK | Validation OK
Status at Tue Jun 25 03:20:02 2019 UTC