Yeti DNS Project
--A Live IPv6-only Root DNS Server System Testbed

Algorithm Rollover Lab Testing

The documentation for the algorithm rollover test in the lab environment is kept in a GitHub repo. It describes the four approaches and the timeline. There is a brief summary of the first algorithm rollover, which introduces the process and the results found in our first trial. The second trial is very similar to the first, but a stand-by key is introduced in the second test. In the second test we also set up PowerDNS resolvers to monitor the rollover, in addition to the UNBOUND and BIND resolvers.

Timeline

The test cases are scheduled according to the timeline in the following tables:

Note: Slot 2 will start on April 29th, 0200 UTC, when the new key and signatures will be published. Resolvers set up after that time are not able to roll automatically.

How to Join

To join the Alg-roll test, you need working DNS resolvers with IPv6 support. Following the algorithm rollover test plan, we set up 4 separate root server systems, each with a different rollover approach. You can participate in one or all of them, as you prefer.

Participants need to update the “hints” file to use the Yeti root servers instead of the IANA root servers. The “hints” files and trust anchor for the 4 root servers can be found here:

If you need more guidance on configuring a resolver to connect to the Yeti or Alg-roll testbed, please check the how-to-Join page. The section “Joining Yeti as a Resolver Operator” tells you how to configure BIND, UNBOUND, and Knot to use Yeti’s root servers.

If you are interested in participating, please follow the discussions and report any findings during the experiment on the Yeti-discuss mailing list.

Monitoring

Status of Root zone (DNSKEY and RRSIG)

The root servers of each case can be queried with the dig command to monitor the status of the root zone, for example: dig @240e:eb:8001:e00::37 . dnskey +dnssec +multi

        old KSK           new KSK      stand-by KSK      old ZSK           new ZSK
Case 1  NA_KSK : Removed  23959 : pub  34017 : pub+sign  59583 : pub+sign  0 : NA
Case 2  NA_KSK : Removed  23959 : pub  34017 : pub+sign  28650 : pub+sign  0 : NA
Case 3  NA_KSK : Removed  23959 : pub  34017 : pub+sign  NA_ZSK : Removed  4283 : pub+sign
Case 4  NA_KSK : Removed  23959 : pub  34017 : pub+sign  NA_ZSK : Removed  4283 : pub+sign

Status at Tue Jun 25 03:20:02 2019 UTC

Status of DNSKEY on resolvers

We monitor the status of the trust anchors and managed keys during the rollover. For UNBOUND we track the root.key file. For BIND we track the managed-keys.bind file.

               Case 1                   Case 2                   Case 3                   Case 4
BIND9.11.5-P1  23959 : trusted          23959 : trusted          23959 : trusted          23959 : trusted
               18192 : removal pending  18192 : removal pending  18192 : removal pending  18192 : removal pending
               34017 : trusted          34017 : trusted          34017 : trusted          34017 : trusted
UNBOUND1.8.3   23959 : VALID            23959 : VALID            23959 : VALID            23959 : VALID
               18192 : REVOKED          18192 : REVOKED          18192 : REVOKED          18192 : REVOKED
               34017 : VALID            34017 : VALID            34017 : VALID            34017 : VALID

Status at Tue Jun 25 03:20:02 2019 UTC
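
One way to produce the UNBOUND entries of the table above from a resolver's root.key file, as an added example (not the Yeti project's monitoring code). The sample file is constructed: its key tags and states mirror the table, while TTLs, flags, algorithm numbers, sizes and key material are placeholders.

```python
import re

# Constructed sample of an Unbound autotrust file (root.key). Key tags and
# states mirror the table above; TTLs, flags, algorithm numbers, sizes and
# key material are placeholders, not the testbed's real records.
SAMPLE_ROOT_KEY = (
    "; autotrust trust anchor file\n"
    ";;id: . 1\n"
    ".\t86400\tIN\tDNSKEY\t257 3 13 AAAAplaceholder== "
    ";{id = 23959 (ksk), size = 256b} ;;state=2 [  VALID  ] ;;count=0\n"
    ".\t86400\tIN\tDNSKEY\t385 3 8 BBBBplaceholder== "
    ";{id = 18192 (ksk), size = 2048b} ;;state=4 [ REVOKED ] ;;count=0\n"
    ".\t86400\tIN\tDNSKEY\t257 3 13 CCCCplaceholder== "
    ";{id = 34017 (ksk), size = 256b} ;;state=2 [  VALID  ] ;;count=0\n"
)

# One anchor line: owner, optional TTL, class, DNSKEY rdata, then the
# ";{id = ...}" and ";;state=N [ NAME ]" comments Unbound appends.
ANCHOR = re.compile(
    r"^\S+\s+(?:\d+\s+)?IN\s+DNSKEY\s+(?P<flags>\d+)\s+\d+\s+(?P<alg>\d+)\s+"
    r".*?;\{id = (?P<tag>\d+) .*?;;state=\d+ \[\s*(?P<state>\w+)\s*\]"
)

def key_states(text):
    """Return [(key_tag, algorithm, state)] for every anchor in the file."""
    keys = []
    for line in text.splitlines():
        m = ANCHOR.match(line)  # comment and header lines do not match
        if m:
            keys.append((int(m["tag"]), int(m["alg"]), m["state"]))
    return keys

def check_anchors(keys):
    """Return the conditions a rollover monitor should flag."""
    problems = []
    if not any(state == "VALID" for _, _, state in keys):
        problems.append("no VALID trust anchor left")
    for tag, _, state in keys:
        if state == "ADDPEND":
            problems.append(f"{tag}: still in add hold-down, not yet trusted")
        elif state == "MISSING":
            problems.append(f"{tag}: trusted key absent from the DNSKEY set")
    return problems

if __name__ == "__main__":
    keys = key_states(SAMPLE_ROOT_KEY)
    for tag, alg, state in keys:
        print(f"{tag} : {state} (algorithm {alg})")
    for problem in check_anchors(keys):
        print("WARNING:", problem)
```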

DNSSEC Validation on resolvers

We monitor the status of DNSSEC validation during the rollover by using dig to query the validating resolvers for a random non-existent domain.

                      Case 1         Case 2         Case 3         Case 4
BIND9.11.5-P1         Validation OK  Validation OK  Validation OK  Validation OK
UNBOUND1.8.3          Validation OK  Validation OK  Validation OK  Validation OK
PowerDNS4.2.0~alpha1  Validation OK  Validation OK  Validation OK  Validation OK

Status at Tue Jun 25 03:20:02 2019 UTC