Mon, 15 Nov 2010
DNSSEC Problems
In July, I wrote about DNSSEC tools.
Our zone is still not signed, but at that time I at least enabled DNSSEC
validation on our recursive servers, asked the maintainer of the muni.cz
domain about the DNSSEC enrollment process, and suggested we should
discuss it further.
I got no reply for several weeks, and then he suddenly replied: "I have
signed the muni.cz domain". The evening before this e-mail,
our recursive servers stopped resolving even names from our own subdomain,
fi.muni.cz. It was a major service disruption (the whole
IS MU cluster disintegrated, etc.). I was on holiday, so my colleagues
just switched off the DNSSEC processing altogether. I did not have
time to look into this problem until last week. I tried to
reenable DNSSEC, and the same problem appeared: part of the DNS queries
just got dropped. Digging into this further (thanks,
Dan!), I discovered that one out
of three authoritative DNS servers for muni.cz (ns.ces.net) has DNSSEC
disabled. So 1/3 of the
queries were replied to without signatures, and got dropped by validating
resolvers.
The moral of the story is:
- Virtually nobody uses DNSSEC for validation. Otherwise there should
  have been complaints about everything under muni.cz
  being occasionally unreachable since August and counting.
- DNSSEC is very volatile, and has too many subtle ways to fail. For example, expired signatures are not visible without a complicated monitoring tool before it is too late. Or the above problem with the non-DNSSEC authoritative nameserver is not visible when your resolvers use the other two authoritative nameservers as recursive nameservers. Etc.
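Both failure modes above (an authoritative server answering without signatures, and signatures close to expiry) can be checked per nameserver rather than through a resolver. The sketch below is an added example, not part of the original post: it assumes the zone is meant to be signed and that the input is the answer section printed by `dig +dnssec +norec +noall +answer @<server> <zone> SOA` for each authoritative server; the zone `example.org`, the server names and the record data are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample input: answer sections in the format printed by
#   dig +dnssec +norec +noall +answer @<server> example.org SOA
# Server names, key tag and signature blobs are made up for illustration.
SOA = "example.org. 3600 IN SOA ns-a.example.org. admin.example.org. 2010111501 7200 3600 1209600 3600\n"
SIG = "example.org. 3600 IN RRSIG SOA 5 2 3600 {exp} 20101101000000 12345 example.org. c2FtcGxl\n"
SAMPLE = {
    "ns-a.example.org": SOA + SIG.format(exp="20101215000000"),
    "ns-b.example.org": SOA + SIG.format(exp="20101117000000"),
    "ns-c.example.org": SOA,  # answers, but without any signature
}


def rrsig_expiries(answer_text):
    """Return the expiration time of every RRSIG record in a dig answer section."""
    expiries = []
    for line in answer_text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl EXPIRATION inception tag signer sig
        if len(f) >= 13 and f[3] == "RRSIG":
            exp = datetime.strptime(f[8], "%Y%m%d%H%M%S")
            expiries.append(exp.replace(tzinfo=timezone.utc))
    return expiries


def audit(answers, now, warn=timedelta(days=3)):
    """Classify each authoritative server: ok, expiring, expired or unsigned."""
    report = {}
    for server, text in answers.items():
        expiries = rrsig_expiries(text)
        if not expiries:
            report[server] = "unsigned"
        elif min(expiries) <= now:
            report[server] = "expired"
        elif min(expiries) - now <= warn:
            report[server] = "expiring"
        else:
            report[server] = "ok"
    return report


if __name__ == "__main__":
    now = datetime(2010, 11, 15, 12, 0, tzinfo=timezone.utc)
    for server, status in audit(SAMPLE, now).items():
        print(f"{server}: {status}")
```

Querying every server listed in the zone's NS set directly is what makes the odd one out visible, since a resolver that happens to reach only the signing servers never shows the problem.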
Do you use validating resolvers, my dear lazyweb? And are all your zones signed?