Tue 12 Sep 2017

KSK rollover impact on getdns

The following post details on the impact of the root Key Signing Key rollover on getdns DNSSEC validation. With the KSK rollover in process and taking place on 11th of October, users must be aware of the different situations and actions needed for the different getdns versions.

getdns v1.1 and earlier

In the releases to-date getdns does not have automatic DNSSEC trust-anchor management included within the library. When installing getdns v1.1 or earlier from source, a message is displayed requesting the manual installation of a root trust-anchor with unbound-anchor using the command

> unbound-achor -a <trust_anchor_file>

The default location of the <trust_anchor_file> used by getdns in this case depends on the value of sysconfdir during configuring. Typically this could be /usr/local/etc/unbound/getdns-root.key or /etc/unbound/getdns-root.key.

Installations before 2nd of February

If the manual installation of the root trust-anchor was performed before 2nd February 2017 and no trust anchor management is performed externally to getdns, then another manual installation MUST be re-run before 11th October to obtain the new KSK in order to enable DNSSEC validation to continue after October 11th. The easiest way to determine this is to run

> getdns_query -k

-- if there is only 1 entry for a DNSKEY then the last update was most likely before 2nd February 2017.

Installations after 2nd of February

If the most recent manual installation of the root trust-anchor was performed after 2nd February 2017, then that operation also installed the new KSK and getdns is already equipped to perform DNSSEC validation after October 11th. This is because getdns parses the default trust-anchors file as a zone file and uses all the keys it finds (regardless of any annotations that unbound-anchor may have added). This is true in both stub and full recursive mode.

Also note that when used in a long running process getdns is not aware of updates to the trust-anchor file. Long running programs that use getdns to perform DNSSEC validation MUST be restarted after the trust-anchors have been manually updated for the changes to take effect.

getdns v1.2

We recognise that a dependency on external or manual trust-anchor management for a library intended for applications is not optimal. Ideally applications that want to use DNSSEC validation, for example to perform DANE, would want to be able to rely on an application library to deliver DNSSEC, without requiring additional system configuration. Therefore the soon-to-be release version 1.2.0 of getdns will include a form of built-in trust-anchor management modelled on RFC7958, that is suitable for a resolver library which can not assume reliable up-time and which we have named: zero configuration DNSSEC.

With zero configuration DNSSEC, a new set of root trust-anchors will be fetched from https://data.iana.org/root-anchors/root-anchors.xml and validated with ICANN when a DNSSEC answer could not be validated and the root DNSKEY set is either seen for the first time or has changed.
Details about the precise operation of zero configuration DNSSEC will come with the getdns 1.2.0 release announcement.

We strongly recommend upgrading to getdns 1.2 as soon as possible for all users who perform DNSSEC validation. Details of the release dates of getdns will be announced on the getdns-users list.


Related

  First release candidate for getdns-1.2.0
  Fri 22 Sep 2017
  Stubby   Zero configuration DNSSEC
Zero configuration DNSSEC, YAML config files and resilient TLS upstream management
  Roadmap on upcoming releases
  Wed 29 Jun 2016
  Announcement
Update on the upcoming releases
  October 2015 getdns API spec release
  Thu 22 Oct 2015
  Announcement
json-pointer access to dicts and NOT_IMPLEMENTED return code
  Python bindings v0.4.0 released
  Wed 26 Aug 2015
  Announcement
Python3 support, ordered transport lists, bugfixes
  API mailing-list move
  Thu 23 Jul 2015
  Announcement
The API mailing-list moved from vpnc.org to getdnsapi.net
  New website
  Fri 16 Jan 2015
  Announcement
Our webpages have been refashioned with a new "responsive" look.

Other by Willem Toorop

  Hands on getdns
  Thu 06 Jul 2017
  JCSA17
  Sara Dickinson   Willem Toorop
Tutorial at the JCSA17 in Paris
  How to get a trustworthy DNS Privacy enabling recursive resolver
  Sun 26 Feb 2017
  NDSS2017
  Willem Toorop   Benno Overeinder   Melinda Shore   DNS Privacy
Analysis of authentication mechanisms for DNS Privacy enabling recursive resolvers, presented at the NDSS2017
  Stubby
  Wed 19 Oct 2016
  NANOG68
  Willem Toorop   Stubby
Introducting Stubby at the NANOG68 in Dallas
  DNSSEC for Legacy Applications
  Thu 19 Nov 2015
  DNS-WG @ RIPE71
  Willem Toorop
Presentation about an experimental nsswitch getdns component.
  getdns - A new stub resolver
  Sun 13 Sep 2015
  vBSDcon 2015
  Willem Toorop
Very complete overview presentation at te vBSDcon 2015 in Reston
  getdns API implementation
  Thu 14 May 2015
  OS-WG @ RIPE70
  Willem Toorop
Presentation in the Open Source Working Group at RIPE70 in Amsterdam
  getdns API
  Thu 26 Mar 2015
  Bits-n-Bites @ IETF92
  Sara Dickinson   Gowri Visweswaran   Willem Toorop
Poster presentation at the Bits-n-Bites of the IETF92
  getdns API implementation
  Wed 25 Jun 2014
  DNSSEC-WS @ ICANN50
  Willem Toorop
Presentation at the DNSSEC Workshop at ICANN50 in London
  getdns API implementation
  Wed 14 May 2014
  OS-WG @ RIPE68
  Willem Toorop
Lightning talk at the Open Source Working Group at RIPE 68 in Warsaw
  getdns API implementation
  Sun 11 May 2014
  DNS-OARC 2014 Spring-WS
  Willem Toorop
Presentation at the DNS-OARC Spring Workshop in Warsaw