DNSSEC validation #2227

Open
vohmar opened this issue Nov 26, 2021 · 0 comments
vohmar commented Nov 26, 2021

Create a background job for validating the DNSSEC trust chains of the domains that have DS records in the .ee TLD zones.

Similar to the host validation and CSYNC processes:

  • mark DS records that have been added to the registry by CSYNC as valid (no need to validate those records, at least for a year)
  • validate all un-validated DS records
    • check that the DNSKEY exists in all the nameservers associated with the domain, by both IPv4 and IPv6 addresses

If an invalid DS record is found on three consecutive validation runs, remove it from the .ee zone.
Notify the registrar and registrant; the message must include the list of misconfigured host records.
Notify the registrar via a poll message.
Notify the technical contact about removing the DS record from the zone via email.

Testing:

  • add a DS record to a domain that has the same key in all its nameservers (both IPv4 and IPv6 addresses)
  • run the validator: no issues
  • add a DS record to a domain that has no DNSKEYs in its hosts
  • run the validator: the DS record is marked as invalid for the first time, a record is created in the validation table
  • run the validator a third time: a third record is created in the validations table, the DS record is removed from the .ee TLD zones
  • a notification arrives at the registrar as a poll message
  • a notification arrives at the technical contact about removing the DS record from the zone via email
    • the email notification is sent to the registrant and admin if the tech contact is missing or has an invalid email address
  • add a DS record to a domain that has one misconfigured host and at least one proper NS server
  • run the validator: the DS record is marked as invalid for the first and second time, record(s) are created in the validation table
  • run the validator a third time: a third record is created in the validations table, the DS record is removed from the .ee TLD zones
  • a notification arrives at the registrar as a poll message
  • a notification arrives at the technical contact about removing the DS record from the zone via email
    • the email notification is sent to the registrant and admin if the tech contact is missing or has an invalid email address
  • add a DS record to a domain with the correct key value but an incorrect algorithm
  • run the validator: the DS record is marked as invalid for the first time, a record is created in the validation table
  • run the validator a third time: a third record is created in the validations table, the DS record is removed from the .ee TLD zones
  • a notification arrives at the registrar as a poll message
  • a notification arrives at the technical contact about removing the DS record from the zone via email
    • the email notification is sent to the registrant and admin if the tech contact is missing or has an invalid email address

  1. What other issues can there be in relation to DNSSEC trust chain validation?
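As an added illustration of the check the issue asks for (this is not code from the registry project or from the issue author), here is a Ruby sketch of the DS-against-DNSKEY comparison and the three-strikes rule. The DS digest is recomputed from each DNSKEY a nameserver returned (RFC 4034 §5.1.4: digest over the owner name in wire form followed by the DNSKEY RDATA), compared with the registered DS on algorithm, key tag, digest type and digest, and this is done for every nameserver address so that a single host serving no key, or the DS carrying the wrong algorithm number, is reported as misconfigured. A small tracker turns the third consecutive failing run into a removal decision and resets on a clean run. The nameserver answers are constructed in-memory data standing in for real DNS queries over IPv4 and IPv6; the domain, key bytes, host labels and all helper names are assumptions.

```ruby
require 'digest'

# Illustrative models (assumed; not the registry's own classes).
DnsKey   = Struct.new(:flags, :protocol, :algorithm, :public_key_b64)
DsRecord = Struct.new(:key_tag, :algorithm, :digest_type, :digest)

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605 that this sketch models.
DIGESTS = { 1 => Digest::SHA1, 2 => Digest::SHA256, 4 => Digest::SHA384 }.freeze

# Owner name in DNS wire format: lowercased, length-prefixed labels, root terminator.
def wire_name(name)
  labels = name.downcase.chomp('.').split('.')
  labels.map { |l| [l.length].pack('C') + l }.join + "\x00".b
end

# DNSKEY RDATA: flags(16) | protocol(8) | algorithm(8) | public key bytes.
def dnskey_rdata(key)
  [key.flags, key.protocol, key.algorithm].pack('nCC') + key.public_key_b64.unpack1('m0')
end

# Key tag per RFC 4034 Appendix B (ones-complement style checksum over the RDATA).
def key_tag(key)
  ac = 0
  dnskey_rdata(key).each_byte.with_index { |b, i| ac += i.even? ? (b << 8) : b }
  ac += (ac >> 16) & 0xFFFF
  ac & 0xFFFF
end

# DS derived from a DNSKEY: digest(owner wire name | DNSKEY RDATA), RFC 4034 §5.1.4.
def ds_from_dnskey(owner, key, digest_type: 2)
  algo = DIGESTS.fetch(digest_type) { raise ArgumentError, "unsupported DS digest type #{digest_type}" }
  digest = algo.hexdigest(wire_name(owner) + dnskey_rdata(key)).upcase
  DsRecord.new(key_tag(key), key.algorithm, digest_type, digest)
end

# True when one of the DNSKEYs a nameserver returned reproduces the registered DS.
# The algorithm number is compared explicitly, so a DS with the right digest but the
# wrong algorithm (one of the issue's test cases) does not validate.
def ds_matches?(owner, ds, keys)
  keys.any? do |k|
    k.algorithm == ds.algorithm && ds_from_dnskey(owner, k, digest_type: ds.digest_type) == ds
  end
end

# `answers` maps "host/address" (IPv4 and IPv6 entries) to the DNSKEY set that address
# served; returns the hosts where the DS could not be matched (the list to put in the
# registrar/registrant notification).
def misconfigured_hosts(owner, ds, answers)
  answers.reject { |_host, keys| ds_matches?(owner, ds, keys) }.keys
end

# Counts consecutive failing runs per DS; a clean run resets the counter.
class DsValidationTracker
  REMOVE_AFTER = 3

  def initialize
    @failures = Hash.new(0)
  end

  # Returns :valid, :invalid, or :remove on the third consecutive failure.
  def record(ds_id, invalid)
    if invalid
      @failures[ds_id] += 1
    else
      @failures[ds_id] = 0
      return :valid
    end
    @failures[ds_id] >= REMOVE_AFTER ? :remove : :invalid
  end
end

# One validator run for one DS: [decision, misconfigured hosts].
def validate_run(tracker, ds_id, owner, ds, answers)
  bad = misconfigured_hosts(owner, ds, answers)
  [tracker.record(ds_id, !bad.empty?), bad]
end

# Constructed sample data (not a real key, not real hosts).
OWNER        = 'example.ee'
SAMPLE_KEY   = DnsKey.new(257, 3, 13, ['constructed, not a real ECDSA key'.b].pack('m0'))
GOOD_DS      = ds_from_dnskey(OWNER, SAMPLE_KEY)
WRONG_ALG_DS = DsRecord.new(GOOD_DS.key_tag, 8, GOOD_DS.digest_type, GOOD_DS.digest)
ALL_GOOD = {
  'ns1.example.ee/192.0.2.1'   => [SAMPLE_KEY],
  'ns1.example.ee/2001:db8::1' => [SAMPLE_KEY],
  'ns2.example.ee/192.0.2.2'   => [SAMPLE_KEY]
}.freeze
ONE_BAD = ALL_GOOD.merge('ns2.example.ee/192.0.2.2' => []).freeze

if __FILE__ == $PROGRAM_NAME
  tracker = DsValidationTracker.new
  3.times { |n| puts "run #{n + 1}: #{validate_run(tracker, 'ds-1', OWNER, GOOD_DS, ONE_BAD).inspect}" }
end
```

Running the block prints the three consecutive runs against the domain with one empty-keyed host: the first two are `:invalid` with `ns2.example.ee/192.0.2.2` listed, the third is `:remove`. A real job would replace the `answers` hash with DNSKEY queries to each nameserver address, and the `:remove` decision would drive the zone change and the poll/email notifications described in the issue.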
@thiagoyoussef thiagoyoussef self-assigned this Jul 4, 2022
No branches or pull requests

2 participants