This article describes the implementation of DNSSEC as it relates to BitFolk and its customers.
- 1 What
- 2 Implementation at BitFolk
- 3 Your domains
- 4 BitFolk's domains
- 5 BitFolk's DNS resolvers
"The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality."
- – DNSSEC at Wikipedia
Implementation at BitFolk
There's several different places where DNSSEC can be implemented:
- BitFolk's DNS resolvers
- The things you have configured in your /etc/resolv.conf
- BitFolk's domains
- i.e., bitfolk.com and bitfolk.co.uk
- Your domains
Easy one out of the way first.. there's nothing BitFolk needs to do in order to support DNSSEC records in your domains.
If you want to enable DNSSEC on your domains you should go ahead and do that; BitFolk's secondary DNS servers will serve those records without issue.
Clients will of course still need to use a validating resolver in order to gain any benefit from you having enabled DNSSEC.
We'll start looking into enabling DNSSEC for bitfolk.com and bitfolk.co.uk once BitFolk's resolvers have DNSSEC support.
Aside from the obvious benefits of protecting against mangling of our DNS data, supporting DNSSEC in bitfolk.com will allow us to publish SSHFP and DANE records. SSHFP particularly will help customers to trust that they really are connecting to a BitFolk host the first time they need to connect to their console. At the moment that is somewhat awkward.
BitFolk's DNS resolvers
Enabling DNSSEC validation on BitFolk's resolvers is quite a big deal, because almost every customer users those resolvers for all their traffic, and it is expected that enabling validation will cause some degree of breakage – there will be a non-zero number of domains that have enabled DNSSEC incorrectly thus making themselves unresolvable by a validating resolver. We therefore have to plan this quite carefully.
26th March 2013: Initial consultation
27th March 2013: Test resolver made available
A test resolver with DNSSEC validation enabled was made available on 184.108.40.206. You can either put all your traffic through it by replacing all IPs in your /etc/resolv.conf with this IP address, or else you can test specific queries against this resolver:
dig -t a www.dnssec-failed.org @220.127.116.11 dig -t txt test.dnssec-or-not.net @18.104.22.168
29th March 2013: Plan announced
30th March 2013: Permissive mode enabled
DNSSEC validation in permissive mode was enabled on BitFolk's production resolvers. This performs validation but in the event of a validation failure merely logs the problem and still returns the answer as normal. It will allow us to gauge the impact of enabling validation for real.
6th April 2013: Analysis of validation logs
An analysis of DNSSEC validation failures in the logs from 30th March onwards:
DNSSEC for the whole of the 177.* reverse DNS tree was broken for at least two days.
The following domains appear to still be broken at time of writing.
Unless they get fixed they will not be resolvable from BitFolk after Monday 29th April 2013. If you have an interest in being able to resolve them from BitFolk then you should take your own steps to try to get them fixed, e.g. by contacting them now.
Anything not listed here got fixed.
29th April 2013: Validation was enabled
Full DNSSEC validation was enabled on this date.