Root Zone KSK Algorithm Rollover

DNS root with accelerated, continually rolling KSK/ZSK algorithms - LIVE
RLamb March 2023. Resurrected Last KSK Roll Mission.

The root server's current state is indicated by the red block in the first row; each slot is ~60 seconds.
To test, use the resolver config unbound.conf.txt and root.hints.txt.

Set initial unbound.root.key.txt to:
.			12	IN	DNSKEY	257 3 13 xLSxdy1U1OsotMODySom6p8Y24AAXNhYx8GtfYK/S1bIpWZrw8atj0j7 bFy5DA+iktUQurlw/K296KlTj+KcHQ==
.			12	IN	DNSKEY	257 3 14 DKi2I2ybJtfoxfY0+W8L2PzhOLD6n4/4pttygqcBuVJNOW5g8osoZ2dv Uc/eL7VAVJpdOjF6KpkyWhdPKeYNeCQ1kwup9TX7C72jkS0DgJv/51CR FImRdpqc5OE5aSbj

This works for me (you may need to change username/port/etc):
  wget http://a.moot-servers.net/unbound.conf.txt http://a.moot-servers.net/root.hints.txt http://a.moot-servers.net/unbound.root.key.txt; unbound -c unbound.conf.txt -d
Then run "dig" queries against unbound and watch it auto-update unbound.root.key.txt.
[Live status grid snapshot: 18 slots headed T+0, T+10, ..., T+80 (the sequence shown twice), ~60 seconds per slot]
Row 1: 17112-13 in every slot
Row 2: 10492-14 in every slot
Row 3: 64195-13 in every slot
Row 4: 62715-14 in every slot
Row 5 (MSG SIZE / zone file size): 280/1.31M, then 628/1.93M for the next four slots, then 0/0.00M for the remaining thirteen slots

Notes:

  • Squares contain key tag number-algorithm number. Rotates through RSASHA256, ECDSAP256SHA256, ECDSAP384SHA384, ED25519.
  • Green: current ZSK; Yellow: next ZSK; Pink: current KSK; Orange: next KSK
  • Red: KSK with the revoke bit set in its DNSKEY record
  • Last row is "MSG SIZE" in bytes from "dig @me +multi +dnssec -t dnskey ." / signed root zone file size.
  • LIVE trust anchors (CSR, cert, newCSR, newcert, pkcs7, xml) as per the trust-anchor file specification and draft-jabley-dnssec-trust-anchor
  • FYI: Double signing could double the size of the root zone file.
  • The accelerated test root is based on the real root zone, pulled down once a day.
  • Please be nice and don't hit this site/DNS too hard! I don't have infinite bandwidth.

Resolver notes:

Not only will you need to point root hints and keys at our test server, but you will also need to set your resolver-specific settings for accelerated RFC 5011 processing. See https://www.co.tt/files/icksk/ for how to. These have likely changed since the first root key rollover, but as fodder for moving forward:
Unbound: add-holddown: 175, del-holddown: 175. Run "cat unbound.root.key.txt" to see what Unbound thinks is valid (e.g. "[ VALID|APPEND|REVOKED ]" at the end of keys). Watch out for algorithm downgrade attack protections when experimenting. Works!
Windows Server 2016 and 2022 DNS: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters, Edit --> New --> DWORD, create TestMode_AccelerateRFC5011Timing and set its value to 1, and TestMode_AccelerateKeyRolloverTiming and set its value to 1. Version: "DNS Microsoft Corporation Version: 1.0". Fails on algorithm 15 (ed25519).
BIND: start it with command line parameters like: named -c named.conf -T mkeytimers=1/6/180 with trust-anchors { } in named.conf. You'll see log entries like: managed-keys-zone: New key 5413 observed for zone '.': starting 30-day acceptance timer; Key 14116 for zone . is now trusted (acceptance timer complete); Trusted key 14244 for zone . is now revoked; Revoked key 14244 for zone . no longer present in DNSKEY RRset: deleting from managed keys database. (a script) Works!
kresd: trust_anchors.hold_down_time = 175 * sec, trust_anchors.refresh_time = 10 * sec, trust_anchors.keep_removed = 1
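As an added example (not part of this page and not any resolver's own code), a small Python script that parses DNSKEY lines in the presentation format shown above, computes the RFC 4034 key tag so its output matches the grid's key-tag-algorithm squares, flags the RFC 5011 revoke bit, and reads the bracketed state Unbound appends to keys in unbound.root.key.txt. The sample lines and the 3-byte key 'AQID' are constructed, and the ';;state=N [ NAME ]' trailer format is assumed from Unbound's autotrust file.

```python
import base64
import re
from dataclasses import dataclass

# IANA algorithm numbers for the algorithms the test root rotates through.
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}
REVOKE_BIT = 0x0080  # DNSKEY flags bit defined by RFC 5011
SEP_BIT = 0x0001     # Secure Entry Point bit; a KSK has flags 257 = 256 + SEP

@dataclass
class KeyInfo:
    key_tag: int
    algorithm: int
    revoked: bool
    sep: bool
    state: str    # Unbound's bracketed state (VALID, REVOKED, ...) if annotated, else ""
    rdata: bytes  # wire RDATA: flags, protocol, algorithm, public key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B over the DNSKEY RDATA."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def parse_dnskey_line(line: str) -> KeyInfo:
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64..> [;;state=N [ NAME ]]'.
    The ';;state=N [ NAME ]' trailer is assumed to follow Unbound's autotrust annotation."""
    rr, _, comment = line.partition(";")
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split into chunks
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    m = re.search(r"\[\s*([A-Z]+)\s*\]", comment)
    return KeyInfo(key_tag(rdata), alg, bool(flags & REVOKE_BIT), bool(flags & SEP_BIT),
                   m.group(1) if m else "", rdata)

def revoked_key_tag(info: KeyInfo) -> int:
    """Tag the same key gets once its revoke bit is set: flags are part of the RDATA the
    tag covers, so a revoked KSK shows up under a new key tag (RFC 5011, section 2.1)."""
    flags = int.from_bytes(info.rdata[:2], "big") | REVOKE_BIT
    return key_tag(flags.to_bytes(2, "big") + info.rdata[2:])

if __name__ == "__main__":
    # Constructed sample lines; the 3-byte key 'AQID' is a placeholder, not a real key.
    for line in (".\t12\tIN\tDNSKEY\t257 3 13 AQ ID ;;state=2 [  VALID  ] ;;count=0",
                 ". 12 IN DNSKEY 385 3 14 AQID ;;state=4 [  REVOKED  ]"):
        k = parse_dnskey_line(line)
        print(f"{k.key_tag}-{k.algorithm} {ALGORITHMS.get(k.algorithm, '?')}",
              "KSK" if k.sep else "ZSK", k.state or "-", "| tag once revoked:", revoked_key_tag(k))
```

Run it against a copy of unbound.root.key.txt (one DNSKEY line at a time) to see which key tag each square in the grid corresponds to and whether Unbound has moved that key to VALID or REVOKED yet.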

Copyright (c) 2023 RLamb
Permission to use, copy, modify, and/or distribute this software for non-commercial use without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SERVICE AND SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SERVICE OR SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SERVICE OR SOFTWARE.