DNS Root with accelerated, continually rolling KSK/ZSKs algorithms
- LIVE
RLamb March 2023.
Resurrected Last KSK Roll Mission.
8 May 2023 1500-2300 PDT: site down due to ISP outage
11 Jan 2024 0000-2300 PDT: site down due to ISP outage
Root server current state indicated by red block in first row.
~60 seconds per slot
To test, use the resolver config unbound.conf.txt and root.hints.txt.
Set the initial unbound.root.key.txt to:
. 12 IN DNSKEY 257 3 14 y6DH32L/AP5cfTC9XeB0RTzNw031T4SnxZMVY34O4ghwI2Zx83Hk7g89 wZdV1WSTC9QWnFUk21lNSPwBm7R327Q6rodZNecH8HYQcfUWlk469brc DU0/BWnpfWonbBj5
. 12 IN DNSKEY 257 3 15 y1oeMh48zB28xAzIzdi+xzXeCk+WCSRe37zcvG7T8Mc=
This works for me (you may need to change username/port/etc):
wget http://a.moot-servers.net/unbound.conf.txt http://a.moot-servers.net/root.hints.txt http://a.moot-servers.net/unbound.root.key.txt; unbound -c unbound.conf.txt -d
Then run dig queries against unbound and watch it auto-update unbound.root.key.txt.
FYI: Double signing could double the size of the root zone file.
Accelerated test root is based on real root pulled down once a day.
Please be nice and don't hit this site/DNS too hard! I don't have infinite bandwidth.
Resolver notes:
Not only will you need to point root hints and keys at our test server, but
you will also need to set your resolver-specific setting for accelerated
RFC 5011 processing. See https://www.co.tt/files/icksk/ for how to.
These have likely changed since the first root key rollover, but as
fodder for moving forward:
Unbound: add-holddown: 175, del-holddown: 175. Run "cat unbound.root.key.txt" to see what Unbound thinks is valid (e.g. "[ VALID|APPEND|REVOKED ]" at the end of each key).
Watch out for algorithm downgrade attack protections when experimenting.
Works!
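Reading unbound.root.key.txt by eye gets tedious once several keys are rolling at once, and the "[ VALID ]"-style comments only tell you what Unbound believes, not whether the record on that line is the key you think it is. The following is an added example, not code from this page or from Unbound: it parses an auto-trust-anchor file, recomputes each key's tag from the DNSKEY RDATA (RFC 4034 Appendix B), reads the REVOKE flag bit (RFC 5011), and cross-checks both against Unbound's ";{id = N" and ";;state=N [ NAME ]" annotations. The sample file, its keys, tags and timestamps are all constructed; the comment layout is assumed to follow Unbound's autotrust format, and the parser also accepts base64 split by spaces as in the records quoted above.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of an Unbound auto-trust-anchor-file (what the page
# calls unbound.root.key.txt). Keys, tags and timestamps are made up; the
# layout follows Unbound's autotrust format, where each DNSKEY RR is
# followed by a ";{id = <keytag> ...}" comment and a ";;state=N [ NAME ]"
# comment. The last record carries a deliberately wrong id so the audit
# has something to report.
SAMPLE_ANCHOR_FILE = """\
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1700000000 ;;Tue Nov 14 22:13:20 2023
;;last_success: 1700000000 ;;Tue Nov 14 22:13:20 2023
;;next_probe_time: 1700005400 ;;Tue Nov 14 23:43:20 2023
;;query_failed: 0
;;query_interval: 5400
;;retry_time: 3600
.\t86400\tIN\tDNSKEY\t257 3 15 AQIDBA== ;{id = 2070 (ksk), size = 32b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1699990000
.\t86400\tIN\tDNSKEY\t385 3 15 AQIDBA== ;{id = 2198 (ksk), size = 32b} ;;state=4 [  REVOKED  ] ;;count=0 ;;lastchange=1699995000
.\t86400\tIN\tDNSKEY\t257 3 14 //8= ;{id = 1039 (ksk), size = 16b} ;;state=1 [  ADDPEND  ] ;;count=3 ;;lastchange=1699998000
.\t86400\tIN\tDNSKEY\t257 3 13 AAAA ;{id = 9999 (ksk), size = 24b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1699998000
"""

REVOKE_BIT = 0x0080  # RFC 5011 section 2.1: bit 8 of the DNSKEY flags


@dataclass
class TrustAnchor:
    owner: str
    flags: int
    algorithm: int
    key_tag: int                 # recomputed from RDATA (RFC 4034 App. B)
    annotated_id: Optional[int]  # what the file's ";{id = N" comment claims
    state: Optional[str]         # RFC 5011 state name Unbound wrote, e.g. VALID
    revoked_bit: bool            # REVOKE flag set in the record itself


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_anchor_file(text: str) -> List[TrustAnchor]:
    """Parse 'owner TTL IN DNSKEY flags proto alg key...' lines plus comments."""
    anchors: List[TrustAnchor] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # autotrust metadata lines and blanks
        rr, _, comment = line.partition(";")
        fields = rr.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        flags, proto, alg = int(fields[4]), int(fields[5]), int(fields[6])
        pubkey = base64.b64decode("".join(fields[7:]))  # tolerate wrapped base64
        id_m = re.search(r"\{id = (\d+)", comment)
        state_m = re.search(r"\[\s*([A-Z]+)\s*\]", comment)
        anchors.append(TrustAnchor(
            owner=fields[0], flags=flags, algorithm=alg,
            key_tag=key_tag(flags, proto, alg, pubkey),
            annotated_id=int(id_m.group(1)) if id_m else None,
            state=state_m.group(1) if state_m else None,
            revoked_bit=bool(flags & REVOKE_BIT)))
    return anchors


def audit(anchors: List[TrustAnchor]) -> List[str]:
    """Findings a resolver operator would want to act on."""
    findings = []
    for a in anchors:
        if a.annotated_id is not None and a.annotated_id != a.key_tag:
            findings.append(f"{a.owner}: file says id={a.annotated_id} but RDATA "
                            f"hashes to tag {a.key_tag}")
        if a.revoked_bit and a.state not in ("REVOKED", "REMOVED"):
            findings.append(f"key {a.key_tag}: REVOKE bit set but state is {a.state}")
        if not a.revoked_bit and a.state == "REVOKED":
            findings.append(f"key {a.key_tag}: state REVOKED but REVOKE bit clear")
    if not any(a.state == "VALID" for a in anchors):
        findings.append("no VALID trust anchor: validation will fail")
    return findings


def valid_algorithms(anchors: List[TrustAnchor]) -> set:
    """Algorithms for which at least one anchor is VALID (downgrade-check aid)."""
    return {a.algorithm for a in anchors if a.state == "VALID"}


if __name__ == "__main__":
    anchors = parse_anchor_file(SAMPLE_ANCHOR_FILE)
    for a in anchors:
        print(f"{a.owner} alg={a.algorithm} tag={a.key_tag} "
              f"state={a.state} revoked_bit={a.revoked_bit}")
    for f in audit(anchors):
        print("finding:", f)
    print("algorithms with a VALID anchor:", sorted(valid_algorithms(anchors)))
```

The first two sample records are the same public key before and after revocation; because the REVOKE bit is part of the RDATA the tag changes (2070 versus 2198 here), which is why a revoked key shows up under a new id in resolver logs. Pointing parse_anchor_file at the real file is a one-line change; the algorithm set is worth printing while experimenting with the downgrade protections mentioned above.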
Windows Server 2016 and 2022 DNS: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters, use Edit --> New --> DWORD to create
TestMode_AccelerateRFC5011Timing and set its value to 1, and
TestMode_AccelerateKeyRolloverTiming and set its value to 1.
See this. Version: "DNS Microsoft Corporation Version: 1.0"
Fails on Algorithm 15 ed25519
Bind: start it with command-line parameters like: named -c named.conf -T mkeytimers=1/6/180 with trust-anchors { } in named.conf. You'll see log entries like: managed-keys-zone: New key 5413 observed for zone '.': starting 30-day acceptance timer; Key 14116 for zone . is now trusted (acceptance timer complete); Trusted key 14244 for zone . is now revoked; Revoked key 14244 for zone . no longer present in DNSKEY RRset: deleting from managed keys database. (a script)
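Those four managed-keys messages map onto the RFC 5011 states a key walks through (observed = add-pending, trusted = valid, revoked, deleted), so they can be replayed from a log to see where every key tag stands and to spot a transition that skipped a step. The following is an added example, not from this page or from BIND: it replays constructed log lines (timestamps and most tags are made up; the message texts are the ones quoted above) and reports the final state per (zone, key tag) plus any transition whose predecessor state was not the expected one. Allowing "revoked" from an unknown prior state is an assumption made because the initial trust anchor from named.conf never produces an "observed" message.

```python
import re
from typing import Dict, List, Tuple

# Constructed BIND log excerpt. Timestamps and the 777 key are invented;
# the managed-keys-zone message texts are those quoted on the page.
SAMPLE_BIND_LOG = """\
13-Jan-2024 09:00:01.000 general: info: managed-keys-zone: New key 14116 observed for zone '.': starting 30-day acceptance timer
13-Jan-2024 09:31:01.000 general: info: managed-keys-zone: Key 14116 for zone . is now trusted (acceptance timer complete)
13-Jan-2024 09:32:01.000 general: info: managed-keys-zone: New key 5413 observed for zone '.': starting 30-day acceptance timer
13-Jan-2024 10:00:01.000 general: info: managed-keys-zone: Trusted key 14244 for zone . is now revoked
13-Jan-2024 10:30:01.000 general: info: managed-keys-zone: Revoked key 14244 for zone . no longer present in DNSKEY RRset: deleting from managed keys database
13-Jan-2024 10:45:01.000 general: info: managed-keys-zone: Key 777 for zone . is now trusted (acceptance timer complete)
"""

# (pattern, resulting RFC 5011 state, prior states from which it is expected).
# None means "key not seen earlier in this log".
TRANSITIONS = [
    (re.compile(r"New key (\d+) observed for zone '([^']+)'"), "ADDPEND", {None, "REMOVED"}),
    (re.compile(r"Key (\d+) for zone (\S+) is now trusted"), "VALID", {"ADDPEND"}),
    (re.compile(r"Trusted key (\d+) for zone (\S+) is now revoked"), "REVOKED", {"VALID", None}),
    (re.compile(r"Revoked key (\d+) for zone (\S+) no longer present"), "REMOVED", {"REVOKED"}),
]

KeyId = Tuple[str, int]  # (zone, key tag)


def replay_managed_keys_log(log: str) -> Tuple[Dict[KeyId, str], List[str]]:
    """Walk the log in order; return final state per key and odd transitions."""
    state: Dict[KeyId, str] = {}
    findings: List[str] = []
    for line in log.splitlines():
        for pattern, new_state, expected_prev in TRANSITIONS:
            m = pattern.search(line)
            if not m:
                continue
            tag, zone = int(m.group(1)), m.group(2)
            prev = state.get((zone, tag))
            if prev not in expected_prev:
                findings.append(f"key {tag} zone {zone}: {prev} -> {new_state} "
                                f"without the expected prior state")
            state[(zone, tag)] = new_state
            break  # one message matches one transition
    return state, findings


if __name__ == "__main__":
    final, odd = replay_managed_keys_log(SAMPLE_BIND_LOG)
    for (zone, tag), st in sorted(final.items()):
        print(f"zone {zone} key {tag}: {st}")
    for f in odd:
        print("finding:", f)
```

Run against a real named log (grep for managed-keys-zone first) it gives a quick answer to "did the accelerated rollover actually complete for every key, and in the right order?", which is easier to check here than by scrolling the raw log.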
Copyright (c) 2023 RLamb
Permission to use, copy, modify, and/or distribute this software for
non-commercial use without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all copies.
THE SERVICE AND SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS
ALL WARRANTIES WITH REGARD TO THIS SERVICE OR SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA
OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SERVICE OR SOFTWARE.