SecSpider the DNSSEC Monitoring Project

Frequently Asked Questions (FAQ)



Q: What does consistency mean?
A: Consistency is the percentage of active pollers that observed identical data for a given data set. If any item in the data observed by one poller differs from what the other pollers saw, the sets are considered inconsistent.
Q: What is a stale RRset?
A: A stale RRset is an RRset that is vulnerable to replay. This occurs when an already-signed RRset is re-signed while its previous signature is still valid AND the new RRset has new values. An example would be if a DNSKEY set is signed for a month, and during that month (say on day 2) an existing DNSKEY is replaced (or the set is just augmented with a new DNSKEY). In any similar case, the RRset has changed, but the old signature will still verify the old contents for the remainder of the month. We call this set "stale."
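The stale-RRset condition above, as an added example that is not part of the SecSpider page or its code: a list of constructed poller observations of a zone's DNSKEY RRset (key identities plus the RRSIG validity window) is scanned for versions whose contents changed while the signature over an earlier, different version was still valid. The observation layout and the 30-day signature window are assumptions for the sample.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DnskeyObservation:
    """One poll of a zone's DNSKEY RRset and the RRSIG covering it (constructed model)."""
    seen_at: datetime
    keys: frozenset            # identities (e.g. key tags) of the DNSKEYs in the RRset
    sig_inception: datetime
    sig_expiration: datetime


def dnskey_lifetime(obs):
    """The DNSKEY lifetime is the validity window of the RRSIG over the DNSKEY RRset."""
    return obs.sig_expiration - obs.sig_inception


def stale_windows(observations):
    """Find stale RRsets: the contents changed while an RRSIG over an earlier,
    different version was still valid, so a replay of that old signed set would
    still validate. Returns (changed_at, replayable_until, old_keys) per old
    version, with changed_at being the first poll that showed new contents."""
    history = sorted(observations, key=lambda o: o.seen_at)
    found = {}
    for i, cur in enumerate(history):
        for prev in history[:i]:
            if prev.keys != cur.keys and prev.sig_expiration > cur.seen_at:
                found.setdefault((prev.keys, prev.sig_expiration), cur.seen_at)
    return [(changed, exp, keys) for (keys, exp), changed in found.items()]


# Constructed sample: signed for 30 days, a key added on day 2 and re-signed,
# then a routine re-signing on day 40 after the original signature expired.
T0 = datetime(2024, 1, 1)
DAY = timedelta(days=1)
SAMPLE = [
    DnskeyObservation(T0, frozenset({1001, 1002}), T0, T0 + 30 * DAY),
    DnskeyObservation(T0 + 2 * DAY, frozenset({1001, 1002, 1003}), T0 + 2 * DAY, T0 + 32 * DAY),
    DnskeyObservation(T0 + 10 * DAY, frozenset({1001, 1002, 1003}), T0 + 2 * DAY, T0 + 32 * DAY),
    DnskeyObservation(T0 + 40 * DAY, frozenset({1001, 1002, 1003}), T0 + 40 * DAY, T0 + 70 * DAY),
]

if __name__ == "__main__":
    for changed, until, old in stale_windows(SAMPLE):
        print(f"stale: set {sorted(old)} replayable from {changed:%F} until {until:%F}")
```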
Q: How do you determine DNSKEY lifetime?
A: The RRSIG attached to the DNSKEY RRset determines the DNSKEY lifetime.
Q: How do you determine trust anchors?
A: We look for DS records for a zone's keys in the parent zone. If we locate any, we attempt to cryptographically verify them. If at least one of the records is verified to be correct, the parent zone is considered the trust anchor.
Q: How do you determine islands of trust?
A: We trace all trust delegations (i.e., DS records) as far up the DNS hierarchy as possible. Once we reach a zone whose parent does not contain a DS record, we consider that zone the trust anchor for an island of trust. All zones for which there is a delegation chain from that anchor are considered parts of the island.
Q: What is the format for the DS and DNSKEY record files?
A: Please refer to the usage page.
Q: How do I use the signed DS and DNSKEY record files?
A: We provide cryptographic signatures for the DS and DNSKEY records so end-users can verify that the data values have not been tampered with. In order to verify them, you need PGP software (such as GPG) and our public key, which can be found on the main page. Please refer to the documentation for your PGP software to see how to verify signatures.
Q: What is your DLV repository and how can I use it?
A: The SecSpider DLV repository contains DLV records for each zone that has 100% consistency across our pollers. What that means is that if we query a zone and we see the same DNSKEY RRset from all of our pollers, we consider the key-set "consistent" and we generate a DLV record for each key in the set. DLV records act as fingerprints for DNSKEYs. They are fully specified in RFC 5074.

This information is loaded into our signed zone as DLV records and they can be queried for by issuing the command:

   dig <zone name>.dlv.secspider.cs.ucla.edu dlv

An example would be:

   dig se.dlv.secspider.cs.ucla.edu dlv

The simple 3 minute guide to enabling DLV validation using SecSpider is:

  1. Make a copy of your named.conf file to be safe: cp named.conf named.conf.`date +%s`
  2. Get our key-fetch script: keygrab.pl
  3. Pick a place where you would like to store SecSpider's DLV trust anchor as a file (such as next to your named.conf file). Say: /etc/named/secspider-trust-anchor.conf and then run keygrab.pl, writing to that same path so the include statement in step 5 finds it:
      ./keygrab.pl > /etc/named/secspider-trust-anchor.conf
  4. Open your named.conf file in a text editor, modify the options{ } section of this file and add (or make sure to include):
      dnssec-enable yes;
      dnssec-validation yes; // BIND 9.4 and later
      dnssec-lookaside . trust-anchor dlv.secspider.cs.ucla.edu;
  5. Next (while still in named.conf), add a line outside the options{ ... } block to include the SecSpider trust anchor:
      options {
        ...
      };
    
      include "/etc/named/secspider-trust-anchor.conf";
                  
  6. Exit the editor and make sure BIND understands the conf file: named-checkconf named.conf
  7. If there were no complaints, restart BIND and you should be verifying!
  8. Once you are happy, it might be a good idea to re-fetch the SecSpider key every so often. You can cron the above keygrab.pl command and restart your BIND server periodically.
Note: this guide was heavily influenced by several instructive tutorials that describe how to actually configure your resolver to use our repository. A good candidate is: this one. Just replace the references to dlv.<...>.org. with dlv.secspider.cs.ucla.edu.
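How a DLV record is derived from a consistently observed DNSKEY, as an added example that is not SecSpider's own code: the consistency check from the first FAQ entry gates record generation (only 100% agreement across pollers qualifies, as the DLV answer states), and each key is fingerprinted in DS format as RFC 4431 requires, with the digest taken over the original zone name rather than the name inside the DLV zone. The SHA-256 digest type, the key-tag rule for non-RSA/MD5 algorithms, and the constructed pollers and placeholder public keys are assumptions, not values from the page.

```python
import hashlib


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name: 'se.' -> b'\\x02se\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA layout (RFC 4034): flags(2) protocol(1) algorithm(1) key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dlv_record(zone, flags, protocol, algorithm, pubkey):
    """DLV RDATA (same format as DS, RFC 4431), digest type 2 = SHA-256 (assumed).
    The digest covers the original zone's owner name plus the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"


def consistency(poller_views):
    """Percentage of pollers whose DNSKEY set matches the most common one (assumed reading)."""
    sets = [frozenset(v) for v in poller_views.values()]
    return 100.0 * max(sets.count(s) for s in set(sets)) / len(sets)


def dlv_records(zone, poller_views):
    """SecSpider publishes DLV records only for zones with 100% consistency."""
    if consistency(poller_views) < 100.0:
        return []
    return [dlv_record(zone, *k) for k in next(iter(poller_views.values()))]


# Constructed sample: zone "se" as seen by three pollers; the key bytes are placeholders.
KSK = (257, 3, 8, bytes.fromhex("01020304"))
ZSK = (256, 3, 8, bytes.fromhex("0a0b0c0d0e0f"))
AGREEING_POLLERS = {"poller-a": [KSK, ZSK], "poller-b": [ZSK, KSK], "poller-c": [KSK, ZSK]}
SPLIT_POLLERS = {**AGREEING_POLLERS, "poller-c": [KSK]}   # one poller sees a different set
```

Each returned string is the RDATA that would sit behind `se.dlv.secspider.cs.ucla.edu DLV` in the repository; with a real key you would compare it against the `dig ... dlv` output shown above.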
Q: Can we access your raw data?
A: Yes, contact us to work out the details.
Q: What is a "Production" zone?
A: SecSpider attempts to separate DNSSEC test zones from those that seem to be production. The goal is to aid people in finding information about zones, and to differentiate between behaviors seen in actual deployments, and test-zone behavior.

When we crawl our list of zones, we also test each zone to see if it has been configured with either a "www" A record or an MX record, and whether either of them is online and accepting connections. Any zone that meets these criteria is considered a "Production" zone. In order to correct for zones that are in production but are missed by our automated tests, we offer the option for users to specify that a zone is production (regardless of whether it has a www or MX record, etc.).

