@k-oguma
Created October 10, 2018 08:50
DNS: KSK Rollover pre-checker

Base

Confirm that DNSSEC validation is enabled

dig dnssec-failed.org a +noall +dnssec +comments

If the received output includes ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL then the resolver is performing DNSSEC validation. (The status SERVFAIL means that validation failed, which is the expected result for this deliberately broken test zone; the point is that validation was actually performed.)

If the received output includes ;; ->>HEADER<<- opcode: QUERY, status: NOERROR then the resolver is not performing DNSSEC validation.

Confirm EDNS0 support and that large DNS replies can be received

dig +bufsize=4096 +short rs.dns-oarc.net txt
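As an added example (not part of the original gist), a small POSIX shell helper that interprets the output of the two dig commands above instead of eyeballing it. It assumes dig is on PATH and that the rs.dns-oarc.net TXT answer contains the text "DNS reply size limit is at least NNNN" as that service returns it; the 1414-byte default threshold is an assumption, given as the size of the root DNSKEY response while both KSKs are published.

```shell
#!/bin/sh
# Added example: pre-check helpers for the two dig checks in this gist.

# Read dig output on stdin; print one word describing the resolver's behaviour.
classify_dnssec_validation() {
  status=$(sed -n 's/^;; ->>HEADER<<- opcode: QUERY, status: \([A-Z]*\).*/\1/p' | head -n 1)
  case "$status" in
    SERVFAIL) echo "validating" ;;      # validation ran and rejected the broken zone
    NOERROR)  echo "not-validating" ;;  # broken zone was accepted: no validation
    "")       echo "no-answer" ;;       # no header line (timeout, dig missing, ...)
    *)        echo "other:$status" ;;   # e.g. REFUSED: investigate separately
  esac
}

# Read the rs.dns-oarc.net TXT answer on stdin; print the reply size it measured.
reply_size_limit() {
  sed -n 's/.*DNS reply size limit is at least \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Exit 0 if the measured reply size is at least $1 bytes (no size counts as 0).
reply_size_ok() {
  size=$(reply_size_limit)
  [ "${size:-0}" -ge "$1" ]
}

# Live checks (need network). MIN_REPLY is the smallest reply the resolver must
# be able to receive; 1414 is assumed here (root DNSKEY response with two KSKs).
run_prechecks() {
  MIN_REPLY=${MIN_REPLY:-1414}
  echo "dnssec validation: $(dig dnssec-failed.org a +noall +dnssec +comments | classify_dnssec_validation)"
  if dig +bufsize=4096 +short rs.dns-oarc.net txt | reply_size_ok "$MIN_REPLY"; then
    echo "edns0 reply size:  ok (>= $MIN_REPLY)"
  else
    echo "edns0 reply size:  too small or unknown"
  fi
}

# Constructed sample header (not real dig output) to exercise the parser offline.
sample_header=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
[ "$(printf '%s\n' "$sample_header" | classify_dnssec_validation)" = "validating" ] && echo "sample: validating"
```

Run `run_prechecks` on each host (or wrap it in the kubectl, ansible or consul invocations below) to get a one-line verdict per resolver.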

k8s

e.g.

kubectl get pod -o json | jq -r '.items[].metadata.name' | xargs -I% kubectl exec % -- /usr/bin/dig dnssec-failed.org a +noall +dnssec +comments

Ansible

e.g.

ansible -i ./gce.pl all -m shell -a "dig dnssec-failed.org a +noall +dnssec +comments"

Consul

  • If the consul exec command is available, e.g.
consul exec "dig dnssec-failed.org a +noall +dnssec +comments"

cf. How to resolve issues if a problem is caused by the KSK rollover
