Ga naar 'Home'


672 artikelen

  1. Monitoring signature expiration online

    One of the things we discovered while we were rolling out our deployment is that it is very important to monitor the availability of signed zones (see also this post by Migiel de Vos on monitoring). We have deployed default monitoring based on Nagios, with checks that verify if all signer components are running. One of the things we cannot check that way is whether signatures are valid for long enough. And that is a very important indicator of the status of the signer. Even if the signer daemon is running, that does not guarantee that it is actually resigning the zone correctly.
    Screenshot of computer settings
  2. Monitoring DNSSEC

    DNS is currently a “once it runs, never touch it again” infrastructure. This changes with the introduction of DNSSEC. Managing a DNSSEC signed zone involves a continuous effort of resigning zones and generating key material. Apart from that, DNS is a fundamental Internet protocol, thus the changes required to implement DNSSEC have an impact at many levels of the Internet infrastructure. In turn, DNSSEC is affected by many network elements. The result of this is that there are potentially some operational issues that might affect a DNSSEC signed zone.
    Student aan het werk op laptop