Monitoring DNSSEC
DNSSEC is quickly becoming a vital cornerstone for internet security. Its proper functioning involves regular zone re-signing, to avoid expiration of signatures. This is a very useful thing to monitor. We ask you to develop a monitoring system for DNSSEC.
What DNSSEC does
DNSSEC signs DNS information. A chain of signatures reaches all the way down from the root nameservers, whose public key is “widely distributed and well-known”. To take part in this scheme, zones that roll out DNSSEC sign up with their parent zone for a “secure delegation”. When delegation is secure, the zone will go offline if anything about its DNSSEC is behaving badly, for example when the short-lived signatures on DNS records expire without being refreshed in time.
This clearly calls for monitoring. A solution like OpenDNSSEC will make sure to re-sign zone data some time before a signature expires; if this is getting late, an alert from a monitoring system can help to take measures in time.
Construct a MIB for SNMP
There are many monitoring systems, and they all do pretty much the same; the only official standard is SNMP, which is indeed compatible with all those other systems. SNMP has a ((…sub-)sub-)numbering scheme for all sorts of “objects” that can be monitored, and assigns meanings to those numbers through a so-called Management Information Base schema. It is common practice to define tables indexed by certain data, and to retrieve entire tables or indexed rows.
We are asking you to construct a MIB that delivers all zones that are being signed, plus vital information about their well-being. Candidates for this vital information would be the oldest signature in a zone, the signature on the SOA record, and the SOA record itself. Please consider these as well as other warning signs that may be valuable to the proper functioning of DNSSEC. Many tools have been constructed, but what we are looking for is an integrated SNMP-compliant specification for the well-being of a zone’s DNSSEC. For inspiration, you can read https://wiki.opendnssec.org/display/DOCS/kasp.xml
We suggest that you list a table, indexed by zone names, and presenting what you derived as being their relevant state. The MIB should in fact be general enough to list unsigned zones, whose SOA may be interesting but whose DNSSEC status would of course be recognisably different from properly signed zones.
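The rows of such a zone-indexed table could be derived as in the following added example, which is not part of the original assignment. It takes “oldest signature” to mean the signature that expires first, and the row keys, the three-day warning margin and the sample records are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in RFC 4034 presentation format; signatures are dummies.
SAMPLE = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2024050101 3600 600 1209600 3600
example.org. 3600 IN RRSIG SOA 13 2 3600 20240520000000 20240501000000 12345 example.org. c2lnMQ==
www.example.org. 3600 IN RRSIG A 13 3 3600 20240510000000 20240426000000 12345 example.org. c2lnMg==
unsigned.example. 3600 IN SOA ns1.unsigned.example. hostmaster.unsigned.example. 7 3600 600 1209600 3600
"""

def _ts(field):
    # RRSIG expiration in its YYYYMMDDHHmmSS form, which is always UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def zone_table(text):
    """Build one row per zone: SOA serial, SOA signature expiry, first expiry."""
    table = {}

    def row(zone):
        empty = {"serial": None, "soa_sig_expiry": None, "first_expiry": None}
        return table.setdefault(zone.lower(), empty)

    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[2] == "IN" and f[3] == "SOA":
            row(f[0])["serial"] = int(f[6])
        elif len(f) >= 13 and f[2] == "IN" and f[3] == "RRSIG":
            r, expiry = row(f[11]), _ts(f[8])  # f[11] is the signer, i.e. the zone
            if f[4] == "SOA":
                r["soa_sig_expiry"] = expiry
            if r["first_expiry"] is None or expiry < r["first_expiry"]:
                r["first_expiry"] = expiry
    return table

def zone_state(r, now, warn=timedelta(days=3)):
    """Classify a row; `warn` is a hypothetical alert margin, not from the page."""
    if r["first_expiry"] is None:
        return "unsigned"  # SOA seen, but no signatures at all
    if r["first_expiry"] <= now:
        return "expired"
    return "warning" if r["first_expiry"] - now <= warn else "ok"

if __name__ == "__main__":
    now = datetime(2024, 5, 8, tzinfo=timezone.utc)  # fixed clock for the sample
    for zone, r in sorted(zone_table(SAMPLE).items()):
        print(zone, r["serial"], r["first_expiry"], zone_state(r, now))
```

Each row maps directly onto one table entry indexed by zone name, and the state value is what a polling loop would compare against its previous value before sending a trap.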
Build and Demonstrate a Proof of Concept
We ask you to implement the MIB in a proof-of-concept implementation, perhaps in Python. The implementation can be run as an AgentX sub-agent (RFC 2741), which takes care of most of SNMP’s protocol frivolities. You would simply respond to inquiries, including searches for zones and table entries. In addition, alert states could be detected through regular local polling, and cause an “SNMP Trap” to be sent to a monitoring station.
There are various architectural approaches to monitoring DNSSEC. Investigate options; to name two, you could inspect configuration files of a tool like OpenDNSSEC or ZKT or you could extract information from DNS authoritatives. Discuss your preference and selection for implementation.
Install the Zabbix monitoring system, and configure it to retrieve the tables over SNMP, and demonstrate that they give early warnings. Define and demonstrate a template that the system can use to automatically discover your tables by searching through the number range of your MIB, perhaps from a template.
Aim for as little effort as possible for dealing with additional domains, the ideal being full automation. Even if your monitoring system does not support it (yet), you want to take care of a smarter one by supporting automatic discovery based on your MIB.
Research Questions
- What are vital life signs for monitoring DNSSEC?
- What are vital life signs for monitoring DNS?
- How to construct a MIB for DNSSEC?
- How to conduct monitoring based on such a MIB?
- How do architectures for monitoring DNSSEC compare?