Woohoo! Google Cloud DNS now with DNSsec!


mrey...@greenpeace.org

Aug 5, 2016, 12:29:00 AM
to cloud-dns-discuss
Very happy to see this. Have been waiting and waiting for years!

Thank you!

I have set up and am testing under greenpeace.site.
All seems fine and dandy to me, passing tests etc.

What I'm wondering about is the planned timelines for
Alpha, then Beta I would guess, then full production.

What I'm also wondering about is what does the usual Alpha
and eventually Beta status do to an existing operating domain?

Is the DNSsec part Alpha/Beta, with the general domain DNS
operating as normal, under a production SLA?

Or, does applying DNSsec to a domain, make the whole
domain then Alpha/Beta?

regards
Mark

Alex Dupuy

Aug 5, 2016, 1:48:29 PM
to cloud-dns-discuss, mrey...@greenpeace.org
DNSSEC for Cloud DNS is already in Alpha. See https://cloud.google.com/terms/launch-stages for official definitions of the stages. No official timeline has been announced.

In general, features that are enabled in Alpha would remain enabled for Beta or GA, but APIs are not committed, and may change; in some cases this may mean that data/configuration might need to be migrated, possibly manually (although we try very hard to handle this automatically).

It is unlikely those general concerns would apply for you, unless you were using some of the more advanced features, such as using NSEC instead of NSEC3, or selecting non-default DNSSEC signing algorithms, and at this time we're not aware of any issues even with those.

Richard Woodbury

Aug 5, 2016, 3:26:15 PM
to cloud-dns-discuss
Is the DNSsec part Alpha/Beta, with the general domain DNS
operating as normal, under a production SLA?

Or, does applying DNSsec to a domain, make the whole
domain then Alpha/Beta?

If you enable DNSSEC on a zone, that entire zone is considered Alpha, and is thus not covered by our SLA. This is because validating resolvers will require it to be signed properly, and any bugs could cause validating errors. One of the goals of the Alpha is to invite enthusiastic users such as yourself to help us flush out such bugs. If you received an invitation (or will soon receive one if you signed up for one), you'll see language saying not to use the DNSSEC feature for a production zone during the Alpha.

If you have other zones in your project that do not have DNSSEC turned on, they are not part of the Alpha, and are still covered by our production SLA. In other words, signing up your account for the DNSSEC Alpha doesn't suddenly cause all of your zones to be supported as Best Effort -- only ones where you've enabled DNSSEC.

Of course, once any feature is launched to GA (General Availability), it is fully supported as are all features of the product.

mrey...@greenpeace.org

Aug 5, 2016, 8:13:02 PM
to cloud-dns-discuss
Thanks Richard & Alex. That makes it all very clear to me.

Was wondering, are there any automated tests, or processes, we could be running against our DNSsec domains serviced by Google Cloud DNS in order to provide additional stats and confidence that all is well?

I'm sure google people would be setting them up anyway, but would client side statistics help any?

regards
Mark

Alex Dupuy

Aug 5, 2016, 10:21:29 PM
to cloud-dns-discuss, mrey...@greenpeace.org
Mark wrote: 
Was wondering, are there any automated tests, or processes, we could be running against our DNSsec domains serviced by Google Cloud DNS in order to provide additional stats and confidence that all is well?

There are a number of sites that you can use to check various features of DNSSEC, notably http://dnsviz.net/ and https://en.internet.nl/ among many others. However, they aren't really suitable for automation. You may find the API provided by Zonemaster to be useful (Zonalizer uses it, but I can't find the API docs). It may be easier to just use the https://github.com/dotse/zonemaster-cli to generate API queries, and/or https://github.com/dotse/dnssec-monitor (which has a Nagios plugin).

Another possibility for a simple red/green light would be to use the DNS-over-HTTPS API provided by Google Public DNS to query your domains and make sure that they are passing DNSSEC validation and working correctly for the ~10% of the internet using 8.8.8.8 et al. You could even use it to check for soon-to-expire (yellow light) conditions by querying explicitly for DNSKEY and RRSIG records (you'll have to parse the zone file format strings yourself).

I'm sure google people would be setting them up anyway, but would client side statistics help any?

We have internal monitoring and testing; statistics from external sources would not be practicable to integrate into our alerting systems, but for your own confidence (and to make sure that you haven't messed up some configuration) I would suggest that the time you spend setting up your own monitoring would not be wasted. Or you could use a third party monitoring solution like https://www.thousandeyes.com/lps/dns-monitoring—there are others; do a Google search and click on the ads!
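The "simple red/green light" Alex describes above, as an added example that is not part of this thread or of Google's own tooling: it issues the same name query to the Google Public DNS JSON API twice, once with validation on and once with `cd=1` (checking disabled), so that a SERVFAIL that disappears only when validation is turned off can be distinguished from a generic outage, then adds the "yellow light" by parsing the expiration field out of the RRSIG rdata. The endpoint `https://dns.google/resolve` and the JSON keys `Status`, `AD`, `Answer`, `type`, `data` are the real API; the sample responses, the zone name `example.test.`, the signature bytes and the clock value are constructed for the offline demo. The RRSIG timestamp parser accepts both the RFC 4034 `YYYYMMDDHHMMSS` presentation form and raw epoch seconds, since I am not asserting which form the API emits (an assumption, handled either way).

```python
"""Red / yellow / green DNSSEC check via the Google Public DNS JSON API (added example)."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

DOH_JSON_ENDPOINT = "https://dns.google/resolve"   # real endpoint of the JSON API
RRSIG_TYPE = 46                                     # RRTYPE number for RRSIG
WARN_SECONDS = 3 * 86400                            # yellow if a signature expires within 3 days


def fetch(name, rtype, cd=False):
    """Live network query; not exercised by the offline demo below."""
    params = {"name": name, "type": rtype}
    if cd:
        params["cd"] = "1"      # ask the resolver to skip DNSSEC validation
    url = DOH_JSON_ENDPOINT + "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def _to_epoch(token):
    """RRSIG expiration/inception: 14-digit YYYYMMDDHHMMSS (RFC 4034) or epoch seconds."""
    if len(token) == 14 and token.isdigit():
        dt = datetime.strptime(token, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(token)


def parse_rrsig_times(rdata):
    """Return (expiration, inception) epoch seconds from RRSIG presentation-format rdata.
    Field order per RFC 4034: type alg labels origttl expiration inception keytag signer sig."""
    fields = rdata.split()
    return _to_epoch(fields[4]), _to_epoch(fields[5])


def classify(validated, unvalidated, rrsig_response, now, warn_seconds=WARN_SECONDS):
    """validated: JSON answer with validation on; unvalidated: the same query with cd=1."""
    status = validated.get("Status")
    if status == 2 and unvalidated.get("Status") == 0:
        return "red", "SERVFAIL only with validation on: DNSSEC validation failure (bogus)"
    if status != 0:
        return "red", "query failed with RCODE %s" % status
    if not validated.get("AD"):
        return "red", "answer not authenticated (AD clear): zone unsigned or chain of trust broken"
    sigs = [rr for rr in rrsig_response.get("Answer", []) if rr.get("type") == RRSIG_TYPE]
    if not sigs:
        return "red", "no RRSIG records returned for a zone expected to be signed"
    soonest = min(parse_rrsig_times(rr["data"])[0] for rr in sigs)
    if soonest - now < warn_seconds:
        return "yellow", "earliest RRSIG expires in %d h" % ((soonest - now) // 3600)
    return "green", "validated; earliest RRSIG expiry in %d d" % ((soonest - now) // 86400)


def check_zone(name, now=None):
    """Live check of one name: A query with and without validation, plus its RRSIGs."""
    now = now if now is not None else int(datetime.now(timezone.utc).timestamp())
    return classify(fetch(name, "A"), fetch(name, "A", cd=True), fetch(name, "RRSIG"), now)


# ---- constructed sample responses (shape of the real API, values invented) ----
NOW = _to_epoch("20160805000000")
_A_RR = {"name": "example.test.", "type": 1, "TTL": 300, "data": "192.0.2.10"}
OK_RESPONSE = {"Status": 0, "AD": True, "Answer": [_A_RR]}          # validated fine
UNSIGNED_RESPONSE = {"Status": 0, "AD": False, "Answer": [_A_RR]}   # resolves, not authenticated
BOGUS_RESPONSE = {"Status": 2, "AD": False}                         # SERVFAIL under validation
RRSIG_GREEN = {"Status": 0, "AD": True, "Answer": [{"name": "example.test.", "type": RRSIG_TYPE,
    "TTL": 300, "data": "A 8 2 300 20160815120000 20160801120000 12345 example.test. c2lnbmF0dXJl"}]}
RRSIG_YELLOW = {"Status": 0, "AD": True, "Answer": [{"name": "example.test.", "type": RRSIG_TYPE,
    "TTL": 300, "data": "A 8 2 300 20160806120000 20160723120000 12345 example.test. c2lnbmF0dXJl"}]}

if __name__ == "__main__":
    print("healthy   :", classify(OK_RESPONSE, OK_RESPONSE, RRSIG_GREEN, NOW))
    print("expiring  :", classify(OK_RESPONSE, OK_RESPONSE, RRSIG_YELLOW, NOW))
    print("bogus     :", classify(BOGUS_RESPONSE, OK_RESPONSE, RRSIG_GREEN, NOW))
    print("unsigned  :", classify(UNSIGNED_RESPONSE, UNSIGNED_RESPONSE, RRSIG_GREEN, NOW))
```

Run against a real zone with `check_zone("yourzone.example")`; the `cd=1` comparison is what turns a bare SERVFAIL into an actionable "signatures or DS are wrong" signal, and the expiry window should be set shorter than the signer's re-sign interval so a stalled signer surfaces as yellow before resolvers start rejecting the zone.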

mrey...@greenpeace.org

Aug 6, 2016, 9:49:23 PM
to cloud-dns-discuss, mrey...@greenpeace.org
Thanks! Lots to do, and plenty of pointers there!

Reading more about DNSsec, it seems to be a recommendation to have a DNSsec Policy & Practice Statement. As described here :
http://www.internetsociety.org/deploy360/resources/dnssec-practice-statements/

Given the very high level security implications behind DNSsec, having a documented plan outlining your capable and effective DNSsec setup seems to be common sense.

So while every client of Google Cloud DNS + DNSsec, could/should have their own statement, since the Google Cloud DNS platform is doing all the 'heavy lifting' behind the scenes, (which is what makes it so attractive!) wouldn't it make sense for there to be a high level document along the same lines from Google Cloud Platform?

Of course, this would not likely be required until the GA stage, but maybe a draft during Beta would be good to get feedback?

Looking at the current GCP DNS SLA, it does not currently cover DNSsec, which is fair enough, since it did not exist then as an option.
https://cloud.google.com/dns/sla

This is the current Verisign DPS covering .com
http://www.verisign.com/assets/dps-com-dnssec-v1.1.pdf?inc=www.verisigninc.com

I am guessing that potential clients of this service will have many questions to do with standard operating practices, like key handling, backups, HSM, etc.

Looking into GCP DNS DNSsec competitors (AWS & Azure tbc) it seems that GCP DNS is ahead of the pack, so to speak, with making DNSsec available. It also seems that there are serious legislative reasons to offer the service, as discussed on this page.
https://feedback.azure.com/forums/217313-networking/suggestions/13284393-azure-dns-needs-dnssec-support

Given the demand for cloud based, easy to use and setup and maintain DNSsec, and the need for clarity regarding operations & security, having a GCP DNS DPS would make a great deal of sense.

regards
Mark

s...@momentum.io

Feb 14, 2017, 11:32:50 AM
to cloud-dns-discuss, mrey...@greenpeace.org
Hi all,

Very excited to hear about DNSSEC support! Where can we sign up for the alpha to help test and provide feedback?

We have a few beta domains we can get started with, as loyal users of previous alphas we understand the SLA impact and it does not bother us :)

-sam

Richard Woodbury

Feb 14, 2017, 5:16:50 PM
to cloud-dns-discuss, mrey...@greenpeace.org, s...@momentum.io
On Tuesday, February 14, 2017 at 11:32:50 AM UTC-5, s...@momentum.io wrote:
Very excited to hear about DNSSEC support! Where can we sign up for the alpha to help test and provide feedback?

To sign up, please see the original Alpha announcement: