[RPKI-Discuss] [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report

Mark Elkins mje at posix.co.za
Wed Apr 10 20:35:20 UTC 2019


I've been able to automate DNSSEC on my own systems.
DNSSEC is automated at the SLDs in ZA-Land - and keys are held in real 
HSMs - which are secure.

I've been able to automate working with SSL Certificates with Let's 
Encrypt. This had to be automated as the Certificates are renewed every 
two months and I have a large number of web and some e-mail sites using 
SSL certificates.
SSL Certificates combined with DNSSEC means I also run DANE.

It must be possible to automate - even if it means connecting a timer 
switch to the machine to power up the Offline CA server. Once up - it 
should be able to then power up a usually dead Ethernet port with 
internal only IP addresses - etc -  at a particular time to transfer the 
necessary files - that is - the switching on (and off) and file copy can 
be *initiated from inside* the secured location automatically and 
autonomously. Isn't that what the human operators are meant to, as such, do?

Please think out of the box - I have an automated watering system that 
waters the garden at night, switching on a bore hole and then passing 
the water through nine different watering circuits, some for 20 minutes 
and others for ten minutes - but only if the ground is initially dry (as 
in no recent rain). You should be able to get a stand-alone (not 
controlled by a computer) switch that will turn on once a month.

Automation should be preferred over human intervention. The scripts I 
run generate quite a lot of debugging/tracing output - so I can see that 
everything runs OK and will defer actual updates if checks are not 
passed. If necessary, I can then intervene.

Getting DNSSEC to work reliably took a year or so and working with Let's 
Encrypt also took the best part of a year - as neither are daily events.
Automation over time should be possible though.

Note: the only DNSSEC that I still have to process manually is when 
updating DS records at AFRINIC for number resources via the my.afrinic 
website. :-(


On 2019/04/10 21:29, Noah wrote:
>
>
> On Wed, Apr 10, 2019 at 10:25 PM Amreesh Phokeer <amreesh at afrinic.net 
> <mailto:amreesh at afrinic.net>> wrote:
>
>     Hi Noah,
>
>     > On 10 Apr 2019, at 23:13, Noah <noah at neo.co.tz
>     <mailto:noah at neo.co.tz>> wrote:
>     >
>     > Just curious could a bash/python script + cron locally on the
>     Offline CA box achieve the same level of automation monthly
>     without any manual intervention from humans.
>     >
>     > The human manual involvement can still be automated local to the
>     same offline box imho.
>
>     No because:
>     (1) the Offline CA is kept offline (shutdown) in a secured
>     environment and brought up only at the time of the refresh.
>
>
> There is no way to automate this bruh....
>
>     (2) the box is not physically connected, so the CRL and MFT
>     files need to be copied manually to the online repository.
>
>
> Understood.... in this case the humans need to be automated so that 
> they are more efficient until such time when the robots will replace 
> humans :-)
>
>
>>     Amreesh
>
>

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
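The refresh job sketched in the message above (timer powers the box up, the internal-only port comes up only for the transfer, the copy is initiated from inside the secure zone, updates are deferred when checks fail, and everything is traced), written out as an added example. It is not code from the thread, from AFRINIC or from any RPKI CA product, and the file names ca.crl/ca.mft, the directories, the interface name eth1, the repository address and the use of rsync over ssh are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a refresh job for an offline RPKI CA
# that an external timer powers up once a month. Everything is initiated
# from inside the secure zone: the internal-only port is raised only for the
# transfer, the CRL and manifest are pushed only if they pass checks, and
# every step is logged so an operator can review the run afterwards.
# Hypothetical names: ca.crl / ca.mft in OUT_DIR, interface eth1, REPO address.

OUT_DIR="${OUT_DIR:-/var/lib/offline-ca/out}"       # where the CA writes ca.crl and ca.mft
STATE_DIR="${STATE_DIR:-/var/lib/offline-ca/state}" # holds the stamp of the last push
IFACE="${IFACE:-eth1}"                              # internal-only port, normally down
REPO="${REPO:-repo@10.0.0.2:/srv/rpki/repo/}"       # hypothetical internal-only address
LOG="${LOG:-}"                                      # set to a file path to keep a log
DRY_RUN="${DRY_RUN:-0}"                             # 1: no link changes and no push

# log MSG: timestamped trace to stderr, and to $LOG when one is configured.
log() {
  line="$(date -u +%Y-%m-%dT%H:%M:%SZ) $*"
  printf '%s\n' "$line" >&2
  if [ -n "$LOG" ]; then printf '%s\n' "$line" >> "$LOG"; fi
}

# check_outputs DIR STAMP: succeed only if each required file exists, is
# non-empty, and is newer than the stamp left by the last successful push.
check_outputs() {
  dir=$1; stamp=$2; bad=0
  for f in ca.crl ca.mft; do
    p="$dir/$f"
    if [ ! -s "$p" ]; then
      log "check failed: $p missing or empty"; bad=1; continue
    fi
    if [ -e "$stamp" ] && [ ! "$p" -nt "$stamp" ]; then
      log "check failed: $p is not newer than the last push"; bad=1
    fi
  done
  return "$bad"
}

# Raise the internal-only port for the transfer window and drop it again.
link_up()   { [ "$DRY_RUN" = 1 ] || ip link set "$IFACE" up; }
link_down() { [ "$DRY_RUN" = 1 ] || ip link set "$IFACE" down; }

# push_outputs DIR: copy the files to the online repository (rsync over ssh
# with a key restricted to that directory is assumed here).
push_outputs() {
  if [ "$DRY_RUN" = 1 ]; then
    log "dry-run: would push $1/ca.crl and $1/ca.mft to $REPO"; return 0
  fi
  rsync -a --checksum "$1/ca.crl" "$1/ca.mft" "$REPO"
}

# refresh: the whole job. Returns 0 = pushed, 2 = deferred because the checks
# failed (nothing left the box), 3 = push failed (the link is dropped anyway).
refresh() {
  stamp="$STATE_DIR/last-push"
  mkdir -p "$STATE_DIR"
  log "refresh start (dry-run=$DRY_RUN)"
  if ! check_outputs "$OUT_DIR" "$stamp"; then
    log "deferring: outputs failed checks, nothing pushed"
    return 2
  fi
  link_up
  rc=0
  push_outputs "$OUT_DIR" || rc=3
  link_down
  if [ "$rc" -eq 0 ]; then
    touch "$stamp"; log "push ok, stamp updated"
  else
    log "push failed (rc=$rc), stamp not updated"
  fi
  return "$rc"
}

# Entry point when saved as offline-ca-refresh.sh and started from a boot-time
# unit or cron once the timer has powered the box up. On the real box a
# 'poweroff' after the job lets the timer's off-cycle find it already halted.
case "${0##*/}" in
  offline-ca-refresh.sh) refresh; exit $? ;;
esac
```

Run it once by hand with DRY_RUN=1 and a LOG path to see the trace before wiring it to the timer; the deferral path is the important one, since a failed check means the old CRL and manifest stay in place until an operator looks at the log.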
