[RPKI-Discuss] [Community-Discuss] 06 April 2019 RPKI incident - Postmortem report
mje at posix.co.za
Wed Apr 10 20:35:20 UTC 2019
I've been able to automate DNSSEC on my own systems.
DNSSEC is automated at the SLD's in ZA-Land - and keys are held in real
HSM's - which are secure.
I've been able to automate working with SSL Certificates with Let's
Encrypt. This had to be automated as the Certificates are renewed every
two month and I have a large number of web and some e-mail sites using
SSL Certificates combined with DNSSEC means I also run DANE.
It must be possible to automate - even if it means connecting a timer
switch to the machine to power up the Offline CA server. Once up - it
should be able to then power up a usually dead Ethernet port with
internal only IP addresses - etc - at a particular time to transfer the
necessary files - that is - the switching on (and off) and file copy can
be*initiated from inside *the secured location automatically and
autonomously. Isn't that what the human operators are meant to, as such, do?
Please think out of the box - I have an automated watering system that
waters the garden at night, switching on a bore hole and then passing
the water through nine different watering circuits, some for 20 minutes
and others for ten minutes - but only if the ground is initially dry (as
in no recent rain). You should be able to get a stand-alone (not
controlled by a computer) switch that will turn on once a month.
Automation should be preferred over human intervention. The scripts I
run generate quite a lot of debugging/tracing output - so I can see that
everything runs OK and will defer actual updates if checks are not
passed. If necessary, I can then intervene.
Getting DNSSEC to work reliably took a year or so and working with Let's
Encrypt also took the best part of a year - as neither are daily events.
Automation over time should be possible though.
Note; the only DNSSEC that I still have to process manually is when
updating DS records at AFRINIC for number resources via the my.afrinic
On 2019/04/10 21:29, Noah wrote:
> On Wed, Apr 10, 2019 at 10:25 PM Amreesh Phokeer <amreesh at afrinic.net
> <mailto:amreesh at afrinic.net>> wrote:
> Hi Noah,
> > On 10 Apr 2019, at 23:13, Noah <noah at neo.co.tz
> <mailto:noah at neo.co.tz>> wrote:
> > Just curious could a bash/python script + cron locally on the
> Offline CA box achieve the same level of automation monthly
> without any manual intervention from humans.
> > The human manual involvement can still be automated local to the
> same offline box imho.
> No because:
> (1) the Offline CA is kept offline (shutdown) in a secured
> environment and brought up only at the time of the refresh.
> There is not way to automate this bruh....
> (2) the box is not physically connected, so the CRLs and MFTs
> files need to be copied manually to the online repository.
> Understood.... in this case the humans need to be automated so that
> they are more efficient until such time when the robots will replace
> humans :-)
> RPKI-Discuss mailing list
> RPKI-Discuss at afrinic.net
Mark James ELKINS - Posix Systems - (South) Africa
mje at posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the RPKI-Discuss