DNS Root Zone KSK2017 Rollover | CentOS 7 | Bind


Just as passwords are changed periodically, ICANN has decided to roll over the DNS root zone KSK from KSK2010 to KSK2017. The root zone Key Signing Key (KSK) is the top cryptographic key in the DNSSEC chain of trust.


Affected Systems

You need to care about this if:

✔ You are running a recursive/caching-only DNS server

✔ Your DNS server is doing DNSSEC validation

How can you be sure your DNS server is validating DNSSEC? Run the command below from a shell on your DNS server:

#dig @localhost dnssec-failed.org a +dnssec | grep HEADER
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28119

If status is SERVFAIL, DNSSEC validation is enabled (dnssec-failed.org is deliberately signed incorrectly, so a validating resolver refuses to answer).

If status is NOERROR, DNSSEC validation is disabled.

Okay, I need to bother. What now?


Solution Steps

The easiest way to prepare your server for KSK-2017 is to make it compatible with "Automated Updates of DNS Security (DNSSEC) Trust Anchors" (RFC 5011) and let the automated update roll out. The following steps are specific to the Red Hat family.

1. Make sure the latest bind packages are installed, or at least version 9.9.

# yum install bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.dhakacom.com
* epel: ftp.cuhk.edu.hk
* extras: mirror.dhakacom.com
* updates: mirror.dhakacom.com
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2. Make sure dnssec-validation auto; is configured in the options section of /etc/named.conf. You need to restart the named service if you make any change.

That’s it !



Your managed keys should contain KSK2017 (key tag 20326):

# cat /etc/named.root.key 
managed-keys {
        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        # This key (19036) is to be phased out starting in 2017. It will
        # remain in the root zone for some time after its successor key
        # has been added. It will remain this file until it is removed from
        # the root zone.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";

        # This key (20326) is to be published in the root zone in 2017.
        # Servers which were already using the old key should roll to the
        # new one seamlessly.  Servers being set up for the first time
        # can use either of the keys in this file to verify the root keys
        # for the first time; thereafter the keys in the zone will be
        # trusted and maintained automatically.
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
#  cat /var/named/dynamic/managed-keys.bind
$TTL 0  ; 0 seconds
@                       IN SOA  . . (
                                244        ; serial
                                0          ; refresh (0 seconds)
                                0          ; retry (0 seconds)
                                0          ; expire (0 seconds)
                                0          ; minimum (0 seconds)
                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                ) ; KSK; alg = RSASHA256; key id = 19036
                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                ) ; KSK; alg = RSASHA256; key id = 20326
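The key tags 19036 and 20326 above can be recomputed from the DNSKEY RDATA (RFC 4034, Appendix B), which is a quick way to confirm what a named.root.key file really carries. The following Python is an added example, not part of the original post or of BIND; it parses a copy of the managed-keys stanza shown above (comments dropped) and checks that KSK-2017 is present.

```python
import base64
import re
import struct

# Copy of the two trust anchors from the /etc/named.root.key listing above, with
# the comments dropped; the spaces inside each quoted key are as BIND writes them.
NAMED_ROOT_KEY = '''
managed-keys {
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
};
'''

KEY_RE = re.compile(
    r'^\s*(\S+)\s+initial-key\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;', re.MULTILINE)

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B: a 16-bit sum over the DNSKEY RDATA
    (flags, protocol, algorithm, public key) with the carry folded in once.
    Valid for every algorithm except the obsolete RSA/MD5 (algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_trust_anchors(text):
    """One dict per initial-key statement, including its computed key tag."""
    anchors = []
    for name, flags, proto, alg, b64 in KEY_RE.findall(text):
        flags, proto, alg = int(flags), int(proto), int(alg)
        pubkey = base64.b64decode("".join(b64.split()))  # drop BIND's line wrapping
        anchors.append({"name": name, "flags": flags, "algorithm": alg,
                        "tag": key_tag(flags, proto, alg, pubkey)})
    return anchors

def has_ksk2017(text):
    """True when a root KSK (flags 257: zone key + SEP bit) with tag 20326 is present."""
    return any(a["name"] == "." and a["flags"] == 257 and a["tag"] == 20326
               for a in parse_trust_anchors(text))

if __name__ == "__main__":
    for anchor in parse_trust_anchors(NAMED_ROOT_KEY):
        print(anchor)
    print("KSK-2017 (20326) configured:", has_ksk2017(NAMED_ROOT_KEY))
```

The same function can be pointed at the contents of /var/named/dynamic/managed-keys.bind only after converting its KEYDATA records, so the named.root.key file is the simpler input.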



  • https://www.youtube.com/watch?v=d7H1AkC9PIw
  • https://kb.isc.org/article/AA-01529/169/KSK-2010-Rollover.html
  • https://www.icann.org/dns-resolvers-updating-latest-trust-anchor
  • https://www.rfc-editor.org/rfc/rfc8145.txt

IPv6 Reverse DNS Delegation Zone (BIND)

/etc/named.conf options

options {
        listen-on port 53 {; };
        listen-on-v6 port 53 { ::1; 2000:5a40:0:1::136; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; 2000:5a40::/32; };
        allow-query-cache { localhost; 2000:5a40::/32; };
        recursion yes;
};

Zone declaration in /etc/named.conf

zone "0.4.a." IN {
        type master;
        file "reverse-2000:5A40";
        allow-update { none; };
        allow-query { any; };
};

Zone file

$TTL 1h ; Default TTL
@ IN SOA ns1.jalam.me. jasim.alam.jalam.me. (
        2018062401 ; serial
        1h         ; slave refresh interval
        15m        ; slave retry interval
        1w         ; slave copy expire time
        1h )       ; NXDOMAIN cache time

; domain name servers
@ IN NS ns1.jalam.me.

; IPv6 PTR entries (owner = the host nibbles of each address, reversed; fill in per host)
<reversed-nibbles-of-host1> IN PTR host1.jalam.me.
<reversed-nibbles-of-host2> IN PTR host2.jalam.me.


Don't forget to restart the BIND service

# systemctl restart named


#named-checkconf /etc/named.conf 
# named-checkzone 0.4.a.  /var/named/reverse-2000\:5A40 
zone 0.4.a. loaded serial 2018062401 OK
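Writing the nibble-reversed owner names for a reverse zone by hand is error-prone. The Python below is an added example, not part of the original post: it derives the ip6.arpa apex for the delegated prefix 2000:5a40::/32 and the relative PTR owner names for the hosts in the zone file above; the address-to-hostname map is constructed for illustration.

```python
import ipaddress

# The delegated prefix from the post; its reverse zone apex is the first
# 32 bits (8 nibbles) of the prefix, reversed, under ip6.arpa.
ZONE_PREFIX = ipaddress.IPv6Network("2000:5a40::/32")

# Constructed address-to-hostname map for the two PTR entries in the zone file.
HOSTS = {"2000:5a40:0:1::136": "host1.jalam.me.",
         "2000:5a40:0:12::1": "host2.jalam.me."}

def nibbles(address):
    """All 32 hex nibbles of an IPv6 address, most significant first."""
    return ipaddress.IPv6Address(address).exploded.replace(":", "")

def zone_apex(prefix):
    """ip6.arpa apex for a prefix; reverse delegations fall on 4-bit boundaries."""
    if prefix.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    head = nibbles(str(prefix.network_address))[: prefix.prefixlen // 4]
    return ".".join(reversed(head)) + ".ip6.arpa."

def ptr_owner(address, prefix):
    """PTR owner name relative to the zone apex: the host nibbles, reversed."""
    if ipaddress.IPv6Address(address) not in prefix:
        raise ValueError(f"{address} is outside {prefix}")
    tail = nibbles(address)[prefix.prefixlen // 4:]
    return ".".join(reversed(tail))

def ptr_records(hosts, prefix=ZONE_PREFIX):
    """Zone-file PTR lines for {address: fqdn}, relative to the zone apex."""
    return [f"{ptr_owner(addr, prefix)} IN PTR {fqdn}" for addr, fqdn in hosts.items()]

if __name__ == "__main__":
    print(f'zone "{zone_apex(ZONE_PREFIX)}"')
    print("\n".join(ptr_records(HOSTS)))
```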


Some useful tools:

  • http://www.zytrax.com/books/dns/ch3/#ipv6-tool-rev
  • http://rdns6.com/zone


Regenerating Link Local IPv6 Addresses in Mikrotik

A link-local IPv6 address is generated automatically on every interface once the IPv6 package is enabled. To enable IPv6 you may follow this post.

[admin@Mikrotik] > /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
0 DL fe80::e97:42ff:fef5:7a00/64 ether1 
1 DL fe80::e97:42ff:fef5:7a03/64 ether4 
2 DL fe80::e97:42ff:fef5:7a01/64 ether2 
3 DL fe80::e97:42ff:fef5:7a02/64 ether3 
4 DL fe80::dcac:40ff:feed:b345/64 loopback-1

Unlike IPv4, IPv6 link-local addresses are essential for routing (neighbor discovery and next-hop resolution depend on them), so removing one by mistake breaks routing on that interface.

[admin@Mikrotik] > /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
0 DL fe80::e97:42ff:fef5:7a03/64 ether4 
1 DL fe80::e97:42ff:fef5:7a01/64 ether2 
2 DL fe80::e97:42ff:fef5:7a02/64 ether3 
3 DL fe80::dcac:40ff:feed:b345/64 loopback-1 
4 G 2000:5a40:0:11::2/126 ether1

As you can see, although a static global IPv6 address is still configured on ether1, its link-local address is gone and the address shows as unreachable.

How do you regenerate the link-local IPv6 address on Mikrotik after it has been deleted?

The solution is quite simple: reset (disable and re-enable) the interface. This applies to all interface types (Ethernet/VLAN/bridge). For minimum impact on live traffic you may try the following one-liner:

/interface ethernet disable 0; enable 0


[admin@Mikrotik] /interface ethernet> /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
0 DL fe80::e97:42ff:fef5:7a03/64 ether4 no 
1 DL fe80::e97:42ff:fef5:7a01/64 ether2 no 
2 DL fe80::e97:42ff:fef5:7a02/64 ether3 no 
3 DL fe80::dcac:40ff:feed:b345/64 lo-1 no 
4 G 2000:5a40:0:11::2/126 ether1 no 
5 DL fe80::e97:42ff:fef5:7a00/64 ether1 no 


DHCPv6: CentOS 7 Server & Mikrotik Client

IPv6 DHCP configuration with CentOS 7 as DHCP server and Mikrotik as DHCPv6 client.

Note: It is assumed that you have already configured an IPv6 address from the subnet on the server interface. You may follow this guide.

Subnet:  2000:5a40:0:12::/64

Gateway IP: 2000:5a40:0:12::1/64

Subnet Range: 2000:5a40:0:12::100-200


  1. Verify that the DHCP package is installed:
# yum list installed | grep dhcp

dhcp.x86_64 12:4.2.5-68.el7.centos.1 @updates
dhcp-common.x86_64 12:4.2.5-68.el7.centos.1 @updates
dhcp-libs.x86_64 12:4.2.5-68.el7.centos.1 @updates

If it is not installed, install it via yum:

# yum install -y dhcp


2. Edit configuration file and restart service

# vi /etc/dhcp/dhcpd6.conf

default-lease-time 3600; # 1 hour
max-lease-time 86400; # 1 day
allow leasequery;
dhcpv6-lease-file-name "/var/lib/dhcpd/dhcpd6.leases";

subnet6 2000:5a40:0:12::/64 {
        # either of the following range declaration formats is supported
        #range6 2000:5a40:0:12::100 2000:5a40:0:12::200;
        range6 2000:5a40:0:12::100/120;
        option dhcp6.name-servers 2001:4860:4860::8888;
        option dhcp6.domain-search "jalam.me";
}

# systemctl start dhcpd6

# systemctl enable dhcpd6


3. Mikrotik client configuration

IPv6 is disabled on Mikrotik by default.

(Screenshot: Mikrotik default package status)

If it is disabled, enable the package and reboot the router.

Configuration on Mikrotik:

[admin@Mikrotik] > /ipv6 dhcp-client add interface=ether2 request=address


4. Verification

On Mikrotik:

[admin@Mikrotik] > /ipv6 dhcp-client print 

Flags: D - dynamic, X - disabled, I - invalid 
0 ether2      bound    address           2000:5a40:0:12::1d6, 51m45s 

[admin@Mikrotik] > /ipv6 address print 
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local 
0 DL fe80::e97:42ff:fef5:7a00/64             ether1     no 
1 DL fe80::e97:42ff:fef5:7a02/64             ether3     no 
2 DL fe80::e97:42ff:fef5:7a03/64             ether4     no 
3 DL fe80::e97:42ff:fef5:7a01/64             ether2     no 
4 DG 2401:5a40:0:12::1d6/64                  ether2     no 

[admin@Mikrotik] > ping 2401:5a40:0:12::1 count=1 

SEQ  HOST               SIZE   TTL   TIME   STATUS 
0    2401:5a40:0:12::1   56    64    3ms    echo reply 

sent=1 received=1 packet-loss=0% min-rtt=3ms avg-rtt=3ms max-rtt=3ms 

On the server:

# cat /var/lib/dhcpd/dhcpd6.leases

# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.5

server-duid "\000\001\000\001\"\265\204\217\000\014)\\f\025";

ia-na "\002\000\000\000\000\003\000\001\014\227B\365z\000" {
  cltt 5 2018/06/15 10:42:22;
  iaaddr 2000:5a40:0:12::1d6 {
    binding state active;
    preferred-life 2250;
    max-life 3600;
    ends 5 2018/06/15 11:42:22;
  }
}
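The dhcpd6.conf in step 2 offers the pool in two range6 syntaxes. As an added example (not from the post or from ISC dhcpd), the Python below uses the standard ipaddress module to work out the first address, last address and size of each form, so the two can be compared before the server is started.

```python
import ipaddress

# The two range6 declarations from the dhcpd6.conf in step 2.
CIDR_FORM = "range6 2000:5a40:0:12::100/120;"
EXPLICIT_FORM = "range6 2000:5a40:0:12::100 2000:5a40:0:12::200;"

def range6_bounds(statement):
    """Return (first, last, count) for a dhcpd range6 statement in either form:
    'range6 <low> <high>;' or 'range6 <prefix>/<len>;'."""
    tokens = statement.strip().rstrip(";").split()
    if not tokens or tokens[0] != "range6":
        raise ValueError(f"not a range6 statement: {statement!r}")
    if len(tokens) == 2 and "/" in tokens[1]:
        # CIDR form: every address in the block, from network to last address
        net = ipaddress.IPv6Network(tokens[1], strict=False)
        return net[0], net[-1], net.num_addresses
    if len(tokens) == 3:
        low, high = (ipaddress.IPv6Address(t) for t in tokens[1:])
        if high < low:
            raise ValueError("range6 high bound is below the low bound")
        return low, high, int(high) - int(low) + 1
    raise ValueError(f"unsupported range6 form: {statement!r}")

def same_pool(a, b):
    """True only when both statements hand out exactly the same addresses."""
    return range6_bounds(a)[:2] == range6_bounds(b)[:2]

if __name__ == "__main__":
    for stmt in (CIDR_FORM, EXPLICIT_FORM):
        low, high, count = range6_bounds(stmt)
        print(f"{stmt:<55} -> {low} .. {high} ({count} addresses)")
    print("identical pools:", same_pool(CIDR_FORM, EXPLICIT_FORM))
```

With the values above the /120 form covers ::100 through ::1ff (256 addresses) while the explicit form ends at ::200 (257 addresses), so the two declarations are not interchangeable.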



  • https://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/ch22s06.html
  • https://wiki.mikrotik.com/wiki/Manual:IPv6/DHCP_Client


Static IPv6 Configuration on CentOS 7

  1. Enabling IPv6

IPv6 is enabled on CentOS 7 by default. You can verify its status:

# cat /proc/net/if_inet6 

00000000000000000000000000000001 01 80 10 80       lo
24015a40000000120000000000000100 02 40 00 80    ens33
fe80000000000000020c29fffe5c6601 03 40 20 80    ens38
fe80000000000000020c29fffe5c66f7 02 40 20 80    ens33
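Each if_inet6 line is address, interface index, prefix length, scope and flags (all hexadecimal) followed by the interface name. The Python below is an added example, not part of the original post; it decodes the four lines shown above (embedded as a constructed string) into readable addresses, scopes and flags.

```python
import ipaddress

# The four entries shown above, as one constructed string in /proc/net/if_inet6 layout:
# <address hex> <ifindex> <prefixlen> <scope> <flags> <interface>, all but the name in hex.
IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80 lo
24015a40000000120000000000000100 02 40 00 80 ens33
fe80000000000000020c29fffe5c6601 03 40 20 80 ens38
fe80000000000000020c29fffe5c66f7 02 40 20 80 ens33
"""

# Scope values from the kernel's include/net/ipv6.h (IPV6_ADDR_* scope bits).
SCOPES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}
# Address flags from include/uapi/linux/if_addr.h (IFA_F_*).
FLAGS = {0x01: "temporary", 0x02: "nodad", 0x04: "optimistic", 0x08: "dadfailed",
         0x10: "homeaddress", 0x20: "deprecated", 0x40: "tentative", 0x80: "permanent"}

def parse_if_inet6(text):
    """Decode each if_inet6 line into a dict with a compressed textual address."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or damaged lines
        raw, ifindex, plen, scope, flags, name = fields
        entries.append({
            "address": str(ipaddress.IPv6Address(int(raw, 16))),
            "ifindex": int(ifindex, 16),
            "prefixlen": int(plen, 16),
            "scope": SCOPES.get(int(scope, 16), f"unknown(0x{scope})"),
            "flags": [n for bit, n in FLAGS.items() if int(flags, 16) & bit],
            "interface": name,
        })
    return entries

def global_addresses(text):
    """(interface, address/prefixlen) for global-scope addresses that passed DAD."""
    return [(e["interface"], f"{e['address']}/{e['prefixlen']}")
            for e in parse_if_inet6(text)
            if e["scope"] == "global" and "tentative" not in e["flags"]]

if __name__ == "__main__":
    for entry in parse_if_inet6(IF_INET6):
        print(entry)
    print("global:", global_addresses(IF_INET6))
```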

If /proc/net/if_inet6 doesn't exist, try to load the kernel module:

# modprobe ipv6
# lsmod | grep ipv6

or add a grub entry (reboot required):

# echo 'GRUB_CMDLINE_LINUX="ipv6.disable=0"' >> /etc/default/grub
# grub2-mkconfig -o /boot/grub2/grub.cfg
# shutdown -r now

Also make sure IPv6 isn't disabled manually via sysctl:

# sysctl -w net.ipv6.conf.all.disable_ipv6=0
# sysctl -w net.ipv6.conf.default.disable_ipv6=0

To keep the setting across reboots, put the same two keys with value 0 in /etc/sysctl.conf and reload it:

# sysctl -p


2. Configuring static IPv6. 
# vi /etc/sysconfig/network-scripts/ifcfg-ens33

#append below lines

# systemctl disable NetworkManager
# systemctl stop NetworkManager
# systemctl enable network
# systemctl start network

3. Verification
# ip a s | grep inet6

inet6 ::1/128 scope host 
inet6 2000:5a40:0:12::100/64 scope global 
inet6 fe80::20c:29ff:fe5c:66f7/64 scope link 
inet6 fe80::20c:29ff:fe5c:6601/64 scope link

#ip -6 add show | grep inet6

inet6 ::1/128 scope host 
inet6 2000:5a40:0:12::100/64 scope global 
inet6 fe80::20c:29ff:fe5c:66f7/64 scope link 
inet6 fe80::20c:29ff:fe5c:6601/64 scope link

#ip -6 route show

unreachable ::/96 dev lo metric 1024 error -113 
2000:5a40:0:12::/64 dev ens33 proto kernel metric 256 
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 
fe80::/64 dev ens33 proto kernel metric 256 
fe80::/64 dev ens38 proto kernel metric 256
default via 2000:5a40:0:12::1 dev eth1 metric 1 pref medium

# ping6 2000:5a40:0:12::1 -c 1

PING 2000:5a40:0:12::1(2000:5a40:0:12::1) 56 data bytes
64 bytes from 2000:5a40:0:12::1: icmp_seq=1 ttl=64 time=2.03 ms

--- 2000:5a40:0:12::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.032/2.032/2.032/0.000 ms


Secure Zimbra Server from Memcached Attack

The Memcached amplification vulnerability made a big fuss this year. Zimbra uses Memcached for distributed memory caching in proxy deployments. Out of the box, Zimbra acts as an open Memcached service, listening on all interfaces and responding to every request.

Checking Vulnerability

To check whether your server is vulnerable:

Telnet from outside your network. If the following command connects and shows a blank screen, the server is vulnerable:

 telnet <IP of zimbra server> 11211

or run Nmap from outside your network:

nmap <IP of zimbra server> -p 11211 --script memcached-info

Sample Nmap result from a vulnerable server:

(Screenshot: Nmap memcached-info output from a vulnerable server)


Any one of the following methods can be used:

  1. If the server is behind a firewall, drop all incoming and outgoing connections on TCP/UDP port 11211 from untrusted zones to the DMZ zone.
  2. If the server isn't behind a firewall and you are running netfilter, you can use the following iptables rules. Replace <trusted-network> with the address or CIDR block of the hosts that legitimately talk to Memcached. Since -I inserts at the top of the chain, the DROP rules are added first so that the ACCEPT rules end up above them.
iptables -I INPUT -p udp --dport 11211 -j DROP
iptables -I INPUT -p tcp --dport 11211 -j DROP
iptables -I INPUT -p udp -s <trusted-network> --dport 11211 -j ACCEPT
iptables -I INPUT -p tcp -s <trusted-network> --dport 11211 -j ACCEPT
service iptables save

3. If you don't want to use either of the above, you can simply make the Zimbra Memcached service listen on localhost only:

su - zimbra
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedBindAddress 127.0.0.1
/opt/zimbra/bin/zmprov ms `zmhostname` zimbraMemcachedClientServerList 127.0.0.1
zmmemcachedctl restart

(Screenshot: Memcached listening status before the change)

(Screenshot: Memcached listening status after the change)



Run the same Nmap script again. It should look like this:

(Screenshot: Nmap verification after the change)
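The before/after screenshots show the listening sockets on the host. The Python below is an added example, not from the post or from Zimbra: it runs the same check over constructed lines in the layout of ss -Hltnup (not captured from a real server) and flags any Memcached socket bound to something other than a loopback address, which is the condition the Nmap scan detects from outside.

```python
import re

# Constructed sample output in the layout of `ss -Hltnup` on the Zimbra host,
# before and after the change; it is not captured from a real server.
BEFORE = """\
udp  UNCONN 0  0        0.0.0.0:11211  0.0.0.0:*  users:(("memcached",pid=1234,fd=26))
tcp  LISTEN 0  1024     0.0.0.0:11211  0.0.0.0:*  users:(("memcached",pid=1234,fd=27))
tcp  LISTEN 0  1024        [::]:11211     [::]:*  users:(("memcached",pid=1234,fd=28))
tcp  LISTEN 0  128      0.0.0.0:443    0.0.0.0:*  users:(("nginx",pid=2222,fd=6))
"""
AFTER = """\
tcp  LISTEN 0  1024   127.0.0.1:11211  0.0.0.0:*  users:(("memcached",pid=1234,fd=27))
tcp  LISTEN 0  128      0.0.0.0:443    0.0.0.0:*  users:(("nginx",pid=2222,fd=6))
"""

LOOPBACK = {"127.0.0.1", "[::1]"}
# netid, state, recv-q, send-q, then local address:port; the greedy \S+ keeps
# bracketed IPv6 literals such as [::] intact and the port is the last number.
SOCKET_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def exposed_memcached(ss_output, port=11211):
    """Return (protocol, local address) for every socket on `port` that is
    bound to anything other than a loopback address."""
    findings = []
    for line in ss_output.splitlines():
        m = SOCKET_RE.match(line)
        if not m or int(m.group(3)) != port:
            continue
        proto, addr = m.group(1), m.group(2)
        if addr not in LOOPBACK:
            findings.append((proto, addr))
    return findings

if __name__ == "__main__":
    print("before:", exposed_memcached(BEFORE) or "nothing exposed")
    print("after: ", exposed_memcached(AFTER) or "nothing exposed")
```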


References:

  1. https://wiki.zimbra.com/wiki/Blocking_Memcached_Attack
  2. https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/