Mark Andrews wrote:
How are folks verifying DNSSEC readiness of their environments? Any
existing testing methodologies / resources that folks are using?
It seems like this is something that will become a front and center
issue for help desks everywhere pretty quick. Ideally the more we can
stave off issues through proactive testing/fixing the better.
Make the following queries from your recursive servers. If you
force the query source in the nameserver add a "-b <address>" to
dig -4 ns . +norec @l.root-servers.net
dig -4 ns . +dnssec +cd +norec @l.root-servers.net
dig -4 any . +dnssec +cd +norec @l.root-servers.net
dig -4 any . +dnssec +cd +norec @l.root-servers.net +vc
If any of them fail you need to fix your middleware and / or firewall
on the box.
The first +dnssec query checks that unfragmented DNSSEC responses
over 512 bytes are passed. I get 801 bytes today when I run this
The second +dnssec query checks that fragmented DNSSEC responses are
passed. I get 1906 bytes today when I run this test.
The third +dnssec query checks that DNSSEC responses over TCP are
The non +dnssec query is a control query to check that you can reach
Repeat for IPv6.
dig -6 ns . +norec @l.root-servers.net
dig -6 ns . +dnssec +cd +norec @l.root-servers.net
dig -6 any . +dnssec +cd +norec @l.root-servers.net
dig -6 any . +dnssec +cd +norec @l.root-servers.net +vc
Thank you. That's a nice quick/dirty test.
All 4 commands worked.
If folks are curious, my setup is Ubuntu 9.10 client, Ubuntu 9.10 server
running BIND and a Cisco 1841 running 12.4(18). I don't have a Windows
box handy to test on. How would one test with nslookup anyway? Or does
it only matter if the local DNS server can do the lookup and clients
will just work? Though one would still need to test from Windows if you
have AD for DNS I suppose. *shrugs*
Ok.... that's the client side.
How about the server side?
I'm currently using my registrar's DNS servers. I haven't seen anything
in their control panel about DNSSEC. One item on my TODO list is to move
DNS to my BIND servers.
Quick search turns up
[Debian Sarge] Installing A Bind9 Master/Slave DNS System which
mentions a few commands and a couple of stanzas. Is that all it takes?
How do you verify that you are .... compliant? complete? I mean SSL
based PKI is pretty straightforward and I understand it and can verify
that I'm compliant/complete (run my own CA, issue certs, delegate trust
etc). Guess I need to do more reading on DNSSEC and how to integrate
into the global DNSSEC infrastructure (such as it is and will emerge to
be). I have a test domain that I use for things like this. I would like
to set up DNSSEC and then positively/negatively test it. Just not sure
how. Presumably one should attempt to MITM the request and make sure the
resolver complains yes?
This is at my home network and as such I have a great degree of
latitude. For folks who have managers to report to, what are the
justifications for deploying DNSSEC?
I think one would do it in stages
1) Make sure their infrastructure can at least handle the DNS protocol
changes that DNSSEC brings about (i.e. the 4 test commands above pass)
2) Implement a parallel environment with and without DNSSEC (is this
3) Sign their records.
Anyway just some thoughts.
Thanks to folks who have responded so far.
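The four dig checks Mark Andrews lists above, wrapped in a small POSIX shell script as an added example (not code from the thread), so that each check reports PASS or FAIL and a truncated, filtered or timed-out reply cannot count as success. It assumes dig is installed and no forced query source is in use (add -b there if you do); the pass thresholds of 513 bytes (over 512) and 1473 bytes (more than fits in one 1500-byte frame over IPv4) are my assumptions, not figures from the thread. The live queries run only when the script is invoked with -4 or -6.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dig is installed and no -b source
# address is forced. Thresholds 513 and 1473 are assumptions (see lead-in).
ROOT=l.root-servers.net

# Pull the reply size out of captured dig output (";; MSG SIZE  rcvd: 801").
msg_size() {
    sed -n 's/.*MSG SIZE[ ]*rcvd: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Pull the RCODE out of captured dig output ("status: NOERROR, id: ...").
rcode() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# check_output <dig output> <min bytes>: succeed only if the query was answered
# (NOERROR) and the reply was at least <min bytes>, so a timeout, a SERVFAIL
# or a reply that lost its DNSSEC data on the way all count as failures.
check_output() {
    out=$1; min=$2
    size=$(printf '%s\n' "$out" | msg_size)
    code=$(printf '%s\n' "$out" | rcode)
    [ "$code" = NOERROR ] && [ -n "$size" ] && [ "$size" -ge "$min" ]
}

# run_check <label> <min bytes> <dig args...>: run one of the four queries.
run_check() {
    label=$1; min=$2; shift 2
    out=$(dig "$@" 2>&1)
    if check_output "$out" "$min"; then
        echo "PASS  $label ($(printf '%s\n' "$out" | msg_size) bytes)"
    else
        echo "FAIL  $label: fix the middleware and/or firewall on the box"
        return 1
    fi
}

# run_all <-4|-6>: the control query, then the three +dnssec queries.
run_all() {
    fam=$1; status=0
    run_check "control (plain UDP)"          1 "$fam" ns  . +norec @"$ROOT"               || status=1
    run_check "unfragmented DNSSEC > 512B" 513 "$fam" ns  . +dnssec +cd +norec @"$ROOT"   || status=1
    run_check "fragmented DNSSEC over UDP" 1473 "$fam" any . +dnssec +cd +norec @"$ROOT"   || status=1
    run_check "DNSSEC over TCP"            1473 "$fam" any . +dnssec +cd +norec @"$ROOT" +vc || status=1
    return $status
}

# Only run the live checks when asked for an address family; sourcing the
# file just defines the functions.
case "$1" in -4|-6) run_all "$1" ;; esac
```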