[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)
Mark Andrews
Mark_Andrews at isc.org
Wed Jan 9 00:22:27 UTC 2008
> * Patrik Fältström wrote:
> > error is found (by someone), what should happen? Should as a last
> > resort the domain be withdrawn?
>
> As the starter of this subthread, I'd like to clarify my personal clash with
> the AFNIC domain checking tools. First we had several problems, due to
> misconfigurations in IPv6 reverse zones, hidden primaries etc., in order
> to get the FR delegation to fly.
>
> After a long time, I switched the NS of this zone to DNSSEC validation and to
> use the signed root. In consequence we received an e-mail explaining that
> the server does not respond with the ICANN servers for "." and the zone was
> no longer delegated from FR. I was somewhat surprised. This server is now
> one of the few non-validation servers. I do not know what really happened, it
> might be the registrar's fault or something more obscure, but I deeply
> remember the connection between DNSSEC and FR delegation removal ...
See the DS check comment below.
These are the sorts of checks I'd like to see. Note this
is for an IPv4 nameserver. Adjust as appropriate for an IPv6
nameserver.
dig NS <zone> @<IPV4> +norec
dig NS <zone> -b 0.0.0.0#53 @<IPV4> +norec
dig NS <zone> -b 0.0.0.0#1024 @<IPV4> +norec
<more suspect source ports>
dig NS <zone> @<IPV4> +norec +dnssec
dig NS <zone> @<IPV4> +norec +dnssec
(need two as some servers drop second EDNS query)
dig A <zone> @<IPV4> +norec
dig A <zone> @<IPV4> +norec +dnssec
dig A <zone> @<IPV4> +norec +dnssec
(explicitly check for A records as there may be a misconfigured
load balancer in front of an otherwise correctly configured
server).
dig SOA <zone> @<IPV4> +norec
dig AAAA <zone> @<IPV4> +norec
(IPv6 exists)
dig MX <zone> @<IPV4> +norec
dig DS <zone> @<IPV4> +norec
(Here is where a root referral may happen)
Glue checks for all required glue.
dig A <nameserver> @<IPV4> +norec
(note nameserver may be in a child zone so you may get
a referral, follow referral and requery.)
dig AAAA <nameserver> @<IPV4> +norec
Check that sibling glue is held and is correct.
DNSSEC checks added here.
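As an added illustration (not code from this post or from ISC), here is a small Python checker that applies the list above to saved dig output: it classifies each +norec response by AA bit and answer count, treats a referral on the DS query (usually to the root) as expected, and flags a server that answers the first +dnssec query but drops the second. The dig output is constructed inline in dig's header format, and the check names and the "lame"/"root-referral" labels are assumptions of this example.

```python
import re

# Constructed dig output (header and flags lines in dig's own format); not captured from a real server.
def fake_dig(status, flags, answer, authority=0, records=""):
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4711\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: {answer}, AUTHORITY: {authority}, ADDITIONAL: 0\n"
            f"{records}")
TIMEOUT = ";; connection timed out; no servers could be reached\n"

def classify(out):
    """Classify one '+norec' dig response for the delegation checklist."""
    if "no servers could be reached" in out:
        return "timeout"
    hdr = re.search(r"status: (\w+)", out)
    flg = re.search(r"^;; flags: ([^;]*);.*ANSWER: (\d+), AUTHORITY: (\d+)", out, re.M)
    if not hdr or not flg:
        return "unparsable"
    if hdr.group(1) != "NOERROR":
        return "rcode:" + hdr.group(1)
    flags, answers, auth = flg.group(1).split(), int(flg.group(2)), int(flg.group(3))
    if "aa" in flags:
        return "authoritative" if answers else "nodata"   # nodata is fine for AAAA/MX
    # No AA bit on a +norec query: the server is handing out a referral, not an answer.
    if re.search(r"^\.\s+\d+\s+IN\s+NS\s", out, re.M):
        return "root-referral"      # what a DS query at the apex usually produces
    return "referral" if auth else "lame"

def delegation_findings(r):
    """r maps check name to dig output; returns the problems the checklist would flag."""
    problems = []
    for q in ("NS", "SOA"):
        if classify(r[q]) != "authoritative":
            problems.append(f"{q}: not authoritative ({classify(r[q])})")
    for q in ("A", "AAAA", "MX"):
        if classify(r[q]) not in ("authoritative", "nodata"):
            problems.append(f"{q}: {classify(r[q])}")
    if classify(r["DS"]) not in ("authoritative", "nodata", "referral", "root-referral"):
        problems.append(f"DS: {classify(r['DS'])}")   # a (root) referral is expected here
    # The NS +dnssec query is sent twice: some servers answer the first EDNS query and drop the second.
    first, second = classify(r["NS+dnssec#1"]), classify(r["NS+dnssec#2"])
    if first == "timeout":
        problems.append("NS+dnssec: no response to EDNS query")
    elif second == "timeout":
        problems.append("NS+dnssec: drops second EDNS query")
    return problems

# Constructed responses for a zone whose server drops the second EDNS query.
NS_OK = fake_dig("NOERROR", "qr aa", 2)
NODATA = fake_dig("NOERROR", "qr aa", 0, authority=1)
ROOT_REF = fake_dig("NOERROR", "qr", 0, authority=1, records=".\t518400\tIN\tNS\ta.root-servers.net.\n")
SAMPLE = {"NS": NS_OK, "SOA": NS_OK, "A": NS_OK, "AAAA": NODATA, "MX": NODATA,
          "DS": ROOT_REF, "NS+dnssec#1": NS_OK, "NS+dnssec#2": TIMEOUT}
```

Feed it the real dig output for each check in place of the constructed samples; delegation_findings(SAMPLE) returns ['NS+dnssec: drops second EDNS query'].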
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org