[dns-operations] Debugging DNSSEC

Edward Lewis Ed.Lewis at neustar.biz
Thu Dec 22 17:22:20 UTC 2011


At 16:03 +0100 12/22/11, Laurent Bauer wrote:

>I am not quite familiar with DNSSEC debugging yet,

No worries, not many people are. ;)

During the workshop days (up to about 2006) I used to do a lot of 
debugging of DNSSEC and came up with some tricks.

First, if you get SERVFAIL, try to determine why.  The way to do this 
is to ask again with "dig +cd +norec".  If the response looks like a 
referral then you aren't getting to the server you need.  If the 
response looks like the answer you want, it's a DNSSEC validation 
error.

If the latter, the second thing to do is to walk down the tree.  If 
you are starting with the root, try a series of:

dig @recursive_resolver . SOA to see if the AD appears.

Then try "TLD SOA" and maybe "SLD.TLD SOA".  Once you get a 
failure, then be more granular, look for SOA, NS, DS, DNSKEY and so 
on.  Eventually you can narrow down what record failed.

This is just a brief (email size) suggestion.  There's a myriad of 
ways things can go wrong, begin by trying to find the point at which 
the chain breaks and then you can go on to figuring out why.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Vote for the word of the day:
"Papa"razzi - father that constantly takes photos of the baby
Corpureaucracy - The institution of corporate "red tape"
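Added example, not part of Ed's message: a small POSIX shell script that automates the walk he describes, asking the resolver for each zone's SOA from the root down, checking the AD flag, and on the first failure reasking with +cd +norec and classifying the reply as an answer (validation failure) or a referral (not reaching the right server). The helper names (ancestors, has_ad_flag, classify_cd_response, walk_chain) and the embedded sample dig output are my own constructions; running the actual walk needs dig and network access.

```shell
#!/bin/sh
# Added example (not from the original message): walk the DNSSEC chain from the root
# down to a name with dig, checking AD at each step and reasking with +cd +norec on failure.

# Print the chain of zone names from the root down to NAME, one per line.
ancestors() {
    printf '%s\n' "$1" | awk '{
        sub(/\.$/, ""); n = split($0, l, "."); acc = ""; print "."
        for (i = n; i >= 1; i--) { acc = l[i] "." acc; print acc }
    }'
}
# Read dig output on stdin; succeed only if the AD (authenticated data) flag is set.
has_ad_flag() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx ad
}
# Read "dig +cd +norec" output on stdin and print "answer" (data came back, so missing AD
# means validation failed), "referral" (NS-only authority: wrong server reached), "nodata",
# "empty" or "error:<RCODE>".
classify_cd_response() {
    awk '/^;; ->>HEADER<<-/ { match($0, /status: [A-Z]+/); st = substr($0, RSTART + 8, RLENGTH - 8) }
         /^;; flags:/ { for (i = 1; i <= NF; i++) if ($i == "ANSWER:") ans = $(i + 1) + 0 }
         /^;; AUTHORITY SECTION:/ { sec = 1; next }
         /^;; / || /^$/ { sec = 0 }
         sec && $4 == "NS"  { ns++ }
         sec && $4 == "SOA" { soa++ }
         END { if (st != "NOERROR") print "error:" st; else if (ans > 0) print "answer";
               else if (soa > 0) print "nodata"; else if (ns > 0) print "referral"; else print "empty" }'
}
# Query RESOLVER ($1) for each zone on the way to NAME ($2); stop at the first step without AD.
walk_chain() {
    for zone in $(ancestors "$2"); do
        dig @"$1" "$zone" SOA | has_ad_flag && { echo "AD set:    $zone SOA"; continue; }
        echo "AD absent: $zone SOA, reasking with +cd +norec"
        case $(dig @"$1" +cd +norec "$zone" SOA | classify_cd_response) in
            answer)   echo "data returned with +cd: validation failure at $zone, inspect its DS/DNSKEY/RRSIG" ;;
            referral) echo "referral returned: not reaching the authoritative server for $zone" ;;
            *)        echo "unexpected +cd response, inspect it by hand" ;;
        esac
        return 1
    done
    echo "AD present all the way down to $2"
}
# Constructed, abridged "dig +cd +norec" output showing a referral.
SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
example.net.   172800  IN  NS  a.iana-servers.net.
'
if [ $# -eq 2 ]; then walk_chain "$1" "$2"; fi   # usage: sh walk.sh <resolver> <name>
```

The classification only separates "answer came back without AD" from "referral" as in the message above; a "nodata" or "error:" result means the failing step needs to be looked at by hand.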