[dns-operations] [DNSSEC] Looking for a zone verification tool

[bert hubert]

On Tue, Mar 01, 2011 at 04:01:06PM +0100, Stephane Bortzmeyer wrote:
> Currently, I tend towards writing a new program in C, better
> optimized, with the ldns library
> <http://www.nlnetlabs.nl/projects/ldns/>. Advices?

Hi Stephane,

I too am pondering doing more stringent DNSSEC testing, the aim is to get a
'hostile' tool that will do its utmost to find problems in the serving of a
DNSSEC zone.

Note that I'd love to include the actual *serving* of a zone in the process.

If we look at a DNSSEC signed zone, the RRSIG records are quite simple to
validate from the zone itself, but the NSEC and NSEC3 records require
substantial work by the authoritative server [1].

So I was aiming for a tool that would take the unsigned zone as its input,
calculates the set of queries that deliver all possible responses [2], and
asks & checks all of them.

This in effect means asking all questions that are before the apex of a
zone, within all records of a zone, and after the last record of a zone in
cannonical ordering (for NSEC).

For NSEC3 it entails all questions before, between and after the calculated
hashes.

It also means asking questions for all 2^16 RRTYPEs per record present.

Delegations further complicate the picture.

In short, it is a lot of questions, so I decided not to write this actual
tool right now.

However, if you do go through the effort, I would ask you to consider going
for 'complete validation' by including not just the zone but also the
authoritative server. 

In addition, I hope (& trust ;-)) that you will go for a 'hostile' tool.

Kind regards,

Bert

[1] To the point that NSEC and NSEC3 are almost pointless in a zone - a
nameserver will still have to treat NSEC and NSEC3 specially on queries,
their presence in a zone file is barely helpful.

[2] If we disregard the repetition of the question record, this set is
finite.