[dns-operations] [DNSSEC] Looking for a zone verification tool
bert hubert
bert.hubert at netherlabs.nl
Tue Mar 1 15:38:46 UTC 2011
On Tue, Mar 01, 2011 at 04:01:06PM +0100, Stephane Bortzmeyer wrote:
> Currently, I tend towards writing a new program in C, better
> optimized, with the ldns library
> <http://www.nlnetlabs.nl/projects/ldns/>. Advice?
Hi Stephane,
I too am pondering doing more stringent DNSSEC testing; the aim is to get a
'hostile' tool that will do its utmost to find problems in the serving of a
DNSSEC zone.
Note that I'd love to include the actual *serving* of a zone in the process.
If we look at a DNSSEC signed zone, the RRSIG records are quite simple to
validate from the zone itself, but the NSEC and NSEC3 records require
substantial work by the authoritative server [1].
So I was aiming for a tool that would take the unsigned zone as its input,
calculate the set of queries that deliver all possible responses [2], and
ask & check all of them.
This in effect means asking all questions that are before the apex of a
zone, within all records of a zone, and after the last record of a zone in
canonical ordering (for NSEC).
For NSEC3 it entails all questions before, between and after the calculated
hashes.
It also means asking questions for all 2^16 RRTYPEs per record present.
Delegations further complicate the picture.
In short, it is a lot of questions, so I decided not to write this actual
tool right now.
However, if you do go through the effort, I would ask you to consider going
for 'complete validation' by including not just the zone but also the
authoritative server.
In addition, I hope (& trust ;-)) that you will go for a 'hostile' tool.
Kind regards,
Bert
[1] To the point that NSEC and NSEC3 are almost pointless in a zone - a
nameserver will still have to treat NSEC and NSEC3 specially on queries,
their presence in a zone file is barely helpful.
[2] If we disregard the repetition of the question record, this set is
finite.
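The query-set enumeration sketched in the message above (names between and after the owners in canonical order for NSEC; hashes before, between and after the chain for NSEC3), as an added example that is not part of the thread and is not code by either participant. It assumes Python 3 with only the standard library, a constructed sample zone, and the NSEC3 parameters of the RFC 5155 Appendix A example zone (salt aabbccdd, 12 iterations). It only computes which questions to ask; sending them and checking the NSEC/NSEC3 in the reply against the probe is left to the caller.

```python
"""Enumerating denial-of-existence probes for a 'hostile' DNSSEC test:
canonical ordering (RFC 4034 s6.1), NSEC gap probes, the NSEC3 hash (RFC 5155 s5)
and a search for qnames whose NSEC3 hash lands in every gap of the chain.
Example code written for this discussion, not a tool from the thread; offline only."""
import base64
import hashlib

# Constructed sample zone (assumption): owner names of an unsigned zone, apex "example".
SAMPLE_ZONE = ["example", "a.example", "*.a.example", "ns1.example", "Z.example", "x.y.w.example"]
SAMPLE_SALT = bytes.fromhex("aabbccdd")  # RFC 5155 Appendix A parameters
SAMPLE_ITERATIONS = 12


def labels(name):
    """Presentation-format name -> lowercase labels, without the empty root label."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def canonical_key(name):
    """Sort key for DNS canonical ordering: labels reversed, compared as octet strings.
    Tuple comparison puts a shorter prefix first, matching 'absence of an octet sorts
    before a zero-valued octet' in RFC 4034 s6.1."""
    return tuple(l.encode("latin-1") for l in reversed(labels(name)))


def canonical_sort(names):
    return sorted(names, key=canonical_key)


def with_empty_nonterminals(names, apex):
    """Add the ancestors between each owner and the apex (y.w.example for x.y.w.example).
    NSEC3 hashes them, and a server must answer them as NODATA, not NXDOMAIN."""
    out = set(names)
    depth = len(labels(apex))
    for n in names:
        ls = labels(n)
        while len(ls) > depth:
            ls = ls[1:]
            out.add(".".join(ls))
    return canonical_sort(out)


def nsec_probes(names):
    """For consecutive owners (a, b) in canonical order, a qname sorting strictly between
    them: the label \\000 directly under a is a's immediate successor, so it lies between
    a and b unless b *is* that name (empty gap, skipped). The last owner gets a probe too,
    since its NSEC must wrap around to the apex. Returns (a, b-or-None, probe) tuples."""
    ordered = canonical_sort(names)
    probes = []
    for i, a in enumerate(ordered):
        probe = "\x00." + a
        b = ordered[i + 1] if i + 1 < len(ordered) else None
        if b is not None and canonical_key(probe) >= canonical_key(b):
            continue
        probes.append((a, b, probe))
    return probes


# base32 (RFC 4648) -> base32hex alphabet; base32hex preserves byte order, so the
# lexicographic order of hashed owner names is the NSEC3 chain order.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: IH(0) = SHA-1(wire_name || salt); IH(k) = SHA-1(IH(k-1) || salt).
    Returned as the lowercase base32hex label used as the NSEC3 owner name."""
    wire = b"".join(bytes([len(l)]) + l.encode("latin-1") for l in labels(name)) + b"\x00"
    h = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).translate(_B32HEX).decode("ascii").lower()


def nsec3_probes(names, apex, salt, iterations, max_tries=200000):
    """Find a qname for every gap of the NSEC3 chain (including the wrap from the last
    hash back to the first) by trying labels under the apex until one hashes into the
    gap. You cannot invert the hash, so the probe names are found by search. Returns
    (gaps, {gap: qname}); a gap missing from the dict was not filled within max_tries."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in with_empty_nonterminals(names, apex))
    gaps = [(hashes[i], hashes[(i + 1) % len(hashes)]) for i in range(len(hashes))]
    found = {}
    for n in range(max_tries):
        qname = "probe%d.%s" % (n, apex)  # hypothetical probe label scheme
        h = nsec3_hash(qname, salt, iterations)
        if h in hashes:
            continue  # collides with a real owner; would not be a denial at all
        for lo, hi in gaps:
            if (lo, hi) in found:
                continue
            inside = lo < h < hi if lo < hi else (h > lo or h < hi)  # second form: wrap gap
            if inside:
                found[(lo, hi)] = qname
                break
        if len(found) == len(gaps):
            break
    return gaps, found


if __name__ == "__main__":
    for a, b, p in nsec_probes(SAMPLE_ZONE):
        print("NSEC  %-16r between %-16s and %s" % (p, a, b or "(apex, wrap)"))
    gaps, found = nsec3_probes(SAMPLE_ZONE, "example", SAMPLE_SALT, SAMPLE_ITERATIONS)
    for gap in gaps:
        print("NSEC3 %s .. %s  <- %s" % (gap[0], gap[1], found.get(gap, "UNFILLED")))
```

Two things the block leaves out that the message calls for: the sweep over all 2^16 RRTYPEs per owner (trivially a second loop over the owner list, but each query needs its own expected NODATA/NSEC answer) and delegation points, where the correct reply is a referral rather than a denial. A hostile tool should also expect that a probe under a wildcard (here, names below *.a.example) is answered by wildcard synthesis with an NSEC/NSEC3 proving the closest encloser, not by a plain NXDOMAIN, and should check that the denial records returned actually cover the probe rather than merely validating.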