[dns-operations] Online DNSSEC debugging tool now availalbe

Chris Thompson cet1 at cam.ac.uk
Tue Mar 1 16:31:04 UTC 2011


Duane,

I hope you are still receiving bug/infelicity reports on this
very useful checking utility.

>With todays conversion to a validatable root zone, I'm pleased to announce
>the availability of an online tool to assist in debugging DNSSEC issues:
>
>http://dnssec-debugger.verisignlabs.com
>
>Please give it a try if you have a chance.  I'd be happy to receive your
>questions and feedback.

I have noticed that it gets confused about zone boundaries when a
parent and child zone are both served from the same nameserver(s).
Thus when looking up (say) 111.131.in-addr.arpa, it will (usually)
say that it can't find a DS record for "in-addr.arpa" in ".",
failing to realise that it should have been looking for one in
"arpa". If it chooses a root-server that is still serving
"in-addr.arpa" as well as "arpa", it may even say that it can't
find one for "131.in-addr.arpa" in ".", skipping two levels of
delegation.

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.



More information about the dns-operations mailing list