[dns-operations] dns-operations Digest, Vol 62, Issue 1; DNSSEC Zone Verification Tool
Fred Hill
fred.hill at datamtnsol.com
Tue Mar 1 18:17:52 UTC 2011
We provide a free DNSSEC zone verification tool at the link below:
http://www.dnssecreport.com/DNSSECReport/index.aspx
Regards,
--
Fred Hill
President
Data Mountain Solutions, Inc.
(301) 529-2039
www.datamtn.com
Today's Topics:
1. [DNSSEC] Looking for a zone verification tool (Stephane Bortzmeyer)
2. Re: .com DNSSEC operational message (Matt Larson)
3. Re: [DNSSEC] Looking for a zone verification tool (Miek Gieben)
4. Re: [DNSSEC] Looking for a zone verification tool (Warren Kumari)
5. Re: [DNSSEC] Looking for a zone verification tool (bert hubert)
6. Re: [DNSSEC] Looking for a zone verification tool (Stephane Bortzmeyer)
7. Re: Online DNSSEC debugging tool now available (Chris Thompson)
8. Re: [DNSSEC] Looking for a zone verification tool (Wolfgang Nagele)
9. Re: Online DNSSEC debugging tool now available (Wessels, Duane)
----------------------------------------------------------------------
Message: 1
Date: Tue, 1 Mar 2011 16:01:06 +0100
From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
To: dns-operations at mail.dns-oarc.net
Subject: [dns-operations] [DNSSEC] Looking for a zone verification tool
Message-ID: <20110301150106.GA28501 at nic.fr>
Content-Type: text/plain; charset=iso-8859-1
Following two serious DNSSEC incidents (see <http://operations.afnic.fr/en/2011/02/18/study-and-action-plan-following-the-incident-with-validating-resolvers-on-12-february-2011.html>, a longer report will be delivered by Vincent Levigneron at the OARC workshop in San Francisco <https://www.dns-oarc.net/oarc/workshop-201103>), I am looking for a zone validation tool, able to take a signed zone in RFC 1035 format and test that it is consistent. More specific requirements are:
1) runs on Unix
2) Free software (as in free speech, not as in free beer)
3) supports DNSSEC with all variants (NSEC3, opt-out, SHA2, etc.)
4) allows for delegation zones of > 1 Mdomains, with at least 30 % of them signed
With these requirements, I tested:
* BIND named-checkzone: it does not seem to have any DNSSEC support. Fails requirement 3
* Verisign <http://www.verisignlabs.com/dnssec-tools/>: works fine on a test zone that I rendered deliberately invalid, but crashes on .FR with an out-of-memory error. Fails requirement 4
* OpenDNSSEC Auditor: off-topic because it does not test the zone in itself but its compliance to the local policy. Anyway, it runs forever with .FR. Fails requirement 4
* ldns ldns-verify-zone: works fine on a test zone that I rendered deliberately invalid. Seems to run forever on .FR (which is signed with opt-out so has only 40 signatures). Twenty minutes of Intel Core 2 CPU and still running. Fails requirement 4
Currently, I tend towards writing a new program in C, better optimized, with the ldns library <http://www.nlnetlabs.nl/projects/ldns/>. Advice?
------------------------------
Message: 2
Date: Tue, 1 Mar 2011 10:03:17 -0500
From: Matt Larson <mlarson at verisign.com>
To: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] .com DNSSEC operational message
Message-ID: <20110301150316.GD90622 at DUL1MLARSON-M2.labs.vrsn.com>
Content-Type: text/plain; charset=us-ascii
On Fri, 28 Jan 2011, Matt Larson wrote:
> The .com DNSSEC deployment consists of the following major milestones:
> [...]
> February 28, 2011: A deliberately unvalidatable .com zone will be
> published. Any DS records for .com that have been submitted by
> registrars will be published in the deliberately unvalidatable zone.
FYI, the deliberately unvalidatable .com zone started its rollout yesterday on schedule:
$ dig +short @m.gtld-servers.net dnskey com
257 3 8
AwEAAa9Lp++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU
LD/NOT/BE/USED/CONTACT/INFO/AT/VERISIGN+GRS/DOT/COM+++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++8=
256 3 8
AwEAAa2CM++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU
LD/NOT/BE/USED/CONTACT/INFO/AT/VERISIGN+GRS/DOT/COM+++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++8
(Note that some .com/.net servers are anycast, so the version of m.gtld-servers.net that you see might not have the signed and blinded zone yet.)
Matt
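The DS records the registrars submit (mentioned in the quoted milestone above) are derived from the DNSKEY RDATA shown in the dig output: a 16-bit key tag plus a digest over the canonical owner name and the RDATA. The following is an added example, not code from the thread or from Verisign, that does that derivation in pure Python. The DNSKEY it parses is a constructed dummy whose "public key" is the four bytes 01 02 03 04 (base64 AQIDBA==) so the key-tag arithmetic can be followed by hand; the .com keys in the dig output are truncated on this page and are not usable as input.

```python
"""Key tag (RFC 4034 Appendix B) and DS digest type 2 (SHA-256, RFC 4509)
for a DNSKEY RR. Added example; pure standard library.
"""
import base64
import hashlib
import struct

# Constructed sample record. The 'key' is NOT an RSA key, just 01 02 03 04.
SAMPLE_DNSKEY = "example. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase labels, each prefixed by
    its length, terminated by the root label. Assumes no escaped dots."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def parse_dnskey(rr: str):
    """'owner [ttl] [class] DNSKEY flags proto alg base64...' ->
    (owner, flags, proto, alg, key_bytes). Base64 may be split into chunks,
    as dig prints it."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, proto, alg, key


def dnskey_rdata(flags: int, proto: int, alg: int, key: bytes) -> bytes:
    """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(flags: int, proto: int, alg: int, key: bytes) -> int:
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, fold the
    carry back in once, keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, key)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, flags: int, proto: int, alg: int, key: bytes) -> str:
    """DS digest type 2: SHA-256 over canonical owner name || DNSKEY RDATA."""
    data = name_to_wire(owner) + dnskey_rdata(flags, proto, alg, key)
    return hashlib.sha256(data).hexdigest().upper()


def ds_record(rr: str) -> str:
    """Render the DS RR a zone operator would hand to its registrar."""
    owner, flags, proto, alg, key = parse_dnskey(rr)
    kind = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit: set on 257, clear on 256
    tag = key_tag(flags, proto, alg, key)
    return f"{owner} IN DS {tag} {alg} 2 {ds_digest(owner, flags, proto, alg, key)}  ; from {kind}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
```

For the dummy record the key tag works out to 2063 (0x0101 + 0x0308 + 0x0102 + 0x0304 = 0x080F, no carry). Feeding a real DNSKEY through the same code and comparing the result with what the parent publishes is the quickest offline check that a registrar submission matches the key actually in the zone.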
------------------------------
Message: 3
Date: Tue, 1 Mar 2011 16:26:22 +0100
From: Miek Gieben <miek.gieben at sidn.nl>
To: <dns-operations at lists.dns-oarc.net>
Subject: Re: [dns-operations] [DNSSEC] Looking for a zone verification tool
Message-ID: <20110301152622.GF3128 at login.sidn.nl>
Content-Type: text/plain; charset="us-ascii"
[ Quoting Stephane Bortzmeyer in "[dns-operations] [DNSSEC] Looking f"... ]
> With these requirments, I tested:
>
> * BIND named-checkzone: it does not seem to have any DNSSEC
> support. Fails requirment 3
>
> * Verisign <http://www.verisignlabs.com/dnssec-tools/>: works fine on
> a test zone that I rendered deliberately invalid, but crashes on .FR
> with an out-of-memory error. Fails requirment 4
>
> * OpenDNSSEC Auditor: off-topic because it does not test the zone in
> itself but its compliance to the local policy. Anyway, it runs forever
> with .FR. Fails requirment 4
>
> * ldns ldns-verify-zone: works fine on a test zone that I rendered
> deliberately invalid. Seems to run forever on .FR (which is signed
> with opt-out so has only 40 signatures). Twenty minutes of Intel Core
> 2 CPU and still running. Fails requirment 4
>
> Currently, I tend towards writing a new program in C, better
> optimized, with the ldns library
> <http://www.nlnetlabs.nl/projects/ldns/>. Advices?
I would very much like to work with you to see if we can get ldns-verify-zone up to par for the .fr zone.
grtz,
--
Miek Gieben
Technical Advisor SIDN
------------------------------
Message: 4
Date: Tue, 1 Mar 2011 10:30:37 -0500
From: Warren Kumari <warren at kumari.net>
To: Stephane Bortzmeyer <bortzmeyer at nic.fr>
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] [DNSSEC] Looking for a zone verification tool
Message-ID: <B3F6AB81-D097-4153-87AD-B9A471E0B2A8 at kumari.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Does Donuts (https://www.dnssec-tools.org/wiki/index.php/Donuts (and related)) not fit all of these requirements? I haven't tried it with a huge zone, but I think it might be happy...
W
On Mar 1, 2011, at 10:01 AM, Stephane Bortzmeyer wrote:
> Following two serious DNSSEC incidents (see
> <http://operations.afnic.fr/en/2011/02/18/study-and-action-plan-following-the-incident-with-validating-resolvers-on-12-february-2011.html
> >,
> a longer report will be delivered by Vincent Levigneron at the OARC
> workshop in San Francisco
> <https://www.dns-oarc.net/oarc/workshop-201103>), I am looking for a
> zone validation tool, able to take a signed zone in RFC 1035 format
> and tests that it is consistent. More specific requirments are:
>
> 1) runs on Unix
> 2) Free software (as in free speech, not as in free beer)
> 3) supports DNSSEC with all variants (NSEC3, opt-out, SHA2, etc)
> 4) allows for delegation zones of > 1 Mdomains, with at least 30 % of
> them signed
>
> With these requirments, I tested:
>
> * BIND named-checkzone: it does not seem to have any DNSSEC
> support. Fails requirment 3
>
> * Verisign <http://www.verisignlabs.com/dnssec-tools/>: works fine on
> a test zone that I rendered deliberately invalid, but crashes on .FR
> with an out-of-memory error. Fails requirment 4
>
> * OpenDNSSEC Auditor: off-topic because it does not test the zone in
> itself but its compliance to the local policy. Anyway, it runs forever
> with .FR. Fails requirment 4
>
> * ldns ldns-verify-zone: works fine on a test zone that I rendered
> deliberately invalid. Seems to run forever on .FR (which is signed
> with opt-out so has only 40 signatures). Twenty minutes of Intel Core
> 2 CPU and still running. Fails requirment 4
>
> Currently, I tend towards writing a new program in C, better
> optimized, with the ldns library
> <http://www.nlnetlabs.nl/projects/ldns/>. Advices?
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
--
Hope is not a strategy.
-- Ben Treynor, Google
------------------------------
Message: 5
Date: Tue, 1 Mar 2011 16:38:46 +0100
From: bert hubert <bert.hubert at netherlabs.nl>
To: Stephane Bortzmeyer <bortzmeyer at nic.fr>
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] [DNSSEC] Looking for a zone verification tool
Message-ID: <20110301153846.GC3488 at xs.powerdns.com>
Content-Type: text/plain; charset=us-ascii
On Tue, Mar 01, 2011 at 04:01:06PM +0100, Stephane Bortzmeyer wrote:
> Currently, I tend towards writing a new program in C, better
> optimized, with the ldns library
> <http://www.nlnetlabs.nl/projects/ldns/>. Advices?
Hi Stephane,
I too am pondering doing more stringent DNSSEC testing, the aim is to get a 'hostile' tool that will do its utmost to find problems in the serving of a DNSSEC zone.
Note that I'd love to include the actual *serving* of a zone in the process. If we look at a DNSSEC signed zone, the RRSIG records are quite simple to validate from the zone itself, but the NSEC and NSEC3 records require substantial work by the authoritative server [1].
So I was aiming for a tool that would take the unsigned zone as its input, calculate the set of queries that deliver all possible responses [2], and ask & check all of them.
This in effect means asking all questions that are before the apex of a zone, within all records of a zone, and after the last record of a zone in canonical ordering (for NSEC).
For NSEC3 it entails all questions before, between and after the calculated hashes.
It also means asking questions for all 2^16 RRTYPEs per record present.
Delegations further complicate the picture.
In short, it is a lot of questions, so I decided not to write this actual tool right now.
However, if you do go through the effort, I would ask you to consider going for 'complete validation' by including not just the zone but also the authoritative server.
In addition, I hope (& trust ;-)) that you will go for a 'hostile' tool.
Kind regards,
Bert
[1] To the point that NSEC and NSEC3 are almost pointless in a zone: a nameserver will still have to treat NSEC and NSEC3 specially on queries; their presence in a zone file is barely helpful.
[2] If we disregard the repetition of the question record, this set is finite.
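Two of the checks discussed in this thread, the offline consistency check Stephane asks for and the "questions between all records" Bert wants to fire at the authoritative server, share the same core: RFC 4034 section 6.1 canonical ordering. The following is an added example, not code from the thread, from ldns or from any tool named above. It walks an NSEC chain the way an offline verifier would (every NSEC's next name must be the canonically next owner, the last one must wrap to the apex, every type bitmap must list NSEC and RRSIG) and, for each NSEC, produces one name that sorts strictly inside its gap, i.e. a query whose NXDOMAIN answer must be proved by exactly that NSEC. Assumptions: NSEC only (NSEC3 would need the hashed-owner variant), presentation-format names with \DDD escapes but no escaped dots, and a constructed six-record zone excerpt rather than a real TLD file.

```python
"""NSEC chain consistency check plus gap probe names. Added example; the
zone excerpts below are constructed, not taken from any real zone.
"""
import re

# Constructed excerpts: only the NSEC RRs matter for this check.
GOOD_ZONE = """\
example.        3600 IN NSEC a.example.     NS SOA RRSIG NSEC DNSKEY
a.example.      3600 IN NSEC b.example.     A RRSIG NSEC
b.example.      3600 IN NSEC *.b.example.   A RRSIG NSEC
*.b.example.    3600 IN NSEC ns.b.example.  A RRSIG NSEC
ns.b.example.   3600 IN NSEC Z.example.     A AAAA RRSIG NSEC
Z.example.      3600 IN NSEC example.       A RRSIG NSEC
"""
# Same zone, but a.example.'s NSEC skips b.example.: the chain has a hole.
BROKEN_ZONE = GOOD_ZONE.replace("NSEC b.example.", "NSEC *.b.example.")

NSEC_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?NSEC\s+(\S+)(?:\s+(.*))?$", re.I)


def _label_bytes(label: str) -> bytes:
    """One label as octets: \\DDD escapes decoded, ASCII uppercase folded."""
    out, i = bytearray(), 0
    while i < len(label):
        if label[i] == "\\" and label[i + 1:i + 4].isdigit():
            out.append(int(label[i + 1:i + 4]))
            i += 4
        else:
            out.append(ord(label[i].lower()))
            i += 1
    return bytes(out)


def canonical_key(name: str):
    """RFC 4034 s6.1 sort key: labels compared right to left as octet strings;
    an ancestor (a label-tuple prefix) sorts before its descendants."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return tuple(_label_bytes(l) for l in reversed(labels))


def nsec_covers(owner: str, nxt: str, name: str) -> bool:
    """Does the NSEC owner -> nxt cover name? Normal case: owner < name < nxt.
    The last NSEC of the chain (nxt <= owner) covers all names after owner
    and all names before nxt (the apex)."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n


def parse_nsec(zone_text: str) -> dict:
    """owner -> (next, [types]) for every NSEC RR; names lowercased."""
    recs = {}
    for raw in zone_text.splitlines():
        m = NSEC_RE.match(raw.split(";")[0].strip())
        if m:
            recs[m.group(1).lower()] = (m.group(2).lower(), (m.group(3) or "").upper().split())
    return recs


def check_nsec_chain(apex: str, recs: dict) -> list:
    """Return human-readable problems; an empty list means the chain is closed."""
    problems = []
    owners = sorted(recs, key=canonical_key)
    if not owners:
        return ["no NSEC records found"]
    if owners[0] != apex.lower():
        problems.append(f"canonically first NSEC owner is {owners[0]}, not the apex {apex}")
    for i, owner in enumerate(owners):
        nxt, types = recs[owner]
        expected = owners[(i + 1) % len(owners)]   # the last NSEC wraps to the apex
        if nxt != expected:
            problems.append(f"{owner} NSEC points to {nxt}, canonical next is {expected}")
        if not {"NSEC", "RRSIG"} <= set(types):
            problems.append(f"{owner} type bitmap lacks NSEC and/or RRSIG")
    return problems


def gap_probe_names(recs: dict) -> dict:
    """owner -> one name inside that NSEC's gap. The label \\000 is the smallest
    possible label, so \\000.<owner> is the very first name after owner; it is
    only excluded when the next owner is literally that name. (If owner is a
    delegation the server answers with a referral, not NXDOMAIN.)"""
    probes = {}
    for owner, (nxt, _types) in recs.items():
        probe = "\\000." + owner
        if nsec_covers(owner, nxt, probe):
            probes[owner] = probe
    return probes


if __name__ == "__main__":
    for label, text in (("good", GOOD_ZONE), ("broken", BROKEN_ZONE)):
        print(label, check_nsec_chain("example.", parse_nsec(text)) or "chain OK")
    for owner, probe in gap_probe_names(parse_nsec(GOOD_ZONE)).items():
        print(f"dig +dnssec {probe} A   # expect NXDOMAIN proved by the {owner} NSEC")
```

The offline half is linear in the number of NSEC records once they are sorted, which is the property a tool for a multi-million-name zone needs. The probe names are meant for direct queries against the authoritative server; a resolver in between may refuse a label starting with \000.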
------------------------------
Message: 6
Date: Tue, 1 Mar 2011 16:43:25 +0100
From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
To: Warren Kumari <warren at kumari.net>
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] [DNSSEC] Looking for a zone verification tool
Message-ID: <20110301154324.GA9413 at nic.fr>
Content-Type: text/plain; charset=us-ascii
On Tue, Mar 01, 2011 at 10:30:37AM -0500, Warren Kumari <warren at kumari.net> wrote a message of 53 lines which said:
> Does Donuts (https://www.dnssec-tools.org/wiki/index.php/Donuts (and
> related)) not fit all of these requirements? I haven't tried it with
> a huge zone,
It eats a lot of memory and I stopped it when it had 1.4 GB :-)
8705 bortzmey 20 0 1456m 1.2g 1028 D 6 61.0 1:09.72 donuts
------------------------------
Message: 7
Date: 01 Mar 2011 16:31:04 +0000
From: Chris Thompson <cet1 at cam.ac.uk>
To: Duane Wessels <dwessels at verisign.com>
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] Online DNSSEC debugging tool now available
Message-ID: <Prayer.1.3.3.1103011631040.28865 at hermes-1.csi.cam.ac.uk>
Content-Type: text/plain; format=flowed; charset=ISO-8859-1
Duane,
I hope you are still receiving bug/infelicity reports on this
very useful checking utility.
>With today's conversion to a validatable root zone, I'm pleased to announce
>the availability of an online tool to assist in debugging DNSSEC issues:
>
>http://dnssec-debugger.verisignlabs.com
>
>Please give it a try if you have a chance. I'd be happy to receive your
>questions and feedback.
I have noticed that it gets confused about zone boundaries when a parent and child zone are both served from the same nameserver(s).
Thus when looking up (say) 111.131.in-addr.arpa, it will (usually) say that it can't find a DS record for "in-addr.arpa" in ".", failing to realise that it should have been looking for one in "arpa". If it chooses a root-server that is still serving "in-addr.arpa" as well as "arpa", it may even say that it can't find one for "131.in-addr.arpa" in ".", skipping two levels of delegation.