[dns-operations] dns-operations Digest, Vol 62, Issue 1; DNSSEC Zone Verification Tool

Fred Hill fred.hill at datamtnsol.com
Tue Mar 1 18:17:52 UTC 2011


We provide a free DNSSEC zone verification tool at the link below:

http://www.dnssecreport.com/DNSSECReport/index.aspx

Regards,

-- 
Fred Hill
President
Data Mountain Solutions, Inc.
(301) 529-2039
www.datamtn.com


Today's Topics:

   1. [DNSSEC] Looking for a zone verification tool (Stephane Bortzmeyer)
   2. Re: .com DNSSEC operational message (Matt Larson)
   3. Re: [DNSSEC] Looking for a zone verification tool (Miek Gieben)
   4. Re: [DNSSEC] Looking for a zone verification tool (Warren Kumari)
   5. Re: [DNSSEC] Looking for a zone verification tool (bert hubert)
   6. Re: [DNSSEC] Looking for a zone verification tool (Stephane Bortzmeyer)
   7. Re: Online DNSSEC debugging tool now available (Chris Thompson)
   8. Re: [DNSSEC] Looking for a zone verification tool (Wolfgang Nagele)
   9. Re: Online DNSSEC debugging tool now available (Wessels, Duane)


----------------------------------------------------------------------

Message: 1
Date: Tue, 1 Mar 2011 16:01:06 +0100
From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
To: dns-operations at mail.dns-oarc.net
Subject: [dns-operations] [DNSSEC] Looking for a zone verification tool
Message-ID: <20110301150106.GA28501 at nic.fr>
Content-Type: text/plain; charset=iso-8859-1

Following two serious DNSSEC incidents (see
<http://operations.afnic.fr/en/2011/02/18/study-and-action-plan-following-the-incident-with-validating-resolvers-on-12-february-2011.html>,
a longer report will be delivered by Vincent Levigneron at the OARC
workshop in San Francisco <https://www.dns-oarc.net/oarc/workshop-201103>),
I am looking for a zone validation tool, able to take a signed zone in
RFC 1035 format and test that it is consistent. More specific
requirements are:

1) runs on Unix
2) Free software (as in free speech, not as in free beer)
3) supports DNSSEC with all variants (NSEC3, opt-out, SHA2, etc)
4) allows for delegation zones of > 1 Mdomains, with at least 30 % of
them signed

With these requirements, I tested:

* BIND named-checkzone: it does not seem to have any DNSSEC support.
Fails requirement 3

* Verisign <http://www.verisignlabs.com/dnssec-tools/>: works fine on
a test zone that I rendered deliberately invalid, but crashes on .FR
with an out-of-memory error. Fails requirement 4

* OpenDNSSEC Auditor: off-topic because it does not test the zone in
itself but its compliance to the local policy. Anyway, it runs forever
with .FR. Fails requirement 4

* ldns ldns-verify-zone: works fine on a test zone that I rendered
deliberately invalid. Seems to run forever on .FR (which is signed
with opt-out so has only 40 signatures). Twenty minutes of Intel Core
2 CPU and still running. Fails requirement 4

Currently, I tend towards writing a new program in C, better
optimized, with the ldns library <http://www.nlnetlabs.nl/projects/ldns/>.
Advice?

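The kind of offline consistency check the message above asks for, as an added example that is not code from the thread or from any of the tools it names. The script parses a signed NSEC zone in presentation format (one record per line) and reports RRsets without an RRSIG, RRSIGs whose key tag matches no apex DNSKEY or whose validity window does not contain the check time, NSEC type bitmaps that omit a type present at the owner, and an NSEC chain that does not return to the apex. Delegation points get the parent-side treatment (NS and glue unsigned, DS and NSEC signed). The sample zone is constructed: the DNSKEY public key, the DS digest and every signature are dummy values, so nothing is verified cryptographically, and NSEC3 zones are not handled.

```python
"""Offline consistency checks for a signed (NSEC) zone in presentation format.
Constructed sample: the DNSKEY public key, DS digest and RRSIG signatures are
dummy values, so nothing is verified cryptographically, only structure."""
import base64
from collections import defaultdict

SIGNED_ZONE = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2011030101 7200 3600 1209600 3600
example. 3600 IN NS ns1.example.
example. 3600 IN DNSKEY 257 3 8 AwEAAcKS
example. 3600 IN NSEC ns1.example. NS SOA RRSIG NSEC DNSKEY
example. 3600 IN RRSIG SOA 8 1 3600 20110331000000 20110301000000 51613 example. c2lnMQ==
example. 3600 IN RRSIG NS 8 1 3600 20110331000000 20110301000000 51613 example. c2lnMg==
example. 3600 IN RRSIG DNSKEY 8 1 3600 20110331000000 20110301000000 51613 example. c2lnMw==
example. 3600 IN RRSIG NSEC 8 1 3600 20110331000000 20110301000000 51613 example. c2lnNA==
ns1.example. 3600 IN A 192.0.2.1
ns1.example. 3600 IN NSEC sub.example. A RRSIG NSEC
ns1.example. 3600 IN RRSIG A 8 2 3600 20110331000000 20110301000000 51613 example. c2lnNQ==
ns1.example. 3600 IN RRSIG NSEC 8 2 3600 20110331000000 20110301000000 51613 example. c2lnNg==
sub.example. 3600 IN NS ns.sub.example.
sub.example. 3600 IN DS 54321 8 2 0123456789abcdef
sub.example. 3600 IN NSEC example. NS DS RRSIG NSEC
sub.example. 3600 IN RRSIG DS 8 2 3600 20110331000000 20110301000000 51613 example. c2lnNw==
sub.example. 3600 IN RRSIG NSEC 8 2 3600 20110331000000 20110301000000 51613 example. c2lnOA==
ns.sub.example. 3600 IN A 192.0.2.53
"""


def parse_zone(text):
    """(owner, type) -> list of rdata token lists; one record per line, no parentheses."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        if line.strip() and not line.startswith(";"):
            owner, _ttl, _class, rtype, *rdata = line.split()
            rrsets[(owner.lower(), rtype.upper())].append(rdata)
    return rrsets


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def occluded(name, delegations):
    """Strictly below a delegation point: glue and other data this zone is not authoritative for."""
    return any(name != d and name.endswith("." + d) for d in delegations)


def check_zone(text, now):
    """Return the list of problems found; `now` is YYYYMMDDHHMMSS like the RRSIG timestamps."""
    rrsets = parse_zone(text)
    apexes = [o for (o, t) in rrsets if t == "SOA"]
    if len(apexes) != 1:
        return ["zone must contain exactly one SOA"]
    apex = apexes[0]
    delegations = {o for (o, t) in rrsets if t == "NS" and o != apex}
    tags = {key_tag(int(k[0]), int(k[1]), int(k[2]), "".join(k[3:]))
            for k in rrsets.get((apex, "DNSKEY"), [])}
    problems = []
    # 1. Every authoritative RRset has an RRSIG: right type covered, apex as signer, key tag
    #    present at the apex, labels field matching the owner (wildcard label not counted),
    #    validity window containing `now`.  At a delegation point NS and glue are unsigned.
    for (owner, rtype), rrs in rrsets.items():
        if rtype == "RRSIG" or occluded(owner, delegations):
            continue
        if owner in delegations and rtype in ("NS", "A", "AAAA"):
            continue
        sigs = [s for s in rrsets.get((owner, "RRSIG"), []) if s[0].upper() == rtype]
        if not sigs:
            problems.append(f"{owner} {rtype}: no RRSIG covers this RRset")
        for _, _alg, lab, _ottl, exp, inc, tag, signer, *_ in sigs:
            own_labels = [l for l in owner.split(".") if l]
            if int(lab) != len(own_labels) - (own_labels[0] == "*"):
                problems.append(f"{owner} {rtype}: RRSIG labels field {lab} does not match owner")
            if signer.lower() != apex:
                problems.append(f"{owner} {rtype}: RRSIG signer {signer} is not the apex")
            if int(tag) not in tags:
                problems.append(f"{owner} {rtype}: RRSIG key tag {tag} matches no apex DNSKEY")
            if not inc <= now <= exp:
                problems.append(f"{owner} {rtype}: RRSIG not valid at {now} ({inc}..{exp})")
    # 2. NSEC chain: an NSEC at every authoritative name, a bitmap listing the types present,
    #    and a walk along Next Domain Name that visits every NSEC once and returns to the apex.
    nsec = {o: rrs[0] for (o, t), rrs in rrsets.items() if t == "NSEC"}
    for owner in sorted({o for (o, t) in rrsets if not occluded(o, delegations)} - set(nsec)):
        problems.append(f"{owner}: authoritative name without NSEC")
    for owner, (_next, *bitmap) in nsec.items():
        present = {t for (o, t) in rrsets if o == owner}
        if owner in delegations:
            present -= {"A", "AAAA"}  # glue at the cut is not authoritative data
        missing = present - {b.upper() for b in bitmap}
        if missing:
            problems.append(f"{owner}: NSEC type bitmap misses {sorted(missing)}")
    seen, cur = [], apex
    while cur in nsec and cur not in seen:
        seen.append(cur)
        cur = nsec[cur][0].lower()
    if cur != apex or len(seen) != len(nsec):
        problems.append(f"NSEC chain broken at {seen[-1] if seen else apex}")
    return problems


if __name__ == "__main__":
    for line in check_zone(SIGNED_ZONE, "20110315120000") or ["zone is consistent"]:
        print(line)
```

Everything here is a dictionary lookup per record, so memory and time grow linearly with the zone; a real run on a TLD-sized zone would stream the file instead of holding it in a string, and would add the cryptographic verification of each RRSIG that this example deliberately leaves out.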

------------------------------

Message: 2
Date: Tue, 1 Mar 2011 10:03:17 -0500
From: Matt Larson <mlarson at verisign.com>
To: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] .com DNSSEC operational message
Message-ID: <20110301150316.GD90622 at DUL1MLARSON-M2.labs.vrsn.com>
Content-Type: text/plain; charset=us-ascii

On Fri, 28 Jan 2011, Matt Larson wrote:
> The .com DNSSEC deployment consists of the following major milestones:
> [...]
> February 28, 2011: A deliberately unvalidatable .com zone will be
> published.  Any DS records for .com that have been submitted by
> registrars will be published in the deliberately unvalidatable zone.

FYI, the deliberately unvalidatable .com zone started its rollout
yesterday on schedule:

$ dig +short @m.gtld-servers.net dnskey com
257 3 8 
AwEAAa9Lp++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU 
LD/NOT/BE/USED/CONTACT/INFO/AT/VERISIGN+GRS/DOT/COM+++++ 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
++++++++++8=
256 3 8 
AwEAAa2CM++++++++++++++++THIS/IS/AN/INVALID/KEY/AND/SHOU 
LD/NOT/BE/USED/CONTACT/INFO/AT/VERISIGN+GRS/DOT/COM+++++ 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++8

(Note that some .com/.net servers are anycast, so the version of
m.gtld-servers.net that you see might not have the signed and blinded
zone yet.)

Matt


------------------------------

Message: 3
Date: Tue, 1 Mar 2011 16:26:22 +0100
From: Miek Gieben <miek.gieben at sidn.nl>
To: <dns-operations at lists.dns-oarc.net>
Subject: Re: [dns-operations] [DNSSEC] Looking for a zone verification tool
Message-ID: <20110301152622.GF3128 at login.sidn.nl>
Content-Type: text/plain; charset="us-ascii"

[ Quoting Stephane Bortzmeyer in "[dns-operations] [DNSSEC] Looking f"... ]
> With these requirements, I tested:
> 
> * BIND named-checkzone: it does not seem to have any DNSSEC
> support. Fails requirement 3
> 
> * Verisign <http://www.verisignlabs.com/dnssec-tools/>: works fine on
> a test zone that I rendered deliberately invalid, but crashes on .FR
> with an out-of-memory error. Fails requirement 4
> 
> * OpenDNSSEC Auditor: off-topic because it does not test the zone in
> itself but its compliance to the local policy. Anyway, it runs forever
> with .FR. Fails requirement 4
> 
> * ldns ldns-verify-zone: works fine on a test zone that I rendered
> deliberately invalid. Seems to run forever on .FR (which is signed
> with opt-out so has only 40 signatures). Twenty minutes of Intel Core
> 2 CPU and still running. Fails requirement 4
> 
> Currently, I tend towards writing a new program in C, better
> optimized, with the ldns library
> <http://www.nlnetlabs.nl/projects/ldns/>. Advice?

I would very much like to work with you to see if we can get
ldns-verify-zone up to par for the .fr zone.

grtz,

--
 Miek Gieben
 Technical Advisor SIDN


------------------------------

Message: 4
Date: Tue, 1 Mar 2011 10:30:37 -0500
From: Warren Kumari <warren at kumari.net>
To: Stephane Bortzmeyer <bortzmeyer at nic.fr>
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] [DNSSEC] Looking for a zone verification tool
Message-ID: <B3F6AB81-D097-4153-87AD-B9A471E0B2A8 at kumari.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

Does Donuts (https://www.dnssec-tools.org/wiki/index.php/Donuts (and
related)) not fit all of these requirements? I haven't tried it with a
huge zone, but I think it might be happy...

W
On Mar 1, 2011, at 10:01 AM, Stephane Bortzmeyer wrote:

> Following two serious DNSSEC incidents (see
> <http://operations.afnic.fr/en/2011/02/18/study-and-action-plan-following-the-incident-with-validating-resolvers-on-12-february-2011.html>,
> a longer report will be delivered by Vincent Levigneron at the OARC
> workshop in San Francisco
> <https://www.dns-oarc.net/oarc/workshop-201103>), I am looking for a
> zone validation tool, able to take a signed zone in RFC 1035 format
> and test that it is consistent. More specific requirements are:
>
> 1) runs on Unix
> 2) Free software (as in free speech, not as in free beer)
> 3) supports DNSSEC with all variants (NSEC3, opt-out, SHA2, etc)
> 4) allows for delegation zones of > 1 Mdomains, with at least 30 % of
> them signed
>
> With these requirements, I tested:
>
> * BIND named-checkzone: it does not seem to have any DNSSEC
> support. Fails requirement 3
>
> * Verisign <http://www.verisignlabs.com/dnssec-tools/>: works fine on
> a test zone that I rendered deliberately invalid, but crashes on .FR
> with an out-of-memory error. Fails requirement 4
>
> * OpenDNSSEC Auditor: off-topic because it does not test the zone in
> itself but its compliance to the local policy. Anyway, it runs forever
> with .FR. Fails requirement 4
>
> * ldns ldns-verify-zone: works fine on a test zone that I rendered
> deliberately invalid. Seems to run forever on .FR (which is signed
> with opt-out so has only 40 signatures). Twenty minutes of Intel Core
> 2 CPU and still running. Fails requirement 4
>
> Currently, I tend towards writing a new program in C, better
> optimized, with the ldns library
> <http://www.nlnetlabs.nl/projects/ldns/>. Advice?

--
Hope is not a strategy.
       --  Ben Treynor, Google




------------------------------

Message: 5
Date: Tue, 1 Mar 2011 16:38:46 +0100
From: bert hubert <bert.hubert at netherlabs.nl>
To: Stephane Bortzmeyer <bortzmeyer at nic.fr>
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] [DNSSEC] Looking for a zone verification tool
Message-ID: <20110301153846.GC3488 at xs.powerdns.com>
Content-Type: text/plain; charset=us-ascii

On Tue, Mar 01, 2011 at 04:01:06PM +0100, Stephane Bortzmeyer wrote:
> Currently, I tend towards writing a new program in C, better
> optimized, with the ldns library
> <http://www.nlnetlabs.nl/projects/ldns/>. Advice?

Hi Stephane,

I too am pondering doing more stringent DNSSEC testing; the aim is to get
a 'hostile' tool that will do its utmost to find problems in the serving
of a DNSSEC zone.

Note that I'd love to include the actual *serving* of a zone in the process.

If we look at a DNSSEC signed zone, the RRSIG records are quite simple to
validate from the zone itself, but the NSEC and NSEC3 records require
substantial work by the authoritative server [1].

So I was aiming for a tool that would take the unsigned zone as its input,
calculate the set of queries that deliver all possible responses [2], and
ask & check all of them.

This in effect means asking all questions that are before the apex of a
zone, within all records of a zone, and after the last record of a zone in
canonical ordering (for NSEC).

For NSEC3 it entails all questions before, between and after the calculated
hashes.

It also means asking questions for all 2^16 RRTYPEs per record present.

Delegations further complicate the picture.

In short, it is a lot of questions, so I decided not to write this actual
tool right now.

However, if you do go through the effort, I would ask you to consider going
for 'complete validation' by including not just the zone but also the
authoritative server.

In addition, I hope (& trust ;-)) that you will go for a 'hostile' tool.

Kind regards,

Bert

[1] To the point that NSEC and NSEC3 are almost pointless in a zone - a
nameserver will still have to treat NSEC and NSEC3 specially on queries;
their presence in a zone file is barely helpful.

[2] If we disregard the repetition of the question record, this set is
finite.

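The NSEC3 half of the probing approach described in the message above, as an added example that is not code from the thread or from PowerDNS: the RFC 5155 owner-name hash, the covering test a checker applies to each NSEC3 in a negative answer (including the wrap-around from the last hash back to the first), and a brute-force search for one nonexistent query name per gap of the hashed chain, so that asking all of them makes the server produce every NSEC3 record at least once. The zone names, salt and iteration count are those of the RFC 5155 Appendix A example zone; the probe names are constructed. Closest-encloser and wildcard proofs, which need several NSEC3 records per answer, are not covered.

```python
"""NSEC3 hashing (RFC 5155 section 5) and the covering test a probing tool
applies to each negative answer.  Added example; zone names, salt and
iteration count are those of the RFC 5155 Appendix A example zone, the
probe names are constructed."""
import base64
import hashlib

SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
# A subset of the RFC 5155 Appendix A zone, enough to form a short hashed chain.
ZONE_NAMES = ["example.", "a.example.", "w.example.", "xx.example."]

# RFC 4648 base32 (A-Z2-7) -> base32hex (0-9a-v); base32hex keeps byte order under string compare.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789abcdefghijklmnopqrstuv")


def wire_name(name):
    """Canonical wire form: lowercase, each label length-prefixed, root label last."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name, salt=SALT, iterations=ITERATIONS):
    """IH(salt, x, k): SHA-1 over (x || salt), then reapplied k more times; base32hex output."""
    digest = wire_name(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX)


def covers(owner_hash, next_hash, query_hash):
    """True when the NSEC3 (owner -> next) proves query_hash absent: strictly between
    the two, or, for the last record of the chain, after the owner or before the first."""
    if owner_hash < next_hash:
        return owner_hash < query_hash < next_hash
    return query_hash > owner_hash or query_hash < next_hash


def hashed_chain(names, salt=SALT, iterations=ITERATIONS):
    """Sorted owner hashes; each consecutive pair (and last -> first) is one NSEC3 record."""
    return sorted(nsec3_hash(n, salt, iterations) for n in names)


def probes_for_every_gap(names, zone, salt=SALT, iterations=ITERATIONS, max_tries=100000):
    """Brute-force one nonexistent query name per NSEC3 record.  Hashes are uniform over
    the space, so a gap covering a fraction w of it takes about 1/w tries to hit."""
    chain = hashed_chain(names, salt, iterations)
    probes = {}
    for i in range(max_tries):
        qname = f"probe-{i}.{zone}"          # constructed name, assumed absent from the zone
        h = nsec3_hash(qname, salt, iterations)
        if h in chain:
            continue                          # hash collision with a real name: not a negative answer
        for owner, nxt in zip(chain, chain[1:] + chain[:1]):
            if owner not in probes and covers(owner, nxt, h):
                probes[owner] = qname
        if len(probes) == len(chain):
            break
    return chain, probes


if __name__ == "__main__":
    chain, probes = probes_for_every_gap(ZONE_NAMES, "example.")
    for owner in chain:
        print(f"NSEC3 owner {owner} is exercised by query {probes[owner]}")
```

For an opt-out zone such as the one mentioned earlier in the thread, the same gaps also cover every unsigned delegation between two hashed names, so a probe per gap plus a query for each delegation's own name is what it takes to see every NSEC3 the server can return.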

------------------------------

Message: 6
Date: Tue, 1 Mar 2011 16:43:25 +0100
From: Stephane Bortzmeyer <bortzmeyer at nic.fr>
To: Warren Kumari <warren at kumari.net>
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] [DNSSEC] Looking for a zone verification tool
Message-ID: <20110301154324.GA9413 at nic.fr>
Content-Type: text/plain; charset=us-ascii

On Tue, Mar 01, 2011 at 10:30:37AM -0500,
 Warren Kumari <warren at kumari.net> wrote 
 a message of 53 lines which said:

> Does Donuts (https://www.dnssec-tools.org/wiki/index.php/Donuts (and
> related)) not fit all of these requirements? I haven't tried it with
> a huge zone,

It eats a lot of memory and I stopped it when it had 1.4 GB :-)

8705 bortzmey  20   0 1456m 1.2g 1028 D    6 61.0   1:09.72 donuts


------------------------------

Message: 7
Date: 01 Mar 2011 16:31:04 +0000
From: Chris Thompson <cet1 at cam.ac.uk>
To: Duane Wessels <dwessels at verisign.com>
Cc: dns-operations at mail.dns-oarc.net
Subject: Re: [dns-operations] Online DNSSEC debugging tool now available
Message-ID: <Prayer.1.3.3.1103011631040.28865 at hermes-1.csi.cam.ac.uk>
Content-Type: text/plain; format=flowed; charset=ISO-8859-1

Duane,

I hope you are still receiving bug/infelicity reports on this
very useful checking utility.

>With todays conversion to a validatable root zone, I'm pleased to announce
>the availability of an online tool to assist in debugging DNSSEC issues:
>
>http://dnssec-debugger.verisignlabs.com
>
>Please give it a try if you have a chance.  I'd be happy to receive your
>questions and feedback.

I have noticed that it gets confused about zone boundaries when a
parent and child zone are both served from the same nameserver(s).
Thus when looking up (say) 111.131.in-addr.arpa, it will (usually)
say that it can't find a DS record for "in-addr.arpa" in ".",
failing to realise that it should have been looking for one in
"arpa". If it chooses a root-server that is still serving
"in-addr.arpa" as well as "arpa", it may even say that it can't
find one for "131.in-addr.arpa" in ".", skipping two levels of
delegation.
