[dns-operations] [DNSSEC] Looking for a zone verification tool

David Blacka davidb at verisign.com
Tue Mar 1 21:03:03 UTC 2011

On Mar 1, 2011, at 3:50 PM, Stephane Bortzmeyer wrote:

> On Tue, Mar 01, 2011 at 02:12:45PM -0500,
> David Blacka <davidb at verisign.com> wrote 
> a message of 44 lines which said:
>> Do you have requirements for what sorts of DNSSEC errors that the
>> tool can discover?  Just bad/expired signatures? malformation of the
>> NSEC3 chain?  Missing signatures?  
> Also invalid NSEC* with respect to the actual RRtypes present (the
> TYPE65534 BIND bug), something which is already tested by the tools I
> mentioned.
>> Policy violations?
> It would be nice to have but, unlike all the other errors you mention,
> this one cannot be discovered by checking the zone alone, you need a
> language to express policies and someone to write the policy. So, I
> would be happy to postpone it to version 2.0 of the tool :-)
> In the end, I agree with Wolfgang Nagele: my concern is anything which
> can make the zone invalid for a validating resolver so we have to test
> everything which may lead to a SERVFAIL.

In the latest version of jdnssec-tools (0.10.x), I think I describe this as:

1. All RRSIGs cryptographically validate
2. All RRSIGs are time-valid (i.e., current time is after inception, before expire)
3. All RRsets that should be signed are signed.
4. All NSEC or NSEC3 records that should exist do exist
5. All NSEC/NSEC3 records that do exist have the correct typemap.
6. The NSEC/NSEC3 chain is correctly linked (i.e., lowest order owner first, with next always pointing to the next lowest order owner, with the highest order owner linking to the lowest order owner.)

Another thing that I think I check for is

7. No NSEC/NSEC3 records that shouldn't exist do exist.

I.e., no NSEC/NSEC3 records for names that do not exist or that would be opt-out.  This wouldn't cause validation failures, however, so perhaps is more of a policy enforcement rather than strict correctness check.

Another thing to check for (which I don't think my tool actually does yet):

8. All algorithms present in the apex DNSKEY RRset are present in the RRSIGs for every signed RRset.

This is a correctness check, although failing this check may or may not lead to actual validation failures, depending on what algorithms the validators support.

David Blacka                          <davidb at verisign.com> 
Principal Engineer    Verisign Platform Product Development

More information about the dns-operations mailing list