[dns-operations] Explaining DNSSEC issues

Casey Deccio casey at deccio.net
Tue Oct 14 17:06:14 UTC 2014


Hi Franck,

On Tue, Oct 14, 2014 at 2:39 AM, Franck Martin <fmartin at linkedin.com> wrote:

> I found this tool quite good to report the most common DNSSEC issues. It
> looks at SOA, A, AAAA, and MX records of a zone and is visually nearly
> intuitive.
>
> http://dnsviz.net/d/dns-oarc.net/dnssec/
>
>
Thanks!  If you have suggestions to make it more intuitive, please feel
free to pass them along.


> The type of errors I see are like:
> http://dnsviz.net/d/eucom.mil/dnssec/
>
> Where an important record is not signed
>

The legend on the site is a little out of date, leaving some uncertainty
about some of the conventions used.  I'll clarify that in this particular
case the issue isn't the lack of signatures, but a signature that doesn't
validate the resource record set cryptographically (one possible cause for
this is that the SOA record was updated manually after the record was
signed).

> Or like:
> http://dnsviz.net/d/au/dnssec/
>
>
While the lack of DS records is intentional, as you noted, the insecure
delegation from the root to au also isn't an error--as long as the
NSEC/NSEC3 records properly prove the non-existence of DS.  That proof is
represented by the arrow from the NSEC3 node in the root to the .au box,
and its teal color indicates that the proof is valid.  This is the case
with any unsigned zone whose parent is signed.

Cheers,
Casey


> Where the delegation is not set (DS). For dot au, it is on purpose so
> testing can occur before going live by the end of this month:
> http://www.auda.org.au/industry-information/au-domains/dnssec/
>
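
The NSEC3 proof of DS non-existence mentioned in the reply above can be checked as in this added example, which is not part of the original message and is not DNSViz code. The function names and the record dictionary layout are assumptions, the child is taken to be one label below the zone apex, and the RRSIGs over the NSEC3 records are assumed to be validated already.

```python
import base64
import hashlib

# base32 -> base32hex alphabet (RFC 4648), lowercase as in NSEC3 owner names
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: iterated SHA-1 over the lowercase wire-format name plus salt."""
    labels = [l for l in name.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covers(owner, nxt, h):
    """True when hash h lies strictly between owner and next on the hash ring."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt          # the last record wraps to the first

def ds_denial(child, zone, nsec3_rrs, salt_hex, iterations):
    """Classify the NSEC3 evidence that the delegation 'child' has no DS.

    nsec3_rrs: dicts with owner/next hash labels, a set of types and opt_out.
    Hypothetical layout; signature validation happens before this step.
    """
    h = nsec3_hash(child, salt_hex, iterations)
    for rr in nsec3_rrs:
        if rr["owner"] == h:             # NSEC3 matches the delegation name
            t = rr["types"]
            ok = "NS" in t and "DS" not in t and "SOA" not in t
            return "insecure: no DS bit" if ok else "not proven"
    apex = nsec3_hash(zone, salt_hex, iterations)
    apex_seen = any(rr["owner"] == apex for rr in nsec3_rrs)
    for rr in nsec3_rrs:                 # opt-out: closest encloser + covering span
        if apex_seen and rr["opt_out"] and covers(rr["owner"], rr["next"], h):
            return "insecure: opt-out span"
    return "not proven"

# Constructed sample (not real zone data): one NSEC3 matching an unsigned delegation
SALT, ITER = "aabbccdd", 12
SAMPLE = [{"owner": nsec3_hash("unsigned.example", SALT, ITER), "next": "v" * 32,
           "types": {"NS"}, "opt_out": False}]
```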