[dns-operations] Verifying that a recursor is performing DNSSec validation

Anand Buddhdev anandb at ripe.net
Fri Jul 17 08:14:16 UTC 2015

On 17/07/15 07:51, Frank Bulk wrote:

> I've completed writing the first iteration of a NAGIOS-oriented Perl script
> that does the checks I've described.  It was actually more painful to get
> the Net:DNS:DNSsec Perl module installed than anything else.

I haven't seen your script, of course, so I can't know the specifics,
but may I suggest the following logic?

1. First send a query to the resolver with CD=1. This tells the resolver
you don't want it to do validation. This will catch the case where a
zone doesn't resolve for other reasons (unreachable name servers,
expired, etc).

2. If you get back a good result, then repeat the query with CD=0. If
you still get back an answer, and AD is set, then you know you have a
good dnssec-signed zone. If you get an answer, but AD is not set, then
the zone doesn't have a chain of trust (but could still be signed). If
it SERVFAILs this time, you can conclude that the zone is signed, but
validation has failed.

Of course this logic is simple, and doesn't get anywhere close to the
likes of Casey Deccio's DNSViz or Verisign's DNSSEC debugger, but it's
good enough for a Nagios check.
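The two-step logic above, as an added example that is not part of the post or of Frank's script: a standard-library Python check (rather than Perl/Net::DNS) that hand-builds the two queries, reads RCODE and AD from the reply header, and maps the four outcomes to Nagios exit codes. It assumes a UDP resolver on port 53, a plain A query, and sets AD=1 in the request (RFC 6840 section 5.7) so the resolver reports validation status; the outcome-to-exit-code mapping is my choice.

```python
import socket
import struct
# Nagios exit codes (mapping outcomes to them is this example's assumption) and DNS header bits.
OK, WARNING, CRITICAL = 0, 1, 2
FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

def build_query(name, cd, qid=0x1234, qtype=1):
    """Build a query with RD=1, AD=1 (ask the resolver to report AD) and CD as requested."""
    flags = FLAG_RD | FLAG_AD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_flags(response):
    """Return (rcode, ad) from the header of a DNS response."""
    _, flags = struct.unpack("!HH", response[:4])
    return flags & 0x000F, bool(flags & FLAG_AD)

def classify(cd1_rcode, cd0_rcode, cd0_ad):
    """Apply the two-step logic: CD=1 result first, then the CD=0 rcode and AD bit."""
    if cd1_rcode != RCODE_NOERROR:
        return CRITICAL, "no answer even with CD=1: failure unrelated to DNSSEC (rcode %d)" % cd1_rcode
    if cd0_rcode == RCODE_SERVFAIL:
        return CRITICAL, "SERVFAIL only with CD=0: zone is signed but validation failed"
    if cd0_rcode != RCODE_NOERROR:
        return WARNING, "unexpected rcode %d with CD=0" % cd0_rcode
    if cd0_ad:
        return OK, "answer with AD=1: validated DNSSEC-signed zone"
    return WARNING, "answer without AD: no chain of trust (zone may still be signed)"

def query_flags(resolver, name, cd, timeout=3.0):
    """Send one UDP query to `resolver` (port 53 assumed) and return (rcode, ad)."""
    pkt = build_query(name, cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != pkt[:2]:
        raise ValueError("response ID does not match query")
    return parse_flags(data)

def check_resolver(resolver, name):
    """Step 1 (CD=1); only if that succeeds, step 2 (CD=0). Returns (status, message)."""
    cd1_rcode, _ = query_flags(resolver, name, cd=True)
    if cd1_rcode != RCODE_NOERROR:
        return classify(cd1_rcode, None, False)
    cd0_rcode, cd0_ad = query_flags(resolver, name, cd=False)
    return classify(cd1_rcode, cd0_rcode, cd0_ad)
```

A Nagios plugin wrapper would call `check_resolver(resolver_ip, zone_name)`, print the message and exit with the returned status.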

