[dns-operations] Verifying that a recursor is performing DNSSec validation

frnkblk at iname.com
Fri Jul 17 21:47:22 UTC 2015


Thanks, those are some good suggestions.

I don't think this will turn out into DNSViz or Verisign's DNSsec debugger, and it's my intention that this NAGIOS check primarily is to verify that the DNS resolver is configured for DNSsec validation, not to verify that any one zone is healthy or functioning.  As Edward Lewis mentioned in an earlier posting, the ideal situation is to use good and canary zones under one's own control.  We don't want a NAGIOS check to fail because a zone used for testing isn't working as expected (and the fault is the zone, not the resolver).  For that reason, I will be using several good and canary zones to test for DNSsec validation.


-----Original Message-----
From: Anand Buddhdev [mailto:anandb at ripe.net] 
Sent: Friday, July 17, 2015 3:14 AM
To: Frank Bulk; dns-operations at dns-oarc.net
Subject: Re: Verifying that a recursor is performing DNSSec validation

On 17/07/15 07:51, Frank Bulk wrote:

> I've completed writing the first iteration of a NAGIOS-oriented Perl script
> that does the checks I've described.  It was actually more painful to get
> the Net:DNS:DNSsec Perl module installed than anything else.

I haven't seen your script, of course, so I can't know the specifics,
but may I suggest the following logic?

1. First send a query to the resolver with CD=1. This tells the resolver
you don't want it to do validation. This will catch the case where a
zone doesn't resolve for other reasons (unreachable name servers,
expired, etc).

2. If you get back a good result, then repeat the query with CD=0. If
you still get back an answer, and AD is set, then you know you have a
good dnssec-signed zone. If you get an answer, but AD is not set, then
the zone doesn't have a chain of trust (but could still be signed). If
it SERVFAILs this time, you can conclude that the zone is signed, but
validation has failed.

Of course this logic is simple, and doesn't get anywhere close to the
likes of Casey Deccio's DNSViz or Verisign's DNSSEC debugger, but it's
good enough for a Nagios check.
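The two-query procedure above (CD=1 first, then CD=0 and inspect AD/SERVFAIL), combined with Frank's plan of ignoring zone faults and checking several good and canary zones, as an added example that is not Frank's Perl script or anything posted in the thread. The zone names and the `probe()` helper's use of dnspython are assumptions; the decision logic runs offline.

```python
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    ZONE_BROKEN = "no answer even with CD=1: zone fault, not resolver fault"
    VALIDATED = "answer with AD=1: secure chain of trust"
    INSECURE = "answer without AD: no chain of trust (zone may still be signed)"
    BOGUS = "SERVFAIL only with CD=0: signed but validation failed"

@dataclass(frozen=True)
class Reply:
    rcode: str          # e.g. "NOERROR", "SERVFAIL", or "TIMEOUT" if nothing came back
    ad: bool = False    # Authenticated Data bit from the response header

def classify(cd1: Reply, cd0: Reply) -> Outcome:
    """Apply the CD=1 then CD=0 decision procedure from the thread."""
    if cd1.rcode != "NOERROR":
        return Outcome.ZONE_BROKEN        # step 1: unreachable, expired, etc.
    if cd0.rcode == "SERVFAIL":
        return Outcome.BOGUS              # step 2: signed, validation failed
    if cd0.rcode == "NOERROR" and cd0.ad:
        return Outcome.VALIDATED
    return Outcome.INSECURE

# A validating resolver must set AD on a good zone and SERVFAIL a broken canary.
EXPECTED = {"good": Outcome.VALIDATED, "canary": Outcome.BOGUS}

def nagios_status(results):
    """results: list of (zone, kind, Outcome). Returns (Nagios exit code, message).
    Zones that fail with CD=1 are skipped: that is the zone's fault, not the resolver's."""
    usable = [r for r in results if r[2] is not Outcome.ZONE_BROKEN]
    if not usable:
        return 3, "UNKNOWN: every test zone failed with CD=1; cannot judge resolver"
    wrong = [f"{z}={o.name}" for z, k, o in usable if o is not EXPECTED[k]]
    if wrong:
        return 2, "CRITICAL: resolver not validating: " + ", ".join(wrong)
    return 0, f"OK: {len(usable)} zone(s) behaved as expected"

def probe(server, zone, timeout=3.0):
    """Live two-query probe; assumes dnspython is installed (not used by the offline test)."""
    import dns.message, dns.query, dns.flags, dns.rcode
    def ask(cd):
        q = dns.message.make_query(zone, "A", want_dnssec=True)   # sets EDNS + DO
        if cd:
            q.flags |= dns.flags.CD
        try:
            r = dns.query.udp(q, server, timeout=timeout)
        except Exception:
            return Reply("TIMEOUT")
        return Reply(dns.rcode.to_text(r.rcode()), bool(r.flags & dns.flags.AD))
    return classify(ask(cd=True), ask(cd=False))
```

A Nagios plugin would call `probe(resolver_ip, zone)` for each configured good and canary zone, feed the outcomes to `nagios_status()`, print the message and exit with the returned code.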
