[dns-operations] Verifying that a recursor is performing DNSSec validation

Frank Bulk frnkblk at iname.com
Tue Jul 21 13:21:16 UTC 2015


Thanks.  I found three on the Internet that are set up that way:
 sigfail.verteiltesysteme.net
 www.dnssec-failed.org
 rhybar.cz
I'm using those in my script (randomly) for checking for that failure case.

Frank

-----Original Message-----
From: Livingood, Jason [mailto:Jason_Livingood at cable.comcast.com] 
Sent: Tuesday, July 21, 2015 3:33 AM
To: Frank Bulk <frnkblk at iname.com>; dns-operations at dns-oarc.net
Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec
validation

And for one that is always deliberately broken, for testing:
www.dnssec-failed.org

On 7/20/15, 10:13 PM, "Frank Bulk" <frnkblk at iname.com> wrote:

>Does anyone have a zone that will always remain unsigned?
>verteiltesysteme.net is going to make one, but if there was a second
>organization that could provide a zone that will never be signed, that
>would be great as a control.
>
>Frank
>
>-----Original Message-----
>From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Frank Bulk
>Sent: Friday, July 17, 2015 12:51 AM
>To: dns-operations at dns-oarc.net
>Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec validation
>
>I've completed writing the first iteration of a NAGIOS-oriented Perl script
>that does the checks I've described.  It was actually more painful to get
>the Net:DNS:DNSsec Perl module installed than anything else.
>
>We'll see how this works out in our environment.
>
>Frank
>
>-----Original Message-----
>From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Frank Bulk
>Sent: Tuesday, July 14, 2015 12:08 AM
>To: dns-operations at dns-oarc.net
>Subject: [dns-operations] Verifying that a recursor is performing DNSSec validation
>
>Is there an existing tool, ideally a NAGIOS-friendly one, that performs a
>check against a resolver that it gets an AD back on DNSSec query for a zone
>that is properly signed, failure for one that is not properly signed, and
>nothing for one that isn't signed?
>http://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
>
>I'd rather not re-invent the wheel if it already exists.
>
>Regards,
>
>Frank Bulk
>
>
>_______________________________________________
>dns-operations mailing list
>dns-operations at lists.dns-oarc.net
>https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>dns-jobs mailing list
>https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
>
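
The three-way check asked for in the first message of the thread (AD for a properly signed zone, failure for a badly signed one, no AD for an unsigned one), as an added example that is not Frank's Perl script or any other code from the thread. The function names, the result mapping to Nagios exit codes 0 and 2, and the constructed response headers are assumptions made for illustration; the caller supplies the test zone names.

```python
import os, socket, struct

NOERROR, SERVFAIL, AD_BIT = 0, 2, 0x0020   # rcodes and the header AD flag
# What a validating recursor must return for each kind of test zone.
EXPECT = {
    "signed":   (NOERROR, True),    # good signatures: answer, AD set
    "broken":   (SERVFAIL, False),  # bad signatures: validation failure
    "unsigned": (NOERROR, False),   # no signatures: answer, AD clear
}

def build_query(name, qid=None):
    """A query with RD set and an EDNS0 OPT record carrying the DO bit."""
    qid = int.from_bytes(os.urandom(2), "big") if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP size, TTL=flags (DO=0x8000), RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_header(msg, qid=None):
    """Return (rcode, ad) from a response; reject short or mismatched replies."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    rid, flags = struct.unpack("!HH", msg[:4])
    if not flags & 0x8000 or (qid is not None and rid != qid):
        raise ValueError("not a response to this query")
    return flags & 0x000F, bool(flags & AD_BIT)

def check(kind, msg, qid=None):
    """Nagios-style (exit_code, text) for one response to a `kind` test zone."""
    got = parse_header(msg, qid)
    if got == EXPECT[kind]:
        return 0, "OK"
    return 2, "CRITICAL: %s zone gave rcode=%d ad=%s" % (kind, got[0], got[1])

def query(resolver, name, timeout=3.0):
    """Send one query over UDP; returns (raw_response, qid). Needs network."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((resolver, 53))   # only accept replies from the resolver
        s.send(q)
        return s.recv(4096), int.from_bytes(q[:2], "big")

if __name__ == "__main__":  # constructed headers: validating, then non-validating
    for flags in (0x8182, 0x8180):
        print(check("broken", struct.pack("!HHHHHH", 7, flags, 1, 0, 0, 0), 7))
```

A resolver that does not validate answers the deliberately broken zone with NOERROR, which `check("broken", ...)` reports as CRITICAL; the signed and unsigned controls catch a resolver that fails everything or sets AD indiscriminately.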





