[dns-operations] Verifying that a recursor is performing DNSSec validation

Jared Mauch jared at puck.nether.net
Tue Jul 21 13:42:02 UTC 2015


	I have plans for a browser based test suite
similar to test-ipv6.com for this.  I have a host, domains, IPs but
am missing time to complete the testing.

	If you are interested in collaboration please contact
me off-list.

	- Jared

On Tue, Jul 21, 2015 at 08:21:16AM -0500, Frank Bulk wrote:
> Thanks.  I found three on the Internet that are set up that way:
>  sigfail.verteiltesysteme.net
>  www.dnssec-failed.org
>  rhybar.cz
> I'm using those in my script (randomly) for checking for that failure case.
> 
> Frank
> 
> -----Original Message-----
> From: Livingood, Jason [mailto:Jason_Livingood at cable.comcast.com] 
> Sent: Tuesday, July 21, 2015 3:33 AM
> To: Frank Bulk <frnkblk at iname.com>; dns-operations at dns-oarc.net
> Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec validation
> 
> And for one that is always deliberately broken, for testing:
> www.dnssec-failed.org
> 
> On 7/20/15, 10:13 PM, "Frank Bulk" <frnkblk at iname.com> wrote:
> 
> >Does anyone have a zone that will always remain unsigned?
> >verteiltesysteme.net is going to make one, but if there was a second
> >organization that could provide a zone that will never be signed, that would
> >be great as a control.
> >
> >Frank
> >
> >-----Original Message-----
> >From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Frank Bulk
> >Sent: Friday, July 17, 2015 12:51 AM
> >To: dns-operations at dns-oarc.net
> >Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec validation
> >
> >I've completed writing the first iteration of a NAGIOS-oriented Perl script
> >that does the checks I've described.  It was actually more painful to get
> >the Net:DNS:DNSsec Perl module installed than anything else.
> >
> >We'll see how this works out in our environment.
> >
> >Frank
> >
> >-----Original Message-----
> >From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Frank Bulk
> >Sent: Tuesday, July 14, 2015 12:08 AM
> >To: dns-operations at dns-oarc.net
> >Subject: [dns-operations] Verifying that a recursor is performing DNSSec validation
> >
> >Is there an existing tool, ideally a NAGIOS-friendly one, that performs a
> >check against a resolver that it gets an AD back on DNSSec query for a zone
> >that is properly signed, failure for one that is not properly signed, and
> >nothing for one that isn't signed?
> >http://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
> >
> >I'd rather not re-invent the wheel if it already exists.
> >
> >Regards,
> >
> >Frank Bulk
> >
> >
> >_______________________________________________
> >dns-operations mailing list
> >dns-operations at lists.dns-oarc.net
> >https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> >dns-jobs mailing list
> >https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
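
The three-way check asked about in the thread (AD on a properly signed zone, failure on a badly signed one such as www.dnssec-failed.org, no AD on an unsigned one), as an added example that is not part of the original messages and is not the Perl script mentioned above. All function names are hypothetical, "failure" is taken to mean SERVFAIL, the sample replies are constructed, and the signed and unsigned control zone names are left to the operator.

```python
import secrets
import socket
import struct

AD_BIT, SERVFAIL = 0x0020, 2        # AD header flag; RCODE 2
OK, WARNING, CRITICAL = 0, 1, 2     # Nagios plugin exit codes

def build_query(name, qid):
    """A/IN query with RD set and an EDNS0 OPT record carrying DO=1."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)    # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    opt = b"\0" + struct.pack("!HHIH", 41, 4096, 0x8000, 0) # TYPE=OPT, 4096-byte UDP, DO bit
    return header + qname + struct.pack("!HH", 1, 1) + opt

def parse_reply(msg, qid):
    """Return (ad, rcode) read from the DNS header of a reply."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", msg[:4])
    if rid != qid or not flags & 0x8000:                    # wrong ID or QR not set
        raise ValueError("not a reply to our query")
    return bool(flags & AD_BIT), flags & 0x000F

def ask(resolver, name, timeout=3.0):
    """Query the IPv4 resolver under test over UDP (needs network access)."""
    qid = secrets.randbelow(1 << 16)                        # unpredictable query ID
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        return parse_reply(s.recvfrom(4096)[0], qid)

def classify(signed, broken, unsigned):
    """Map the three (ad, rcode) results to a Nagios status and message."""
    if broken[1] == 0:
        return CRITICAL, "badly signed zone resolved: resolver is not validating"
    if signed[1] != 0 or unsigned[1] != 0:
        return CRITICAL, "control zone did not resolve: resolver or path problem"
    if broken[1] != SERVFAIL:
        return WARNING, "badly signed zone failed with unexpected RCODE %d" % broken[1]
    if not signed[0]:
        return CRITICAL, "no AD flag on properly signed zone"
    if unsigned[0]:
        return WARNING, "AD flag set for unsigned zone"
    return OK, "AD on signed, SERVFAIL on badly signed, no AD on unsigned"

def sample_reply(flags, qid=0x1234):
    """Constructed header-only reply, for exercising the logic offline."""
    return struct.pack("!6H", qid, flags, 1, 0, 0, 0)
```

In a plugin, call ask() once per zone against the resolver under test, pass the three results to classify(), and exit with the returned status.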


