DNSSEC Readiness
Florian Weimer
fw at deneb.enyo.de
Mon Feb 15 19:04:41 UTC 2010
* Charles N. Wyble:
> How are folks verifying DNSSEC readiness of their environments? Any
> existing testing methodologies / resources that folks are using?
For now, running (with a real resolver address instead of 192.0.2.1)
dig @192.0.2.1 $RANDOM. +dnssec
and checking if a certain percentage of the responses include DNSSEC
data. This means that your resolver can get data from DURZ-enabled
servers, so you should be fine when the root is signed.
If your resolvers are not security-aware, use
dig @192.0.2.1 . NSEC
dig @192.0.2.1 . RRSIG
dig @192.0.2.1 . DNSKEY
but you can run this variant of the test only once per day.
If you never, ever get any DNSSEC data for these queries, you will
very likely have a problem once all root servers have switched to
serving DURZ (and later DNSSEC) data.
> It seems like this is something that will become a front and center
> issue for help desks everywhere pretty quick. :)
Why do you think so? Would you even notice if your webmail provider
switches to HTTPS by default (or back to HTTP)?
More information about the NANOG
mailing list