DNSSEC Readiness

Florian Weimer fw at deneb.enyo.de
Mon Feb 15 13:04:41 CST 2010


* Charles N. Wyble:

> How are folks verifying DNSSEC readiness of their environments? Any
> existing testing methodologies / resources that folks are using?

For now, running (with a real resolver address instead of 192.0.2.1)

  dig @192.0.2.1 $RANDOM. +dnssec

and checking if a certain percentage of the responses include DNSSEC
data.  This means that your resolver can get data from DURZ-enabled
servers, so you should be fine when the root is signed.

If your resolvers are not security-aware, use 

  dig @192.0.2.1 . NSEC
  dig @192.0.2.1 . RRSIG
  dig @192.0.2.1 . DNSKEY

but you can run this variant of the test only once per day.

If you never, ever get any DNSSEC data for these queries, you will
very likely have a problem once all root servers have switched to
serving DURZ (and later DNSSEC) data.

> It seems like this is something that will become a front and center
> issue for help desks everywhere pretty quick. :)

Why do you think so? Would you even notice if your webmail provider
switches to HTTPS by default (or back to HTTP)?




More information about the NANOG mailing list