DNSSEC Readiness

Florian Weimer fw at deneb.enyo.de
Mon Feb 15 19:04:41 UTC 2010

* Charles N. Wyble:

> How are folks verifying DNSSEC readiness of their environments? Any
> existing testing methodologies / resources that folks are using?

For now, running (with a real resolver address instead of

  dig @ $RANDOM. +dnssec

and checking if a certain percentage of the responses include DNSSEC
data.  This means that your resolver can get data from DURZ-enabled
servers, so you should be fine when the root is signed.

If your resolvers are not security-aware, use 

  dig @ . NSEC
  dig @ . RRSIG
  dig @ . DNSKEY

but you can run this variant of the test only once per day.

If you never, ever get any DNSSEC data for these queries, you will
very likely have a problem once all root servers have switched to
serving DURZ (and later DNSSEC) data.

> It seems like this is something that will become a front and center
> issue for help desks everywhere pretty quick. :)

Why do you think so? Would you even notice if your webmail provider
switches to HTTPS by default (or back to HTTP)?

More information about the NANOG mailing list