DNSSEC Readiness

Charles N Wyble charles at knownelement.com
Tue Feb 16 07:58:39 UTC 2010

Hash: SHA1

Mark Andrews wrote:
> In message <4B798F1E.6080403 at knownelement.com>, Charles N Wyble writes:
>> All,
>> How are folks verifying DNSSEC readiness of their environments? Any
>> existing testing methodologies / resources that folks are using?
>> It seems like this is something that will become a front and center
>> issue for help desks everywhere pretty quick. :) Ideally the more we can
>> stave off issues through proactive testing/fixing the better.
> Make the following queries from your recursive servers.  If you
> force the query source in the nameserver add a "-b <address>" to
> match.
> dig -4 ns . +norec @l.root-servers.net
> dig -4 ns . +dnssec +cd +norec @l.root-servers.net
> dig -4 any . +dnssec +cd +norec @l.root-servers.net
> dig -4 any . +dnssec +cd +norec @l.root-servers.net +vc
> If any of them fail you need to fix your middleware and / or firewall
> on the box.
> The first +dnssec query checks that unfragmented DNSSEC responses
> over 512 bytes are passed.  I get 801 bytes today when I run this
> test.
> The second +dnssec query checks that fragmented DNSSEC responses are
> passed.  I get 1906 bytes today when I run this test.
> The third +dnsec query checks that DNSSEC responses over TCP are
> passed.
> The non +dnssec query is a control query to check that you can reach
> l.root-servers.net.
> Repeat for IPv6.
> dig -6 ns . +norec @l.root-servers.net
> dig -6 ns . +dnssec +cd +norec @l.root-servers.net
> dig -6 any . +dnssec +cd +norec @l.root-servers.net
> dig -6 any . +dnssec +cd +norec @l.root-servers.net +vc
> Mark

Thank you. That's a nice quick/dirty test.

All 4 commands worked.

If folks are curious, my setup is Ubuntu 9.10 client, Ubuntu 9.10 server
running bind and a cisco 1841 running 12.4(18). I don't have a Windows
box handy to test on. How would one test with nslookup anyway? Or does
it only matter if the local DNS server can do the lookup and clients
will just work? Though one would still need to test from Windows if you
have AD for DNS I suppose. *shrugs*

Ok.... that's the client side.

How about the server side?

I'm currently using my registrars DNS servers. I haven't seen anything
in their control panel about DNSSEC. One item on my TODO list is to move
DNS to my BIND servers.

Quick search turns up
http://www.howtoforge.com/debian_bind9_master_slave_system which
mentions a few commands and couple stanzas. Is that all it takes?
How do you verify that you are .... compliant? complete? I mean SSL
based PKI is pretty straightforward and I understand it and can verify
that I'm compliant/complete (run my own ca, issue certs, delegate trust
etc). Guess I need to do more reading on DNSSEC and how to integrate
into the global DNSSEC infrastructure (such as it is and will emerge to
be). I have a test domain that I use for things like this. I would like
to setup DNSSEC and then positively/negatively test it. Just not sure
how. Presumably one should attempt to MITM the request and make sure the
resolver complains yes?

This is at my home network and as such I have a great degree of
latitude.  For folks who have managers to report to, what are the
justifications for deploying DNSSEC?

I think one would do it in stages

1)Make sure their infrastructure can at least handle the DNS protocol
changes that DNSSEC brings about (ie the 4 test commands above pass)

2)Implement a parallel environment with and without DNSSEC (is this

3)Sign their records.

Anyway just some thoughts.

Thanks to folks who have responded so far.
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the NANOG mailing list