DNSSEC deployment testing and awareness

Florian Weimer fw at deneb.enyo.de
Tue Mar 30 19:29:22 UTC 2010


* Phil Regnauld:

> 	Fair enough.  Some simple "check your DNS reply size test
> 	[what is this ?]"  page ought to be set up, with a simple
> 	explanation.  "checkmydns.org" is available.  If I get 5
> 	minutes... :)

Reply sizes are a red herring.  You need something that looks at the
result of ./IN/DNSKEY, ./IN/RRSIG, ./IN/NSEC.  At least one of these
queries should return data, some of the time.  (Unfortunately, the
test is probabilistic.)

Then you know that your resolver can receive data from the signed root
and will not cease to work when all the roots serve the signed zone.
Other tests can't tell you that.

If your resolver is DNSSEC-aware, you can force cache misses by using
random query names with a non-existing TLD.  This variant of the test
is much easier to carry out.
More information about the NANOG mailing list
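The probe Florian describes, carried out on the wire, as an added example that is not part of the original thread and not code by its author: build a root-zone query for DNSKEY, RRSIG or NSEC with EDNS0 and the DO bit set, and check whether any of those record types comes back from the resolver (in the answer or authority section). The same parser serves the cache-miss variant, where a random name under a non-delegated TLD (here the RFC 2606 reserved `invalid`, an assumption of this example; any random non-existent TLD label works) forces the resolver to consult the root and return an NSEC denial if it is DNSSEC-aware. The `build_response` helper only exists to construct sample replies for offline checking; the live `probe` function sends a single UDP query to a resolver address you supply.

```python
import random
import socket
import struct
import sys

# RR type codes from RFC 4034 (DNSSEC) and RFC 2671 (EDNS0 OPT)
TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY, TYPE_OPT = 46, 47, 48, 41
DNSSEC_TYPES = {TYPE_DNSKEY, TYPE_RRSIG, TYPE_NSEC}


def encode_name(name):
    """Wire-format a domain name; the root "." is a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=None):
    """Recursive query with an OPT RR advertising a 4096-byte UDP buffer and
    the DO bit set, so a DNSSEC-aware resolver includes RRSIG/NSEC data."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, type OPT, class = payload size, TTL field carries DO (0x8000) in the flags half
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compression-pointer) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def rr_types(msg):
    """Set of RR types present in the answer and authority sections of a reply."""
    _txid, _flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    types = set()
    for _ in range(an + ns):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.add(rtype)
    return types


def root_dnssec_data_received(msg):
    """True if the reply carried any DNSKEY, RRSIG or NSEC record."""
    return bool(rr_types(msg) & DNSSEC_TYPES)


def random_probe_name(length=12):
    """Random label under the reserved 'invalid' TLD (assumption): a guaranteed cache miss."""
    label = "".join(random.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(length))
    return label + ".invalid."


def probe(resolver_ip, qname, qtype, timeout=3.0):
    """Send one query to a resolver over UDP and return the RR types seen in the reply."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype, txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return rr_types(data)


def encode_rr(name, rtype, rdata, ttl=3600):
    """Wire-format one resource record (class IN); used to construct sample replies."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(txid, qname, qtype, answers=(), authority=()):
    """Constructed reply for offline checks: flags QR|RD|RA|AD, no additional records."""
    header = struct.pack("!HHHHHH", txid, 0x81A0, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + b"".join(answers) + b"".join(authority)


if __name__ == "__main__":
    # usage: python probe.py <resolver-ip>
    resolver = sys.argv[1]
    for qtype, label in ((TYPE_DNSKEY, "DNSKEY"), (TYPE_RRSIG, "RRSIG"), (TYPE_NSEC, "NSEC")):
        print("./IN/%s -> %s" % (label, sorted(probe(resolver, ".", qtype))))
    print("%s -> %s" % (random_probe_name(), sorted(probe(resolver, random_probe_name(), TYPE_DNSKEY))))
```

Run the script once per resolver you care about; a resolver that passes DNSSEC data through shows 48 (DNSKEY) or 46 (RRSIG) for the root queries and 47 (NSEC) on the random-name probe, while one that strips unknown types or cannot fetch the signed root shows neither, which is exactly the condition the post warns about. As the post notes, the root queries can be served from cache, so repeat them a few times before drawing a conclusion.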