In message <4B798F1E.6080403@knownelement.com>, Charles N Wyble writes:
All,
How are folks verifying DNSSEC readiness of their environments? Any existing testing methodologies / resources that folks are using?
It seems like this is something that will become a front and center issue for help desks everywhere pretty quick. :) Ideally the more we can stave off issues through proactive testing/fixing the better.
Make the following queries from your recursive servers. If you force the query source in the nameserver add a "-b <address>" to match. dig -4 ns . +norec @l.root-servers.net dig -4 ns . +dnssec +cd +norec @l.root-servers.net dig -4 any . +dnssec +cd +norec @l.root-servers.net dig -4 any . +dnssec +cd +norec @l.root-servers.net +vc If any of them fail you need to fix your middleware and / or firewall on the box. The first +dnssec query checks that unfragmented DNSSEC responses over 512 bytes are passed. I get 801 bytes today when I run this test. The second +dnssec query checks that fragmented DNSSEC responses are passed. I get 1906 bytes today when I run this test. The third +dnsec query checks that DNSSEC responses over TCP are passed. The non +dnssec query is a control query to check that you can reach l.root-servers.net. Repeat for IPv6. dig -6 ns . +norec @l.root-servers.net dig -6 ns . +dnssec +cd +norec @l.root-servers.net dig -6 any . +dnssec +cd +norec @l.root-servers.net dig -6 any . +dnssec +cd +norec @l.root-servers.net +vc Mark
- -- Charles N Wyble Linux Systems Engineer charles@knownelement.com (818)280-7059 http://www.knownelement.com Unless agreed upon, assume everything in this e-mail might be blogged. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkt5jxoACgkQJmrRtQ6zKE94eQCghyDn96HG2g7G1MDogj/yy1WB GFQAn22n3a48Mt9ssiwfyqN1Ne0N+X6L =Xt79 -----END PGP SIGNATURE-----
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org