Mark Andrews wrote:
In message <4B798F1E.6080403@knownelement.com>, Charles N Wyble writes:
All,
How are folks verifying DNSSEC readiness of their environments? Any existing testing methodologies / resources that folks are using?
It seems like this is something that will become a front and center issue for help desks everywhere pretty quick. :) Ideally the more we can stave off issues through proactive testing/fixing the better.
Make the following queries from your recursive servers. If you force the query source in the nameserver add a "-b <address>" to match.
dig -4 ns . +norec @l.root-servers.net
dig -4 ns . +dnssec +cd +norec @l.root-servers.net
dig -4 any . +dnssec +cd +norec @l.root-servers.net
dig -4 any . +dnssec +cd +norec @l.root-servers.net +vc
If any of them fail you need to fix your middleware and / or firewall on the box.
The first +dnssec query checks that unfragmented DNSSEC responses over 512 bytes are passed. I get 801 bytes today when I run this test.
The second +dnssec query checks that fragmented DNSSEC responses are passed. I get 1906 bytes today when I run this test.
The third +dnssec query checks that DNSSEC responses over TCP are passed.
The non +dnssec query is a control query to check that you can reach l.root-servers.net.
Repeat for IPv6.
dig -6 ns . +norec @l.root-servers.net
dig -6 ns . +dnssec +cd +norec @l.root-servers.net
dig -6 any . +dnssec +cd +norec @l.root-servers.net
dig -6 any . +dnssec +cd +norec @l.root-servers.net +vc
Mark
Thank you. That's a nice quick/dirty test. All 4 commands worked. If folks are curious, my setup is an Ubuntu 9.10 client, an Ubuntu 9.10 server running BIND and a Cisco 1841 running 12.4(18).

I don't have a Windows box handy to test on. How would one test with nslookup anyway? Or does it only matter if the local DNS server can do the lookup and clients will just work? Though one would still need to test from Windows if you have AD for DNS, I suppose. *shrugs*

Ok.... that's the client side. How about the server side? I'm currently using my registrar's DNS servers. I haven't seen anything in their control panel about DNSSEC. One item on my TODO list is to move DNS to my BIND servers. A quick search turns up http://www.howtoforge.com/debian_bind9_master_slave_system which mentions a few commands and a couple of stanzas. Is that all it takes? How do you verify that you are .... compliant? complete? I mean SSL-based PKI is pretty straightforward and I understand it and can verify that I'm compliant/complete (run my own CA, issue certs, delegate trust etc). Guess I need to do more reading on DNSSEC and how to integrate into the global DNSSEC infrastructure (such as it is and will emerge to be).

I have a test domain that I use for things like this. I would like to set up DNSSEC and then positively/negatively test it. Just not sure how. Presumably one should attempt to MITM the request and make sure the resolver complains, yes? This is at my home network and as such I have a great degree of latitude.

For folks who have managers to report to, what are the justifications for deploying DNSSEC? I think one would do it in stages:

1) Make sure their infrastructure can at least handle the DNS protocol changes that DNSSEC brings about (i.e. the 4 test commands above pass)
2) Implement a parallel environment with and without DNSSEC (is this possible/desirable?)
3) Sign their records.

Anyway just some thoughts. Thanks to folks who have responded so far.
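Mark's four root-server queries, scripted as an added shell example (this is not code from the thread or from BIND): it runs the control, the over-512-byte, the fragmented and the TCP query, and grades dig's output mechanically instead of eyeballing the "MSG SIZE rcvd" trailer. The 512-byte limit is the classic DNS UDP message size; the 1500-byte threshold used to decide "this answer must have been fragmented" is an assumption (a standard Ethernet MTU). The sample dig outputs embedded below are constructed so the grading logic can be exercised offline; `live_checks` needs network access and a `dig` binary.

```shell
#!/bin/sh
# Added example, not part of the thread: script Mark's four root-server checks
# and grade dig's output.  512 is the pre-EDNS0 UDP limit; 1500 (assumed, the
# usual Ethernet MTU) is the size above which a UDP answer must fragment.

ROOT=l.root-servers.net
SRC=${SRC:-}     # set SRC=<address> to add "-b <address>", as Mark suggests

# Extract N from dig's ";; MSG SIZE  rcvd: N" trailer (empty if dig got no answer).
msg_size() {
    printf '%s\n' "$1" | sed -n 's/^;; MSG SIZE *rcvd: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# A usable answer: NOERROR status and a size line (a timeout prints neither).
answered() {
    printf '%s\n' "$1" | grep -q 'status: NOERROR' && [ -n "$(msg_size "$1")" ]
}

# Control query (no +dnssec): plain reachability of the root server.
check_control()  { answered "$1"; }

# ns . +dnssec +cd: an EDNS0 answer over 512 bytes that still fits in one datagram.
check_over_512() { answered "$1" && [ "$(msg_size "$1")" -gt 512 ]; }

# any . +dnssec +cd, over UDP (fragmented) or with +vc (TCP): answer above the MTU.
check_large()    { answered "$1" && [ "$(msg_size "$1")" -gt 1500 ]; }

# grade <check-name> <dig-output>: print PASS/FAIL for one query.
grade() {
    if "check_$1" "$2"; then echo "PASS $1 ($(msg_size "$2") bytes)"; else echo "FAIL $1"; fi
}

# Run the four queries live; $1 is -4 or -6.  Needs a dig binary and network access.
live_checks() {
    fam=${1:--4}
    b=${SRC:+-b $SRC}
    c=$(dig $fam $b ns  . +norec             @$ROOT);     grade control  "$c"
    o=$(dig $fam $b ns  . +dnssec +cd +norec @$ROOT);     grade over_512 "$o"
    f=$(dig $fam $b any . +dnssec +cd +norec @$ROOT);     grade large    "$f"
    t=$(dig $fam $b any . +dnssec +cd +norec @$ROOT +vc); grade large    "$t"
}

# Constructed sample dig outputs (trimmed to the lines the checks read).
SAMPLE_801='; <<>> DiG 9.7.0 <<>> -4 ns . +dnssec +cd +norec @l.root-servers.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51234
;; flags: qr aa cd; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 15
;; MSG SIZE  rcvd: 801'
SAMPLE_1906='; <<>> DiG 9.7.0 <<>> -4 any . +dnssec +cd +norec @l.root-servers.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51235
;; flags: qr aa cd; QUERY: 1, ANSWER: 20, AUTHORITY: 0, ADDITIONAL: 15
;; MSG SIZE  rcvd: 1906'
SAMPLE_TIMEOUT='; <<>> DiG 9.7.0 <<>> -4 any . +dnssec +cd +norec @l.root-servers.net
;; connection timed out; no servers could be reached'

# Offline demonstration on the constructed samples: PASS, PASS, FAIL.
grade over_512 "$SAMPLE_801"
grade large    "$SAMPLE_1906"
grade large    "$SAMPLE_TIMEOUT"

# On a host with network access: DNSSEC_LIVE=1 sh dnssec-path-check.sh
if [ "${DNSSEC_LIVE:-0}" = 1 ]; then
    live_checks -4
    live_checks -6
fi
```

A FAIL on the fragmented or TCP query with a PASS on the control query is the signature of the middleware or firewall problem Mark describes; run it from the recursive server itself, since that is the box whose path to the roots matters.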