nanog mailing list archives

Re: DNSSEC Readiness


From: Florian Weimer <fw () deneb enyo de>
Date: Mon, 15 Feb 2010 20:04:41 +0100

* Charles N. Wyble:

> How are folks verifying DNSSEC readiness of their environments? Any
> existing testing methodologies / resources that folks are using?

For now, running (with a real resolver address instead of 192.0.2.1)

  dig @192.0.2.1 $RANDOM. +dnssec

and checking if a certain percentage of the responses include DNSSEC
data.  This means that your resolver can get data from DURZ-enabled
servers, so you should be fine when the root is signed.

If your resolvers are not security-aware, use

  dig @192.0.2.1 . NSEC
  dig @192.0.2.1 . RRSIG
  dig @192.0.2.1 . DNSKEY

but you can run this variant of the test only once per day.

If you never, ever get any DNSSEC data for these queries, you will
very likely have a problem once all root servers have switched to
serving DURZ (and later DNSSEC) data.

> It seems like this is something that will become a front and center
> issue for help desks everywhere pretty quick. :)

Why do you think so? Would you even notice if your webmail provider
switches to HTTPS by default (or back to HTTP)?
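
As an added example (not part of Florian's mail and not any NANOG or BIND tooling), the Python script below automates both checks described above: it runs `dig @<resolver> <random label>. +dnssec` a number of times and reports the fraction of replies that carried DNSSEC records, and it can also run the three direct `. NSEC` / `. RRSIG` / `. DNSKEY` queries for resolvers that are not security-aware. It assumes `dig` is on the PATH; the resolver address 192.0.2.1 is the placeholder from the thread, and the two embedded dig outputs are constructed samples so the parsing can be exercised without network access.

```python
"""Added example, not from the original mail: automates the dig-based DNSSEC
readiness check.  Assumes `dig` is on PATH.  192.0.2.1 is the placeholder
resolver from the thread; the sample dig outputs below are constructed."""
import random
import string
import subprocess
import sys

# Record types whose presence in a reply shows that DNSSEC data is getting
# through from the authoritative servers to the client.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "DNSKEY", "DS"}


def random_label(length=8):
    """A fresh label (like $RANDOM in the mail) so the answer cannot come from
    the cache and the resolver has to ask a root server."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def parse_dig_records(dig_output):
    """Return (owner, rrtype) for every resource record line dig printed.
    Record lines look like '<owner> <ttl> IN <type> <rdata...>'; comment lines
    start with ';' and are skipped."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        if len(fields) >= 4 and fields[2] in ("IN", "CH", "HS"):
            records.append((fields[0], fields[3]))
    return records


def has_dnssec_data(dig_output):
    """True if any RRSIG/NSEC/NSEC3/DNSKEY/DS record came back."""
    return any(rrtype in DNSSEC_TYPES for _, rrtype in parse_dig_records(dig_output))


def dnssec_ratio(outputs):
    """Fraction of replies carrying DNSSEC data (0.0 when there are none)."""
    if not outputs:
        return 0.0
    return sum(1 for out in outputs if has_dnssec_data(out)) / len(outputs)


def run_dig(resolver, name, rrtype="A", dnssec=True):
    """Run dig against the resolver and return its text output."""
    cmd = ["dig", "@" + resolver, name, rrtype, "+time=3", "+tries=1",
           "+dnssec" if dnssec else "+nodnssec"]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout


def check_security_aware(resolver, queries=20):
    """Variant 1 from the mail: random labels with +dnssec, repeated, because
    the resolver may hit a different root server (DURZ or not) each time."""
    return dnssec_ratio([run_dig(resolver, random_label() + ".")
                         for _ in range(queries)])


def check_legacy(resolver):
    """Variant 2 from the mail, for resolvers that are not security-aware.
    The root's TTL is a day, so after the first run you only see the cache."""
    return {rrtype: has_dnssec_data(run_dig(resolver, ".", rrtype, dnssec=False))
            for rrtype in ("NSEC", "RRSIG", "DNSKEY")}


# Constructed sample: an NXDOMAIN from a DURZ-style root with signatures.
SAMPLE_DURZ = """
; <<>> DiG 9.7.0 <<>> @192.0.2.1 x7q2m9kd. +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;x7q2m9kd.                      IN      A

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2010021501 1800 900 604800 86400
.       86400   IN      RRSIG   SOA 8 0 86400 20100222000000 20100215000000 1111 . SIGNATUREPLACEHOLDER==
.       86400   IN      NSEC    ac. NS SOA RRSIG NSEC DNSKEY
.       86400   IN      RRSIG   NSEC 8 0 86400 20100222000000 20100215000000 1111 . SIGNATUREPLACEHOLDER==
"""

# Constructed sample: the same query answered without any DNSSEC records.
SAMPLE_PLAIN = """
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4343
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;x7q2m9kd.                      IN      A

;; AUTHORITY SECTION:
.       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2010021501 1800 900 604800 86400
"""

if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print("replies with DNSSEC data: %.0f%%" % (100 * check_security_aware(resolver)))
    print("direct root queries:", check_legacy(resolver))
```

A ratio that stays at zero across many runs is the "never, ever get any DNSSEC data" case from the mail; a ratio between zero and one is expected while only some root servers serve DURZ, because each random query may land on a different root server.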

