nanog mailing list archives
Re: DNSSEC Readiness
From: Mark Andrews <marka () isc org>
Date: Tue, 16 Feb 2010 11:16:20 +1100
In message <4B798F1E.6080403 () knownelement com>, Charles N Wyble writes:
All, How are folks verifying DNSSEC readiness of their environments? Any existing testing methodologies / resources that folks are using? It seems like this is something that will become a front and center issue for help desks everywhere pretty quick. :) Ideally the more we can stave off issues through proactive testing/fixing the better.
Make the following queries from your recursive servers. If you force the query source in the nameserver add a "-b <address>" to match.

dig -4 ns . +norec @l.root-servers.net
dig -4 ns . +dnssec +cd +norec @l.root-servers.net
dig -4 any . +dnssec +cd +norec @l.root-servers.net
dig -4 any . +dnssec +cd +norec @l.root-servers.net +vc

If any of them fail you need to fix your middleware and / or firewall on the box.

The first +dnssec query checks that unfragmented DNSSEC responses over 512 bytes are passed. I get 801 bytes today when I run this test.

The second +dnssec query checks that fragmented DNSSEC responses are passed. I get 1906 bytes today when I run this test.

The third +dnssec query checks that DNSSEC responses over TCP are passed.

The non +dnssec query is a control query to check that you can reach l.root-servers.net.

Repeat for IPv6.

dig -6 ns . +norec @l.root-servers.net
dig -6 ns . +dnssec +cd +norec @l.root-servers.net
dig -6 any . +dnssec +cd +norec @l.root-servers.net
dig -6 any . +dnssec +cd +norec @l.root-servers.net +vc

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka () isc org
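A script that runs the four l.root-servers.net probes from Mark's message for one address family and classifies each dig reply (no answer, truncated answer, answer too small, pass). This is an added example, not code from the original post or from ISC. The dig flags are exactly those in the message; the pass thresholds (more than 512 bytes for the first +dnssec query, more than 1500 bytes for the fragmented one, chosen to sit below the 801 and 1906 bytes he reports), the PASS/FAIL wording, the script name and the sample dig outputs used for the offline self-test are my assumptions.

```shell
#!/bin/sh
# dnssec_path_check.sh: run the four l.root-servers.net probes from the post
# above for one address family and report which part of the path is broken.
# Added example, not code from the original message. Thresholds and the
# sample outputs below are assumptions, not real captures.

SERVER=l.root-servers.net

# classify LABEL MINBYTES DIG_OUTPUT
# Inspects captured dig output: a missing ";; MSG SIZE" line means no reply
# (dropped fragment, blocked EDNS or blocked TCP), a "tc" flag means the
# server fell back to a truncated <=512-byte answer (EDNS stripped by
# middleware), and a reply smaller than MINBYTES means the large response
# did not make it through. Prints one verdict line, returns 0 on pass.
classify() {
    label=$1
    minbytes=$2
    out=$3
    size=$(printf '%s\n' "$out" | sed -n 's/^;; MSG SIZE *rcvd: \([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$size" ]; then
        echo "FAIL $label: no reply (timeout, blocked or fragment dropped)"
        return 1
    fi
    if printf '%s\n' "$out" | grep -q '^;; flags:.* tc[ ;]'; then
        echo "FAIL $label: truncated $size-byte reply, EDNS probably stripped"
        return 1
    fi
    if [ "$size" -lt "$minbytes" ]; then
        echo "FAIL $label: $size bytes, expected at least $minbytes"
        return 1
    fi
    echo "PASS $label: $size bytes"
    return 0
}

# run_probes FAMILY [SOURCE]
# FAMILY is -4 or -6; SOURCE is the optional address for dig's "-b", to match
# a forced query-source in the resolver config. Returns 1 if any probe fails.
run_probes() {
    fam=$1
    src=""
    [ -n "$2" ] && src="-b $2"
    rc=0
    # control: plain query, proves the server is reachable at all
    classify "control$fam"    1    "$(dig $fam $src ns  . +norec @$SERVER)"                 || rc=1
    # unfragmented DNSSEC answer over 512 bytes (801 bytes in the post)
    classify "edns$fam"       513  "$(dig $fam $src ns  . +dnssec +cd +norec @$SERVER)"     || rc=1
    # answer over 1500 bytes, so it arrives as IP fragments (1906 bytes in the post)
    classify "fragmented$fam" 1501 "$(dig $fam $src any . +dnssec +cd +norec @$SERVER)"     || rc=1
    # the same large answer over TCP
    classify "tcp$fam"        513  "$(dig $fam $src any . +dnssec +cd +norec @$SERVER +vc)" || rc=1
    return $rc
}

# Constructed dig output fragments (not real captures) so the classifier can
# be exercised without network access.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 20
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; MSG SIZE  rcvd: 801'
SAMPLE_TC=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 3
;; MSG SIZE  rcvd: 494'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# selftest: returns 0 when the classifier gives the expected verdict on each sample
selftest() {
    classify sample-ok        513  "$SAMPLE_OK"      >/dev/null || return 1
    classify sample-tc        513  "$SAMPLE_TC"      >/dev/null && return 1
    classify sample-timeout   1    "$SAMPLE_TIMEOUT" >/dev/null && return 1
    classify sample-too-small 1501 "$SAMPLE_OK"      >/dev/null && return 1
    return 0
}

case "${1:-}" in
    -4|-6) run_probes "$1" "${2:-}" ;;   # e.g. sh dnssec_path_check.sh -4 192.0.2.53
    *)     selftest && echo "classifier self-test passed; run with -4 or -6 [source-address] to probe" ;;
esac
```

Run it on the recursive server itself (`sh dnssec_path_check.sh -4`, then `-6`), since the point of the test is the path between that host and the root server; running it from a workstation tells you about the workstation's firewall, not the resolver's. A "no reply" on the fragmented probe with the other three passing is the classic signature of a firewall dropping non-initial IP fragments, while a "truncated" verdict on the first +dnssec probe points at middleware rewriting or stripping the EDNS OPT record.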
Current thread:
- DNSSEC Readiness Charles N Wyble (Feb 15)
- Re: DNSSEC Readiness Tony Finch (Feb 15)
- Re: DNSSEC Readiness Charles N Wyble (Feb 15)
- Re: DNSSEC Readiness Curtis Maurand (Feb 16)
- Re: DNSSEC Readiness Mark Andrews (Feb 16)
- Re: DNSSEC Readiness Charles N Wyble (Feb 15)
- Re: DNSSEC Readiness Tony Finch (Feb 15)
- Re: DNSSEC Readiness Florian Weimer (Feb 15)
- Re: DNSSEC Readiness Charles N Wyble (Feb 15)
- Re: DNSSEC Readiness Florian Weimer (Feb 15)
- Re: DNSSEC Readiness Charles N Wyble (Feb 15)
- Re: DNSSEC Readiness Amar (Feb 15)
- Re: DNSSEC Readiness Florian Weimer (Feb 15)
- Re: DNSSEC Readiness Mark Andrews (Feb 15)
- Re: DNSSEC Readiness Charles N Wyble (Feb 15)
- Re: DNSSEC Readiness Mark Andrews (Feb 16)
- Re: DNSSEC Readiness Charles N Wyble (Feb 15)