[122494] in North American Network Operators' Group


Re: DNSSEC Readiness

daemon@ATHENA.MIT.EDU (Florian Weimer)
Mon Feb 15 14:05:16 2010

From: Florian Weimer <fw@deneb.enyo.de>
To: Charles N Wyble <charles@knownelement.com>
Date: Mon, 15 Feb 2010 20:04:41 +0100
In-Reply-To: <4B798F1E.6080403@knownelement.com> (Charles N. Wyble's message
	of "Mon, 15 Feb 2010 10:14:54 -0800")
Cc: Nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

* Charles N. Wyble:

> How are folks verifying DNSSEC readiness of their environments? Any
> existing testing methodologies / resources that folks are using?

For now, running (with a real resolver address instead of 192.0.2.1)

  dig @192.0.2.1 $RANDOM. +dnssec

and checking if a certain percentage of the responses include DNSSEC
data.  This means that your resolver can get data from DURZ-enabled
servers, so you should be fine when the root is signed.

If your resolvers are not security-aware, use

  dig @192.0.2.1 . NSEC
  dig @192.0.2.1 . RRSIG
  dig @192.0.2.1 . DNSKEY

but you can run this variant of the test only once per day.

If you never, ever get any DNSSEC data for these queries, you will
very likely have a problem once all root servers have switched to
serving DURZ (and later DNSSEC) data.

> It seems like this is something that will become a front and center
> issue for help desks everywhere pretty quick. :)

Why do you think so? Would you even notice if your webmail provider
switches to HTTPS by default (or back to HTTP)?
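An added example (not part of Florian's post) that scripts both checks above: it runs a batch of random-label root queries with +dnssec and counts how many responses carry RRSIG or NSEC records, and the same filter can be applied to the once-a-day `dig @resolver . NSEC` variant. It assumes `dig` and `od` are installed; 192.0.2.1 is the placeholder resolver address from the post, the 50% threshold is an assumption (the post only says "a certain percentage"), and the two sample dig outputs are constructed, not real captures.

```sh
#!/bin/sh
# has_dnssec_data: read dig output on stdin; exit 0 if the response carries
# RRSIG or NSEC records, 1 otherwise. dig comment lines start with ';' and
# are dropped first so the ";; flags:" line cannot produce a false hit.
# Field 4 of a record line is the RR type (name TTL class type ...).
has_dnssec_data() {
    grep -v '^;' | awk '$4 == "RRSIG" || $4 == "NSEC" { found = 1 }
                        END { exit found ? 0 : 1 }'
}

# dnssec_readiness RESOLVER [N]: send N random-label queries for names
# directly under the root with +dnssec and print "signed/total".
# Needs network access and a real resolver address.
dnssec_readiness() {
    resolver=$1; total=${2:-20}; signed=0; i=0
    while [ "$i" -lt "$total" ]; do
        i=$((i + 1))
        # Random 16-bit label: $RANDOM from the post is bash-only, od is POSIX.
        label=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
        if dig @"$resolver" "$label." +dnssec +time=3 +tries=1 2>/dev/null \
           | has_dnssec_data; then
            signed=$((signed + 1))
        fi
    done
    echo "$signed/$total"
}

# readiness_ok SIGNED TOTAL MIN_PERCENT: exit 0 when at least MIN_PERCENT of
# the responses carried DNSSEC data (integer arithmetic, no bc needed).
readiness_ok() {
    [ $(( $1 * 100 )) -ge $(( $3 * $2 )) ]
}

# Constructed sample outputs (placeholder signatures) for offline checking.
# A DURZ-style NXDOMAIN for a random label: authority section has NSEC/RRSIG.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4201
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; AUTHORITY SECTION:
.  86400 IN SOA   a.root-servers.net. nstld.verisign-grs.com. 2010021500 1800 900 604800 86400
.  86400 IN RRSIG SOA 8 0 86400 20100222000000 20100215000000 12345 . PLACEHOLDERSIG==
.  86400 IN NSEC  ac. NS SOA RRSIG NSEC DNSKEY
.  86400 IN RRSIG NSEC 8 0 86400 20100222000000 20100215000000 12345 . PLACEHOLDERSIG=='
# The same query answered by a resolver that strips or never received DNSSEC data.
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4202
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
.  86400 IN SOA   a.root-servers.net. nstld.verisign-grs.com. 2010021500 1800 900 604800 86400'

# Usage (needs network): dnssec_readiness 192.0.2.1 20   -> prints signed/total
# Non-security-aware variant: dig @192.0.2.1 . NSEC | has_dnssec_data && echo ok
```

`readiness_ok` takes the two numbers that `dnssec_readiness` prints, so a cron job can do `set -- $(dnssec_readiness 192.0.2.1 20 | tr / ' '); readiness_ok "$1" "$2" 50 || alert`. Checking the RR type column rather than grepping for the string "RRSIG" matters because an NSEC record's type bitmap also contains the words RRSIG and NSEC.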

