[124324] in North American Network Operators' Group
Re: DNSSEC deployment testing and awareness
daemon@ATHENA.MIT.EDU (Florian Weimer)
Tue Mar 30 15:30:07 2010
From: Florian Weimer <fw@deneb.enyo.de>
To: Phil Regnauld <regnauld@nsrc.org>
Date: Tue, 30 Mar 2010 21:29:22 +0200
In-Reply-To: <20100330095226.GE24147@macbook.catpipe.net> (Phil Regnauld's message of "Tue, 30 Mar 2010 11:52:27 +0200")
Cc: nanog@nanog.org
* Phil Regnauld:
> Fair enough. Some simple "check your DNS reply size test
> [what is this ?]" page ought to be set up, with a simple
> explanation. "checkmydns.org" is available. If I get 5
> minutes... :)
Reply sizes are a red herring. You need something that looks at the
result of ./IN/DNSKEY, ./IN/RRSIG, ./IN/NSEC. At least one of these
queries should return data, some of the time. (Unfortunately, the
test is probabilistic.)
Then you know that your resolver can receive data from the signed root
and will not cease to work when all the roots serve the signed zone.
Other tests can't tell you that.
If your resolver is DNSSEC-aware, you can force cache misses by using
random query names with a non-existing TLD. This variant of the test
is much easier to carry out.
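The probes described in this message (`. IN DNSKEY`, `. IN RRSIG`, and an NSEC drawn out by a random name under a non-existent TLD so the resolver cannot answer from cache), as an added Python example that is not part of the original post or thread. It builds each query with an EDNS0 OPT record carrying the DO bit, decodes which record types come back in each section, and reports whether any DNSKEY, RRSIG or NSEC was received, which is the criterion the message gives. The resolver address (`RESOLVER` environment variable, default 127.0.0.1), the `nx`-prefixed random TLD, and the two sample responses used offline are assumptions or constructed data; the samples carry placeholder RDATA since only the record types are inspected.

```python
"""Probe a resolver for DNSSEC data from the signed root (added example).

Offline parts: wire-format encoding/decoding and two constructed sample replies.
The UDP send in main() needs network access to the resolver under test.
"""
import os
import secrets
import socket
import struct

# RR type codes from the IANA DNS parameters registry
TYPE_A, TYPE_SOA, TYPE_OPT, TYPE_RRSIG, TYPE_NSEC, TYPE_DNSKEY = 1, 6, 41, 46, 47, 48
TYPE_NAMES = {TYPE_A: "A", TYPE_SOA: "SOA", TYPE_OPT: "OPT",
              TYPE_RRSIG: "RRSIG", TYPE_NSEC: "NSEC", TYPE_DNSKEY: "DNSKEY"}
CLASS_IN = 1
EDNS_DO = 0x8000  # DNSSEC OK bit, carried in the OPT pseudo-RR's TTL field


def encode_name(name):
    """Encode a dotted name ("." is the root) as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_query(qname, qtype, qid=None):
    """Recursive query plus an OPT record (4096-byte UDP payload, DO set),
    so a DNSSEC-aware resolver includes RRSIG/NSEC records in its reply."""
    qid = secrets.randbelow(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + encode_rr(".", TYPE_OPT, 4096, EDNS_DO, b"")


def random_nonexistent_name():
    """Random label under a random TLD (assumed unregistered): forces a cache
    miss, so the resolver must fetch the NXDOMAIN proof from the root."""
    return f"{secrets.token_hex(6)}.nx{secrets.token_hex(8)}."


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # bound the walk so a pointer loop cannot hang us
        length = data[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if not jumped else end
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name compression loop")
    return ".".join(labels) + ".", end if jumped else offset


def parse_response(data):
    """Return the message ID, RCODE and the RR types seen in each section."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    sections = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        types = []
        for _ in range(count):
            _, offset = decode_name(data, offset)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10 + rdlen
            types.append(TYPE_NAMES.get(rtype, str(rtype)))
        sections[section] = types
    return {"id": qid, "rcode": flags & 0x000F, "sections": sections}


def root_signing_evidence(parsed):
    """True if any section carries DNSKEY, RRSIG or NSEC: the resolver did
    receive DNSSEC data from the signed root."""
    seen = {t for types in parsed["sections"].values() for t in types}
    return bool(seen & {"DNSKEY", "RRSIG", "NSEC"})


def sample_nxdomain_response(qid, qname):
    """Constructed sample, not captured traffic: NXDOMAIN whose authority
    section carries the root SOA, an NSEC and its RRSIG (placeholder RDATA)."""
    header = struct.pack("!HHHHHH", qid, 0x8183, 1, 0, 3, 0)  # QR|RD|RA, RCODE 3
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return (header + question
            + encode_rr(".", TYPE_SOA, CLASS_IN, 86400, b"\x00" * 22)
            + encode_rr(".", TYPE_NSEC, CLASS_IN, 86400, b"\x00" * 8)
            + encode_rr(".", TYPE_RRSIG, CLASS_IN, 86400, b"\x00" * 40))


def sample_plain_response(qid, qname):
    """Constructed sample: the same NXDOMAIN with the DNSSEC records absent."""
    header = struct.pack("!HHHHHH", qid, 0x8183, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + encode_rr(".", TYPE_SOA, CLASS_IN, 86400, b"\x00" * 22)


def query_resolver(resolver, qname, qtype, timeout=3.0):
    """Send one UDP query to the resolver and parse its reply (network access)."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("response ID mismatch")
    return parsed


if __name__ == "__main__":
    resolver = os.environ.get("RESOLVER", "127.0.0.1")  # assumed default
    for qname, qtype in ((".", TYPE_DNSKEY), (".", TYPE_RRSIG), (random_nonexistent_name(), TYPE_A)):
        parsed = query_resolver(resolver, qname, qtype)
        print(qname, TYPE_NAMES[qtype], "rcode", parsed["rcode"],
              "signed-root evidence:", root_signing_evidence(parsed))
```

As the message notes, the DNSKEY and RRSIG probes are probabilistic: a resolver may answer them from cache, and a resolver that is not DNSSEC-aware ignores the DO bit and returns no RRSIGs at all, so a single negative result is not conclusive. The random-name probe is the reliable one, because the NXDOMAIN it draws out must come from the root with its NSEC and RRSIG attached when the resolver is DNSSEC-aware.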