
I got asked, off-line, by a couple of people if ICANN had any tools for testing for DNSSEC. There are, so I went in, dug them out and tried them. The question, by the way, was prompted by the news that the DNSSEC Key Signing Key rollover will take place on or about October 11 – this has been delayed twice.

Now. To get to the DNSSEC tests, you can go to:

https://www.icann.org/resources/pages//tools-2012-02-25-en

This will bring up a list of four tests:

- a DNS Visualization test
- a “DNS Check”
- a DNSSEC Analyzer
- an SIDN DNSSEC Test

All but the last take a domain as an argument (entered in a text window on the page). The last one performs the test to where you're connected.

I recommend you try each one to see which is right for you. Read the results carefully, though. The “DNS Check” seems to think it's OK if DNSSEC is not there for the zone, as long as everything else is fine.

The last one gives you a link to a more comprehensive test at:

http://en.conn.internet.nl/connection/

That test covers things like IPv6 connectivity as well as DNSSEC.

Cheers,

Gordon

On Tue, 28 Aug 2018 15:02:45 -0400 Gordon Chillcott via talk <talk@gtalug.org> wrote:
> I got asked, off-line, by a couple of people if ICANN had any tools for testing for DNSSEC. There are, so I went in, dug them out and tried them. The question, by the way, was prompted by the news that the DNSSEC Key Signing Key rollover will take place on or about October 11 – this has been delayed twice.

I use dig (& scripts) - and yeah, October 11 - could still change, again. It does not matter though, as the present keys are valid past that...

Just have to add that I am very much anti 'walled gardens' - so am a proud DNSSEC fanboy :)

Andre
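Gordon's caveat above (a checker that reports "OK" when a zone simply has no DNSSEC) and Andre's dig-and-scripts approach suggest the same thing: a script should distinguish "validated" from "unsigned" from "bogus". The following is an added example, not code from anyone in this thread; it classifies the text output of `dig +dnssec` (and, optionally, a second run with `+cd`) against a validating resolver, using constructed sample responses so it runs offline.

```python
import re
from typing import Optional

# Assumption: the query was sent to a validating resolver (e.g. a local
# unbound), so the AD flag in dig's flags line is meaningful.

def _parse(dig_text: str):
    """Extract rcode, header flags and whether any RRSIG record appears."""
    m = re.search(r"status:\s*(\w+)", dig_text)
    status = m.group(1) if m else "UNKNOWN"
    m = re.search(r"flags:\s*([a-z ]*);", dig_text)
    flags = set(m.group(1).split()) if m else set()
    has_rrsig = bool(re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s", dig_text, re.M))
    return status, flags, has_rrsig

def classify_dnssec(dig_text: str, dig_cd_text: Optional[str] = None) -> str:
    """Classify a zone from `dig +dnssec` output; pass the `+cd` rerun
    output as dig_cd_text to tell 'bogus' apart from a plain outage."""
    status, flags, has_rrsig = _parse(dig_text)
    if status == "SERVFAIL":
        if dig_cd_text is None:
            return "servfail (rerun with +cd to check for bogus signatures)"
        cd_status, _, cd_rrsig = _parse(dig_cd_text)
        # Answer comes back only when validation is disabled: signatures are bogus.
        return "bogus" if cd_status == "NOERROR" and cd_rrsig else "servfail"
    if status != "NOERROR":
        return f"unexpected status {status}"
    if "ad" in flags and has_rrsig:
        return "validated"
    if has_rrsig:
        return "signed but not validated by this resolver"
    return "unsigned"   # the case a naive "everything else is fine" check misses

# Constructed sample outputs (abbreviated dig format, example.net is a placeholder).
SIGNED_ANSWER = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
    ";; flags: qr rd ra {ad}; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
    "example.net.\t3600\tIN\tA\t192.0.2.10\n"
    "example.net.\t3600\tIN\tRRSIG\tA 13 2 3600 20180930000000 20180901000000 4242 example.net. c2ln\n"
)
DIG_VALIDATED = SIGNED_ANSWER.format(ad="ad")
DIG_UNSIGNED = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
    "example.net.\t3600\tIN\tA\t192.0.2.10\n"
)
DIG_SERVFAIL = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
DIG_CD_ANSWER = SIGNED_ANSWER.format(ad="cd")

if __name__ == "__main__":
    for name, out in [("validated", DIG_VALIDATED), ("unsigned", DIG_UNSIGNED)]:
        print(name, "->", classify_dnssec(out))
    print("servfail+cd ->", classify_dnssec(DIG_SERVFAIL, DIG_CD_ANSWER))
```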

Thanks, Gord!

The one thing of interest that I noted in the "DNS Check" (https://zonemaster.iis.se) for GTALUG.org was that our DNS hosting via Gandi has perhaps insufficient diversity. To wit, there are several warnings similar to "All nameservers in the delegation have IPv4 addresses in the same AS (29169)."

I don't think we'd win much by adding an extra delegation separate from Gandi (e.g. - adding an extra nameserver elsewhere) in practice, given that we only have one server anyways. That would likely require we publish our DNS information in a more complex fashion, essentially duplicating all changes, and I think that would lead to the risk of us

But it seems to me as though Gandi would be able to help their customers if they had one of their nameservers be located somewhere else than inside ASN 29169.

FYI, Firefox complains about the Verisign verifier (https://dnssec-analyzer.verisignlabs.com/) being insecure due to using Symantec signatures.

I wonder if we should consider setting up gtalug.org to use DNSSEC; that's a question to consider at an Ops meeting some time...
participants (3): ac, Christopher Browne, Gordon Chillcott