Discussion:
[GTALUG] Checking for DNSSEC
Gordon Chillcott via talk
2018-08-28 19:02:45 UTC
I got asked, off-line, by a couple of people if ICANN had any tools for
testing for DNSSEC. There are, so I went in, dug them out and tried
them.

The question, by the way, was prompted by the news that the DNSSEC Key
Signing Key rollover will take place on or about October 11 – this has
been delayed twice.

Now. To get to the DNSSEC tests, you can go to:

https://www.icann.org/resources/pages//tools-2012-02-25-en

This will bring up a list of four tests:
- a DNS Visualization test
- a “DNS Check”
- a DNSSEC Analyzer
- an SIDN DNSSEC Test

All but the last take a domain as an argument (entered in a text window
on the page). The last one performs the test to where you're
connected.

I recommend you try each one to see which is right for you. Read the
results carefully, though. The “DNS Check” seems to think it's OK if
DNSSEC is not there for the zone, as long as everything else is fine.

The last one gives you a link to a more comprehensive test at:

http://en.conn.internet.nl/connection/

That test covers things like IPv6 connectivity as well as DNSSEC.

Cheers,

Gordon



---
Talk Mailing List
***@gtal
ac via talk
2018-08-29 02:30:04 UTC
On Tue, 28 Aug 2018 15:02:45 -0400
Post by Gordon Chillcott via talk
> I got asked, off-line, by a couple of people if ICANN had any tools
> for testing for DNSSEC. There are, so I went in, dug them out and
> tried them.
> The question, by the way, was prompted by the news that the DNSSEC Key
> Signing Key rollover will take place on or about October 11 – this has
> been delayed twice.
I use dig (and scripts). And yeah, October 11 could still change
again. It does not matter though, as the present keys are valid past that...

I just have to add that I am very much anti 'walled gardens', so I am
a proud DNSSEC fanboy :)

Andre
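Andre mentions checking with dig and scripts rather than the web tools. The script below is an added example written for this page, not code posted by Andre or any of the ICANN tools; it assumes BIND's `dig` is on the path and uses constructed, trimmed dig output for the example zones example.net and example.org (not captured from real queries). The parser is kept separate from the live queries so it can be exercised offline, and it distinguishes the four states a practitioner actually cares about: validated, signed but not validated by the resolver, unsigned, and SERVFAIL.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a zone's DNSSEC state from
# the text output of `dig +dnssec <zone> SOA`. dnssec_classify is a pure parser
# over that output; dnssec_check and dnssec_bogus wrap it with live queries.

# Read dig output on stdin and print exactly one status word:
#   validated           RRSIGs in the answer and the resolver set the AD bit
#   signed-unvalidated  RRSIGs present but no AD bit: the resolver is not
#                       validating (or dig was run with +cd)
#   unsigned            no RRSIG records in the answer section
#   servfail            the resolver refused; from a validating resolver this
#                       is what a bogus (expired or badly signed) zone looks like
dnssec_classify() {
  awk '
    /^;; ->>HEADER<<-/ && /status: SERVFAIL/ { servfail = 1 }
    /^;; flags:/ {
      # ";; flags: qr rd ra ad; QUERY: 1, ..." -> the flags are the 3rd ";" field
      split($0, f, ";")
      if ((" " f[3] " ") ~ / ad /) ad = 1
    }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^;; [A-Z]+ SECTION:/ { in_answer = 0 }
    in_answer && /[ \t]IN[ \t]+RRSIG[ \t]/ { rrsig++ }
    END {
      if (servfail)         print "servfail"
      else if (rrsig && ad) print "validated"
      else if (rrsig)       print "signed-unvalidated"
      else                  print "unsigned"
    }'
}

# Live check of a zone against the system resolver, or against the resolver
# given as the second argument (a public validating resolver such as 8.8.8.8).
dnssec_check() {
  { if [ -n "$2" ]; then dig +dnssec @"$2" "$1" SOA; else dig +dnssec "$1" SOA; fi; } |
    dnssec_classify
}

# A validating resolver answers SERVFAIL for a bogus zone, but the same query
# with +cd (checking disabled) succeeds. SERVFAIL both with and without +cd
# means the resolver or the zone's servers are broken, not DNSSEC.
dnssec_bogus() {
  [ "$(dig +dnssec "$1" SOA | dnssec_classify)" = servfail ] &&
  [ "$(dig +dnssec +cd "$1" SOA | dnssec_classify)" != servfail ]
}

# Classify a block of dig output held in a shell variable.
classify_text() { printf '%s\n' "$1" | dnssec_classify; }

# Constructed dig output (trimmed to the relevant lines, not captured from a
# real zone) so the parser can be run without network access.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.net.                   IN      SOA

;; ANSWER SECTION:
example.net.            3600    IN      SOA     ns1.example.net. hostmaster.example.net. 2018082801 7200 3600 1209600 3600
example.net.            3600    IN      RRSIG   SOA 13 2 3600 20180911000000 20180828000000 12345 example.net. Y29uc3RydWN0ZWRzaWduYXR1cmU='

SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.            3600    IN      SOA     ns1.example.org. hostmaster.example.org. 2018082801 7200 3600 1209600 3600'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

printf 'validated sample: %s\n' "$(classify_text "$SAMPLE_VALIDATED")"
printf 'unsigned sample:  %s\n' "$(classify_text "$SAMPLE_UNSIGNED")"
printf 'servfail sample:  %s\n' "$(classify_text "$SAMPLE_SERVFAIL")"
```

Against a live zone, `dnssec_check gtalug.org` reports what the local resolver sees, and `dnssec_check gtalug.org 8.8.8.8` what a validating public resolver sees; the two differ on "signed-unvalidated" whenever the local resolver is not validating, which is the same caveat Gordon raises about reading the web tools' results carefully.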
Christopher Browne via talk
2018-08-30 17:35:22 UTC
Thanks, Gord!

The one thing of interest that I noted in the "DNS Check"
(https://zonemaster.iis.se) for GTALUG.org was that our DNS hosting
via Gandi has perhaps insufficient diversity. To wit, there are
several warnings similar to "All nameservers in the delegation have
IPv4 addresses in the same AS (29169)."

I don't think we'd win much by adding an extra delegation separate
from Gandi (e.g. - adding an extra nameserver elsewhere) in practice,
given that we only have one server anyways. That would likely require
we publish our DNS information in a more complex fashion, essentially
duplicating all changes, and I think that would lead to the risk of us

But it seems to me as though Gandi would be able to help their
customers if they had one of their nameservers be located somewhere
else than inside ASN 29169.

FYI, Firefox complains about the Verisign verifier
(https://dnssec-analyzer.verisignlabs.com/) being insecure due to
using Symantec signatures.

I wonder if we should consider setting up gtalug.org to use DNSSEC;
that's a question to consider at an Ops meeting some time...
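Chris's "DNS Check" warning is about all delegated nameservers having IPv4 addresses in one autonomous system. The script below is an added example for this page, not code from the thread or from the zonemaster tool; it assumes BIND's `dig`, and maps IPv4 addresses to ASNs with the Team Cymru DNS service (a TXT query for the reversed address under origin.asn.cymru.com). The nameserver and prefix values in the sample are constructed, with AS29169 reused only as the number quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: does every nameserver in a zone's
# delegation sit in one AS? The Team Cymru service answers a TXT query for
# <reversed IPv4>.origin.asn.cymru.com with
#   "ASN | prefix | country | registry | allocation date"
# The parsing helpers are pure so they run offline; ns_asns needs the network.
# IPv4 only, which is also what the quoted warning is about.

# 192.0.2.10 -> 10.2.0.192
reverse_ipv4() {
  printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# First ASN from a Cymru TXT answer such as (constructed record)
#   "29169 | 192.0.2.0/24 | XX | ripencc | 2001-08-29"
# A multi-origin prefix lists several ASNs before the first "|"; keep the first.
cymru_asn() {
  printf '%s\n' "$1" | tr -d '"' | awk -F'|' '{ split($1, a, " "); print a[1] }'
}

# Count distinct non-empty lines on stdin.
distinct_count() { awk 'NF && !seen[$0]++ { n++ } END { print n + 0 }'; }

# Live: print one "nameserver ip ASn" line per IPv4 address of each NS.
ns_asns() {
  dig +short "$1" NS | while read -r ns; do
    for ip in $(dig +short "$ns" A); do
      txt=$(dig +short "$(reverse_ipv4 "$ip").origin.asn.cymru.com" TXT | head -n 1)
      printf '%s %s AS%s\n' "$ns" "$ip" "$(cymru_asn "$txt")"
    done
  done
}

# Read "nameserver ip ASn" lines on stdin; succeed only if more than one AS appears.
as_diverse() {
  [ "$(awk '{ print $3 }' | distinct_count)" -gt 1 ]
}

# Constructed sample in the shape ns_asns prints (not real hosting data): two
# nameservers in the same AS, the case that triggers the warning.
SAMPLE_SINGLE_AS='ns1.example.net 192.0.2.1 AS29169
ns2.example.net 192.0.2.2 AS29169'

if printf '%s\n' "$SAMPLE_SINGLE_AS" | as_diverse; then
  echo "delegation spans more than one AS"
else
  echo "all nameservers in one AS: one routing or provider outage takes out the whole delegation"
fi
```

For a real zone, `ns_asns gtalug.org | as_diverse && echo diverse` reproduces the check; the ASN alone does not show whether the servers share a data centre or an anycast prefix, so a "diverse" result is a necessary condition, not proof of independent reachability.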