
Introduction

The DNSSEC Checking tool is an application that is able to validate your DNSSEC zones. This monitoring tool is able to find:

- network-related issues, such as firewall problems
- trust-related issues, such as incorrect secure parent-to-child delegations
- zone-related issues, such as time/duration problems
- DNSSEC choices, such as NSEC vs. NSEC3

The DNSSEC Monitoring tool can be consulted online; it is therefore not necessary to install any additional programs.

Functionality
The DNSSEC Monitoring tool offers the following functionality:

- It is possible to execute a chain validation check that determines if the complete chain of trust from the secure entry point to the zone is secure and if the signature belonging to the given domain name and domain type is correct. Here we distinguish:
  o TCP check, which tests the TCP response of the authoritative servers that belong to the zone related to the domain name.
  o UDP check, which tests the UDP response of the authoritative servers that belong to the zone related to the domain name.
- An EDNS0 validation check can be executed to see what the minimal and maximal packet size is for the zone belonging to the given domain name. This check is done for each known NS record.
- The NSEC3 check will perform a check to find out which secure denial-of-existence mechanism is used. It is advisable to use NSEC3 to prevent zone enumeration.
- The TTL check will verify whether the TTL parameters used in the zone comply with the recommendations in RFC 4641bis.
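The NSEC3 check described above boils down to inspecting the denial-of-existence records a zone returns for a non-existent name. The following is an added example (not the DNSSEC Monitoring tool's own code) that classifies a zone the same way the tool does: NSEC3 without the Opt-Out flag is OK, NSEC or NSEC3 with Opt-Out or no records at all is a WARNING, and no usable response is UNKNOWN. The records are constructed sample data in zone-file presentation format; the hashed owner names and salt are made up. A real checker would obtain the records by querying the zone's authoritative servers with the DO bit set.

```python
"""Classify a zone's secure denial-of-existence mechanism (added example,
not the DNSSEC Monitoring tool's own code)."""
from typing import List, Optional, Tuple

# RFC 5155 section 3.1.2.1: the low bit of the NSEC3 Flags field is Opt-Out.
NSEC3_OPT_OUT_FLAG = 0x01


class Record:
    """One resource record: owner, TTL, type and the rdata fields as tokens."""

    def __init__(self, owner: str, ttl: int, rtype: str, rdata: List[str]):
        self.owner, self.ttl, self.rtype, self.rdata = owner, ttl, rtype, rdata


def parse_records(text: str) -> List[Record]:
    """Parse 'owner TTL IN TYPE rdata...' lines; ';' comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, rclass, rtype, *rdata = line.split()
        if rclass.upper() != "IN":
            raise ValueError("unsupported class in line: %s" % line)
        records.append(Record(owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def nsec3_check(records: Optional[List[Record]]) -> Tuple[str, str]:
    """Return (status, explanation) following the tool's NSEC3 check statuses."""
    if records is None:
        return ("UNKNOWN", "timeout or internal error; nothing to classify")
    nsec3 = [r for r in records if r.rtype == "NSEC3"]
    nsec = [r for r in records if r.rtype == "NSEC"]
    if nsec3:
        # NSEC3 rdata: hash-alg flags iterations salt next-hashed-owner type-bitmap
        opt_out = [r for r in nsec3 if int(r.rdata[1]) & NSEC3_OPT_OUT_FLAG]
        if opt_out:
            return ("WARNING", "zone uses NSEC3 with OPT-OUT; unsigned delegations are not covered")
        return ("OK", "zone uses NSEC3 without OPT-OUT")
    if nsec:
        return ("WARNING", "zone uses NSEC; the next-owner chain exposes every name in the zone")
    return ("WARNING", "no NSEC or NSEC3 records found in the denial response")


# Constructed sample denial responses (hashes, salt and names are made up).
SAMPLE_NSEC3 = """
; NSEC3, flags=0 (no Opt-Out)
2vptu5timamqttgl4luu9kg21e0aor3s.example.org. 900 IN NSEC3 1 0 10 AABBCCDD 35mthgpgcu1qg68fab165klnsnk3dpvl NS SOA RRSIG DNSKEY NSEC3PARAM
"""
SAMPLE_NSEC3_OPT_OUT = """
; NSEC3, flags=1 (Opt-Out set)
2vptu5timamqttgl4luu9kg21e0aor3s.example.org. 900 IN NSEC3 1 1 10 AABBCCDD 35mthgpgcu1qg68fab165klnsnk3dpvl NS SOA RRSIG DNSKEY NSEC3PARAM
"""
SAMPLE_NSEC = """
; plain NSEC: the next owner name is visible in clear
example.org. 900 IN NSEC mail.example.org. NS SOA RRSIG NSEC DNSKEY
"""
SAMPLE_EMPTY = """
; a denial response without NSEC or NSEC3 records
example.org. 900 IN SOA ns1.example.org. hostmaster.example.org. 2024010101 7200 3600 1209600 3600
"""

if __name__ == "__main__":
    for label, text in [("nsec3", SAMPLE_NSEC3), ("nsec3-optout", SAMPLE_NSEC3_OPT_OUT),
                        ("nsec", SAMPLE_NSEC), ("none", SAMPLE_EMPTY)]:
        print(label, nsec3_check(parse_records(text)))
    print("timeout", nsec3_check(None))
```

The Opt-Out flag is read from the NSEC3 records themselves rather than from NSEC3PARAM, because RFC 5155 keeps that flag only in the NSEC3 RRs that cover the denial.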

Output
For each output additional information can be provided. To view this information, move your mouse over the reported value.

CHAIN validation
  o OK: The whole chain, including all related keys and signatures, is correct.
  o WARNING: The related record and/or zone is not using DNSSEC, or there was a timeout.
  o CRITICAL: The chain has been broken or the signatures do not match the associated key(s).
  o UNKNOWN: Some internal error occurred.

If there is a timeout for the UDP check but not for the TCP check, we suggest that you take a look at the EDNS0 validation check.

EDNS0 validation
  o OK: The current size of the packets can pass through all links on the path from the authoritative server to the DNSSEC checker.
  o CRITICAL: The authoritative name server does not support EDNS0, or one of the routers on the path from the authoritative server to the DNSSEC checker does not support EDNS0.
  o UNKNOWN: There were timeouts or some internal error occurred.

NSEC3 check
  o OK: This zone is using NSEC3 (without OPT-OUT).
  o WARNING: This zone is using NSEC or NSEC3 with OPT-OUT, or no NSEC(3) records were found. We advise you to change to NSEC3 (without OPT-OUT).
  o UNKNOWN: There were timeouts or some internal error occurred.

TTL check
  o OK: This zone complies with all recommendations in RFC 4641bis.
  o WARNING: There are one or more parameters that do not comply with the recommendations in RFC 4641bis.
  o UNKNOWN: There are not enough TTL values found to do the required calculations, there were timeouts, or some internal error occurred.
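The EDNS0 statuses above come from what a server puts in the OPT pseudo-RR (RFC 6891) of its reply, and the "UDP times out but TCP works" hint usually means large UDP answers are being dropped on the path. The following added example (not the DNSSEC Monitoring tool's own code) builds a DNS query that advertises a UDP payload size with the DO bit set, extracts the OPT RR from a reply, and maps the outcome onto the tool's OK / CRITICAL / UNKNOWN statuses. No network is used: the replies are constructed byte strings, and the payload size 1232 in the sample reply is just a chosen value.

```python
"""EDNS0 OPT pseudo-RR: build a query, parse a reply, classify the result
(added example, not the DNSSEC Monitoring tool's own code)."""
import struct
from typing import Optional, Tuple

TYPE_OPT = 41          # RFC 6891: the OPT pseudo-RR type
TYPE_SOA = 6
EDNS_DO = 0x8000       # RFC 3225: DNSSEC OK bit, top bit of the OPT "TTL" field


def encode_name(name: str) -> bytes:
    """Encode a domain name in wire format (labels + terminating zero octet)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int, txid: int, udp_payload: int = 4096) -> bytes:
    """Header + question + one OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: NAME=root, TYPE=41, CLASS=requestor's UDP payload size,
    # TTL=extended RCODE/version/flags (DO set), RDLENGTH=0 (no options).
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, EDNS_DO, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_opt(msg: bytes) -> Optional[Tuple[int, bool]]:
    """Return (udp_payload_size, do_bit) from the reply's OPT RR, or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                # question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):      # every RR: name, type, class, ttl, rdlength, rdata
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass, bool(ttl & EDNS_DO)
    return None


def edns0_status(reply: Optional[bytes]) -> Tuple[str, str]:
    """Map a reply (None = timeout) onto the EDNS0 validation statuses."""
    if reply is None:
        return ("UNKNOWN", "timeout or internal error")
    opt = parse_opt(reply)
    if opt is None:
        return ("CRITICAL", "reply carries no OPT RR: server (or path) does not support EDNS0")
    size, do = opt
    return ("OK", "server advertises a UDP payload size of %d (DO=%s)" % (size, do))


# Constructed sample replies to the query below (txid 0x1234, flags QR/RD/RA).
_question = encode_name("example.org") + struct.pack("!HH", TYPE_SOA, 1)
SAMPLE_REPLY_EDNS = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 1) + _question
                     + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO, 0))
SAMPLE_REPLY_NO_EDNS = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _question

if __name__ == "__main__":
    q = build_query("example.org", TYPE_SOA, 0x1234)
    print("query OPT:", parse_opt(q))
    print("with EDNS0:", edns0_status(SAMPLE_REPLY_EDNS))
    print("without EDNS0:", edns0_status(SAMPLE_REPLY_NO_EDNS))
    print("timeout:", edns0_status(None))
```

Sending `build_query` with several `udp_payload` values over UDP and noting which sizes still get an answer is how a checker arrives at the minimal and maximal packet sizes the report shows; a reply that is a truncated (TC) answer over UDP but complete over TCP points at the path, not the name server.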

Questions and Interference

If you have questions about the DNSSEC Monitoring tool, feel free to mail migiel.devos[at]surfnet.nl. Since the DNSSEC Monitoring tool is a non-managed service, we cannot provide service regarding response time when there is any downtime. Nevertheless, we would like to be informed when you see any abnormalities. Feel free to mail migiel.devos[at]surfnet.nl.
