7/30/2019 Dnssec Manual
Introduction

The DNSSEC Checking tool is an application that is able to validate your DNSSEC zones. This monitoring tool is able to find:

- network related issues, such as firewall problems
- trust related issues, such as incorrect secure parent to child delegations
- zone related issues, such as time/duration problems
- DNSSEC choices, such as NSEC vs. NSEC3

The DNSSEC Monitoring tool can be consulted online; it is therefore not necessary to install any additional programs.
Functionality

The DNSSEC Monitoring tool offers the following functionality:

- It is possible to execute a chain validation check that determines if the complete chain of trust from the secure entry point to the zone is secure and if the signature belonging to the given domain name and domain type is correct. Here we distinguish:
  o TCP check, which tests the TCP response for the authoritative servers that belong to the zone related to the domain name.
  o UDP check, which tests the UDP response for the authoritative servers that belong to the zone related to the domain name.
- An EDNS0 validation check can be executed to see what the minimal and maximal packet size is for the zone belonging to the given domain name. This check is done for each known NS record.
- The NSEC3 check will perform a check to find out which secure denial of existence mechanism is used. It is advisable to use NSEC3 to prevent zone enumeration.
- The TTL check will verify whether the TTL parameters used in the zone comply with the recommendations in RFC 4641bis.
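The EDNS0 validation check described above works by sending queries that advertise a particular UDP payload size and seeing whether, and how, the authoritative server answers. The following is an added example, not code from the SURFnet tool, that shows the two halves of such a probe in pure Python: building a DNS query carrying an OPT record with a chosen buffer size, and reading the TC bit and the server's own advertised size back out of a response. The qname example.com, the transaction id, and the responses are constructed here so the code runs offline; the status mapping in assess_edns0 is this example's reading of the manual's OK/CRITICAL/UNKNOWN wording, not the tool's algorithm.

```python
"""EDNS0 probe building and response inspection (added example, constructed data)."""
import struct

TYPE_OPT = 41
TYPE_DNSKEY = 48
CLASS_IN = 1
DO_BIT = 0x8000  # DNSSEC OK flag: high bit of the OPT record's 32-bit TTL field (RFC 3225)
FLAG_TC = 0x0200  # truncation bit in the DNS header flags


def encode_name(name: str) -> bytes:
    """Encode a dotted name in uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_edns0_query(qname: str, qtype: int, udp_size: int, txid: int = 0x1234) -> bytes:
    """Standard query (RD=0) with one question and one OPT RR advertising udp_size."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR (RFC 6891): root owner name, TYPE=41, CLASS=requestor's UDP payload size,
    # TTL=extended RCODE/version/flags (DO set), RDLENGTH=0 (no options)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT, 0)
    return header + question + opt


def skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_response_edns(msg: bytes):
    """Return (truncated, server_udp_size); server_udp_size is None when no OPT RR is present."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    truncated = bool(flags & FLAG_TC)
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    server_size = None
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rrtype, rrclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        if rrtype == TYPE_OPT:
            server_size = rrclass  # the CLASS field of OPT carries the sender's UDP payload size
    return truncated, server_size


def build_sample_response(query: bytes, server_udp_size, truncated: bool = False) -> bytes:
    """Construct a minimal response to `query` for offline testing (no answer records)."""
    flags = 0x8400 | (FLAG_TC if truncated else 0)  # QR=1, AA=1
    arcount = 0 if server_udp_size is None else 1
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, arcount)
    question = query[12:skip_name(query, 12) + 4]
    opt = b"" if server_udp_size is None else b"\x00" + struct.pack("!HHIH", TYPE_OPT, server_udp_size, DO_BIT, 0)
    return header + question + opt


def assess_edns0(response, probe_size: int):
    """Map one probe outcome onto the manual's status words (this example's interpretation)."""
    if response is None:
        return "UNKNOWN", "no response within the timeout for a %d-byte probe" % probe_size
    truncated, server_size = parse_response_edns(response)
    if server_size is None:
        return "CRITICAL", "the authoritative name server answered without an OPT record (no EDNS0 support)"
    note = "server advertises %d bytes" % server_size
    if truncated:
        note += "; answer was truncated at %d bytes, so a larger buffer or TCP is needed" % probe_size
    return "OK", note


if __name__ == "__main__":
    query = build_edns0_query("example.com.", TYPE_DNSKEY, 1232)
    for resp in (build_sample_response(query, 4096), build_sample_response(query, None), None):
        print(assess_edns0(resp, 1232))
```

In practice the probe would be sent over UDP to each NS of the zone with a series of advertised sizes; a reply for a small size but silence for a large one points at a path that drops fragmented or oversized UDP datagrams, which is the situation the manual's CRITICAL text describes.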
Output

For each output additional information can be provided. To view this information, move your mouse over the reported value.

CHAIN validation
  o OK: The whole chain, including all related keys and signatures, is correct.
  o WARNING: The related record and/or zone is not using DNSSEC or there was a timeout.
  o CRITICAL: The chain has been broken or the signatures do not match the associated key(s).
  o UNKNOWN: Some internal error occurred.
If there is a timeout for the UDP check, but not for the TCP check, we suggest that you take a look at the EDNS0 validation check.

EDNS0 validation
  o OK: The current size of the packets can pass through all links on the path from the authoritative server to the DNSSEC checker.
  o CRITICAL: The authoritative name server does not support EDNS0, or one of the routers on the path from the authoritative server to the DNSSEC checker does not support EDNS0.
  o UNKNOWN: There were timeouts or some internal error occurred.

NSEC3 check
  o OK: This zone is using NSEC3 (without OPTOUT).
  o WARNING: This zone is using NSEC or NSEC3 with OPTOUT, or no NSEC(3) records were found. We advise you to change to NSEC3 (without OPTOUT).
  o UNKNOWN: There were timeouts or some internal error occurred.

TTL check
  o OK: This zone complies with all recommendations in RFC 4641bis.
  o WARNING: There are one or more parameters that do not comply with the recommendations in RFC 4641bis.
  o UNKNOWN: There are not enough TTL values found to do the calculations required, there were timeouts, or some internal error occurred.
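The NSEC3 check's three outcomes depend on which records appear in the authority section of a negative answer and on one bit of the NSEC3 RDATA: the Opt-Out flag (RFC 5155). The following is an added example, not code from the SURFnet tool, that decodes NSEC3 RDATA from wire format and maps the records found to the OK/WARNING/UNKNOWN statuses listed above. The records are constructed in the block (hashes, salt and type bitmap are placeholder values); a real check would take them from the authority section of an NXDOMAIN or NODATA response from the zone's authoritative servers.

```python
"""NSEC3 Opt-Out detection and denial-of-existence classification (added example, constructed data)."""
import struct

# RR type codes (IANA DNS parameters registry)
TYPE_NSEC = 47
TYPE_NSEC3 = 50
NSEC3_FLAG_OPT_OUT = 0x01  # RFC 5155 section 3.1.2.1: bit 7 of the flags byte


def parse_nsec3_rdata(rdata: bytes) -> dict:
    """Decode NSEC3 RDATA (RFC 5155 section 3.2) from wire format."""
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    hash_len = rdata[pos]
    pos += 1
    next_hashed = rdata[pos:pos + hash_len]
    pos += hash_len
    return {
        "hash_alg": hash_alg,
        "flags": flags,
        "opt_out": bool(flags & NSEC3_FLAG_OPT_OUT),
        "iterations": iterations,
        "salt": salt.hex() or "-",  # presentation format uses "-" for an empty salt
        "next_hashed": next_hashed,
        "type_bitmap": rdata[pos:],
    }


def classify_denial(authority_rrs):
    """authority_rrs: list of (rrtype, rdata) from a negative answer's AUTHORITY section,
    or None when the query timed out. Returns (status, message) following the manual's
    NSEC3 check wording."""
    if authority_rrs is None:
        return "UNKNOWN", "There were timeouts or some internal error occurred."
    nsec3 = [parse_nsec3_rdata(rd) for t, rd in authority_rrs if t == TYPE_NSEC3]
    nsec = [rd for t, rd in authority_rrs if t == TYPE_NSEC]
    advice = " We advise you to change to NSEC3 (without OPTOUT)."
    if nsec3:
        if any(r["opt_out"] for r in nsec3):
            return "WARNING", "This zone is using NSEC3 with OPTOUT." + advice
        return "OK", "This zone is using NSEC3 (without OPTOUT)."
    if nsec:
        return "WARNING", "This zone is using NSEC." + advice
    return "WARNING", "No NSEC(3) records were found." + advice


def build_nsec3_rdata(flags: int, iterations: int = 0, salt: bytes = b"",
                      next_hashed: bytes = b"\x00" * 20,
                      type_bitmap: bytes = b"\x00\x01\x40") -> bytes:
    """Construct NSEC3 RDATA for sample records (SHA-1 hash alg, placeholder hash, bitmap = {A})."""
    return (struct.pack("!BBHB", 1, flags, iterations, len(salt)) + salt
            + bytes([len(next_hashed)]) + next_hashed + type_bitmap)


# Constructed sample authority sections (not real zone data)
SAMPLE_NSEC3_NO_OPTOUT = [(TYPE_NSEC3, build_nsec3_rdata(0x00, iterations=5, salt=bytes.fromhex("aabbccdd")))]
SAMPLE_NSEC3_OPTOUT = [(TYPE_NSEC3, build_nsec3_rdata(NSEC3_FLAG_OPT_OUT))]
SAMPLE_NSEC = [(TYPE_NSEC, b"\x03foo\x07example\x00" + b"\x00\x01\x40")]  # next name foo.example, bitmap {A}
SAMPLE_EMPTY = []

if __name__ == "__main__":
    for label, rrs in (("NSEC3", SAMPLE_NSEC3_NO_OPTOUT), ("NSEC3 opt-out", SAMPLE_NSEC3_OPTOUT),
                       ("NSEC", SAMPLE_NSEC), ("none", SAMPLE_EMPTY), ("timeout", None)):
        print(label, "->", classify_denial(rrs))
```

Opt-Out is flagged here because an NSEC3 chain with Opt-Out does not cover unsigned delegations, so a resolver cannot prove that an insecure delegation was absent; that is why the manual rates it WARNING alongside plain NSEC, which exposes the zone to enumeration.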
Questions and Interference

If you have questions about the DNSSEC Monitoring tool, feel free to mail migiel.devos[at]surfnet.nl

Since the DNSSEC Monitoring tool is a non-managed service, we cannot provide service regarding response time when there is any downtime. Nevertheless, we would like to be informed when you see any abnormalities. Feel free to mail migiel.devos[at]surfnet.nl