Dnssec Manual

Introduction

The DNSSEC Monitoring tool is an application that is able to validate your DNSSEC zones. This monitoring tool is able to find:

- network related issues, such as firewall problems
- trust related issues, such as incorrect secure parent to child delegations
- zone related issues, such as time/duration problems
- DNSSEC choices, such as NSEC vs. NSEC3

The DNSSEC Monitoring tool can be consulted online; it is therefore not necessary to install any additional programs.

Functionality

The DNSSEC Monitoring tool offers the following functionality:

- It is possible to execute a chain validation check that determines whether the complete chain of trust from the secure entry point down to the zone is secure, and whether the signature belonging to the given domain name and record type is correct. Here we distinguish:
  o TCP check, which tests the TCP response of the authoritative servers that belong to the zone related to the domain name.
  o UDP check, which tests the UDP response of the authoritative servers that belong to the zone related to the domain name.
- An EDNS0 validation check can be executed to see what the minimal and maximal packet size is for the zone belonging to the given domain name. This check is done for each known NS record.
- The NSEC3 check will find out which secure denial of existence mechanism is used. It is advisable to use NSEC3 to prevent zone enumeration: with NSEC the owner names of the zone are listed in the clear and the zone can be walked record by record, with NSEC3 only hashes of the names are exposed. NSEC3 does not make enumeration impossible (the hashes can still be attacked offline with a dictionary), but it removes the trivial walk.
- The TTL check will verify whether the TTL parameters used in the zone comply with the recommendations in RFC 4641bis (published as RFC 6781, DNSSEC Operational Practices, Version 2).
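The EDNS0 check above probes what reply size still gets through between an authoritative server and the checker. The following is an added example of how such a probe can be built, not the SURFnet tool's own code: it constructs a DNS query carrying an EDNS0 OPT record with a chosen UDP payload size and the DO bit, reads the TC flag of the reply, and binary-searches for the largest advertised size that still gets a reply. The qname example.nl, the transaction id, the simulated path limit of 1472 bytes and the sim_probe stand-in for the network are all constructed assumptions so that the example runs offline; udp_probe is the real-network variant.

```python
"""EDNS0 reply-size probe, added example (not the SURFnet tool's code)."""
import socket
import struct

TYPE_DNSKEY = 48      # a large RRset, a good candidate for a big reply
TYPE_OPT = 41         # EDNS0 OPT pseudo-RR (RFC 6891)
FLAG_TC = 0x0200      # header flag: reply was truncated
EDNS_DO = 0x8000      # OPT TTL field: DNSSEC OK bit, asks for RRSIGs
TXID = 0x1234         # constructed fixed transaction id for this example


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels, terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_edns0_query(qname: str, qtype: int, udp_size: int, txid: int = TXID) -> bytes:
    """Wire-format query: header, one question, one OPT RR in the additional section.

    In the OPT RR the CLASS field carries the advertised UDP payload size and
    the TTL field carries extended RCODE, EDNS version and the DO flag.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)  # root name, RDLEN=0
    return header + question + opt


def parse_header(reply: bytes) -> dict:
    """Decode the 12-byte DNS header of a reply."""
    txid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0x0F,
            "ancount": an, "arcount": ar}


def udp_probe(server: str, qname: str, udp_size: int, timeout: float = 2.0):
    """Network probe: True if an untruncated reply arrives, False if the reply
    is truncated, None on timeout (fragments dropped, no EDNS0, ...)."""
    query = build_edns0_query(qname, TYPE_DNSKEY, udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            reply, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    hdr = parse_header(reply)
    if hdr["id"] != TXID:
        return None
    return not hdr["tc"]


def largest_working_size(probe, lo: int = 512, hi: int = 4096):
    """Binary search for the largest advertised size at which probe() still
    succeeds. Returns None if even `lo` fails (no EDNS0 or a broken path)."""
    if probe(lo) is not True:
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid) is True:
            lo = mid
        else:
            hi = mid - 1
    return lo


def sim_probe(path_limit: int = 1472):
    """Constructed stand-in for udp_probe: the server fills its reply up to the
    advertised size and the path silently drops anything above path_limit."""
    def probe(udp_size: int):
        return True if udp_size <= path_limit else None
    return probe


def verdict(max_size):
    """Map the probe outcome onto the two EDNS0 outputs the manual describes."""
    return "CRITICAL" if max_size is None else "OK"


if __name__ == "__main__":
    size = largest_working_size(sim_probe())
    print("largest reply size that passes:", size, "->", verdict(size))
```

To probe a real name server, replace `sim_probe()` with `lambda n: udp_probe("192.0.2.53", "example.nl", n)` (address and name are placeholders). A server that answers over TCP but times out over UDP at every size above 512 is exactly the situation the manual's chain validation note points to.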

Output

For each output additional information can be provided. To view this information, move your mouse over the reported value.

- CHAIN validation
  o OK: The whole chain, including all related keys and signatures, is correct.
  o WARNING: The related record and/or zone is not using DNSSEC, or there was a timeout.
  o CRITICAL: The chain has been broken or the signatures do not match the associated key(s).
  o UNKNOWN: Some internal error occurred.


  If there is a timeout for the UDP check but not for the TCP check, we suggest that you take a look at the EDNS0 validation check: a TCP answer that arrives while the UDP answer does not usually means that large (fragmented) UDP replies are being dropped somewhere on the path.
- EDNS0 validation
  o OK: The current size of the packets can pass through all links on the path from the authoritative server to the DNSSEC checker.
  o CRITICAL: The authoritative name server does not support EDNS0, or one of the routers or firewalls on the path from the authoritative server to the DNSSEC checker does not pass the larger UDP packets that EDNS0 allows.
  o UNKNOWN: There were timeouts or some internal error occurred.
- NSEC3 check
  o OK: This zone is using NSEC3 (without OPT-OUT).
  o WARNING: This zone is using NSEC, or NSEC3 with OPT-OUT, or no NSEC(3) records were found. We advise you to change to NSEC3 (without OPT-OUT).
  o UNKNOWN: There were timeouts or some internal error occurred.
- TTL check
  o OK: This zone complies with all recommendations in RFC 4641bis.
  o WARNING: There are one or more parameters that do not comply with the recommendations in RFC 4641bis.
  o UNKNOWN: There were not enough TTL values found to do the required calculations, there were timeouts, or some internal error occurred.
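The NSEC3 check in the Functionality section and its OK/WARNING outputs above come down to reading the denial-of-existence records in the authority section of a negative answer. Here is an added example of that classification, not the SURFnet tool's own code: it takes records in presentation format, as `dig +dnssec` prints them, detects NSEC versus NSEC3, reads the Opt-Out bit from the NSEC3 Flags field (RFC 5155 section 3.1.2.1) and returns the verdict the manual describes. The sample records are constructed; the owner name example.nl, the hashes and the salt do not come from any real zone.

```python
"""Denial-of-existence classification, added example (not the SURFnet tool's code)."""

NSEC3_FLAG_OPT_OUT = 0x01   # RFC 5155: Opt-Out is the low-order bit of the Flags byte


def parse_rr(line: str):
    """Split a presentation-format RR into (owner, ttl, class, type, rdata fields)."""
    fields = line.split()
    if len(fields) < 4:
        return None
    owner, ttl, rclass, rtype = fields[:4]
    return owner, ttl, rclass, rtype.upper(), fields[4:]


def nsec3_opt_out(rdata) -> bool:
    """NSEC3 rdata in presentation format: hash-alg flags iterations salt next-hash [types...]."""
    return bool(int(rdata[1]) & NSEC3_FLAG_OPT_OUT)


def classify_denial(authority_lines):
    """Return (verdict, reason) following the manual's NSEC3 check outputs."""
    seen_nsec = seen_nsec3 = opt_out = False
    for line in authority_lines:
        line = line.strip()
        if not line or line.startswith(";"):      # skip dig comments and blank lines
            continue
        rr = parse_rr(line)
        if rr is None:
            continue
        rtype, rdata = rr[3], rr[4]
        if rtype == "NSEC":
            seen_nsec = True
        elif rtype == "NSEC3" and len(rdata) >= 2:
            seen_nsec3 = True
            opt_out = opt_out or nsec3_opt_out(rdata)
    if seen_nsec3:
        if opt_out:
            return "WARNING", "zone uses NSEC3 with Opt-Out; unsigned delegations are not covered"
        return "OK", "zone uses NSEC3 without Opt-Out"
    if seen_nsec:
        return "WARNING", "zone uses NSEC; owner names are exposed and the zone can be walked"
    return "WARNING", "no NSEC or NSEC3 records found; is the zone signed at all?"


# Constructed authority sections (tab-separated like dig output, hashes made up).
SAMPLE_NSEC3 = [
    ";; AUTHORITY SECTION (constructed, not a real zone)",
    "example.nl.\t3600\tIN\tSOA\tns1.example.nl. hostmaster.example.nl. 2019073001 7200 3600 1209600 3600",
    "example.nl.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20190830000000 20190730000000 12345 example.nl. c29tZXNpZw==",
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.nl.\t3600\tIN\tNSEC3\t1 0 10 aabbccdd "
    "2vptu5timamqttgl4luu9kg21e0aor3s A NS SOA RRSIG DNSKEY NSEC3PARAM",
]
SAMPLE_NSEC3_OPT_OUT = [
    line.replace("NSEC3\t1 0 10", "NSEC3\t1 1 10") for line in SAMPLE_NSEC3
]
SAMPLE_NSEC = [
    "example.nl.\t3600\tIN\tSOA\tns1.example.nl. hostmaster.example.nl. 2019073001 7200 3600 1209600 3600",
    "example.nl.\t3600\tIN\tNSEC\ta.example.nl. A NS SOA RRSIG NSEC DNSKEY",
]
SAMPLE_UNSIGNED = [
    "example.nl.\t3600\tIN\tSOA\tns1.example.nl. hostmaster.example.nl. 2019073001 7200 3600 1209600 3600",
]


if __name__ == "__main__":
    for name, sample in [("nsec3", SAMPLE_NSEC3), ("nsec3 opt-out", SAMPLE_NSEC3_OPT_OUT),
                         ("nsec", SAMPLE_NSEC), ("unsigned", SAMPLE_UNSIGNED)]:
        print(name, "->", classify_denial(sample))
```

To feed it live data, run `dig +dnssec +norecurse @ns1.example.nl doesnotexist.example.nl A` against each authoritative server and pass the lines of the AUTHORITY SECTION to `classify_denial`; querying a name that does not exist is what forces the server to return its NSEC or NSEC3 records.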

Questions and Interference

If you have questions about the DNSSEC Monitoring tool, feel free to mail migiel.devos[at]surfnet.nl.

Since the DNSSEC Monitoring tool is a non-managed service, we cannot give any guarantee regarding response time when there is downtime. Nevertheless we would like to be informed when you see any abnormalities. Feel free to mail migiel.devos[at]surfnet.nl.