nanog mailing list archives

Re: DNSSEC deployment testing and awareness


From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 30 Mar 2010 21:29:22 +0200

* Phil Regnauld:

      Fair enough.  Some simple "check your DNS reply size test
      [what is this ?]"  page ought to be set up, with a simple
      explanation.  "checkmydns.org" is available.  If I get 5
      minutes... :)

Reply sizes are a red herring.  You need something that looks at the
result of ./IN/DNSKEY, ./IN/RRSIG, ./IN/NSEC.  At least one of these
queries should return data, some of the time.  (Unfortunately, the
test is probabilistic.)

Then you know that your resolver can receive data from the signed root
and will not cease to work when all the roots serve the signed zone.
Other tests can't tell you that.

If your resolver is DNSSEC-aware, you can force cache misses by using
random query names with a non-existing TLD.  This variant of the test
is much easier to carry out.

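As an added example (not code from the thread), a small standard-library Python probe that does what the post suggests: it queries the root for DNSKEY, RRSIG and NSEC with the EDNS0 DO bit set and reports whether data came back, then forces a cache miss with a random label under a random, non-existent TLD and checks that the NXDOMAIN carries the root's NSEC and RRSIG records. The resolver address 127.0.0.1 and the random-TLD construction are assumptions.

```python
"""Query the root for DNSKEY/RRSIG/NSEC with the DO bit, then force a cache miss."""
import os, socket, struct
RRSIG, NSEC, DNSKEY, OPT = 46, 47, 48, 41

def encode_name(name):
    """Wire-format a dotted name; "." (the root) is a single zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, qtype, txid=0x1234):
    """Recursive query plus an OPT RR (4096-byte UDP payload, DO bit set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x00008000, 0)
    return header + question + opt

def skip_name(data, off):
    """Advance past a (possibly compressed) name; return the new offset."""
    while (data[off] & 0xC0) != 0xC0:    # a 2-byte pointer ends the name
        if data[off] == 0:
            return off + 1
        off += 1 + data[off]
    return off + 2

def parse_response(data):
    """Return (rcode, answer_count, RR types seen in answer + authority)."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", data[:12])
    off, types = 12, set()
    for _ in range(qd):
        off = skip_name(data, off) + 4   # skip QTYPE and QCLASS
    for _ in range(an + ns):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        types.add(rtype)
        off += 10 + rdlen
    return flags & 0x000F, an, types

def probe(resolver, qname, qtype, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # one UDP query
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype), (resolver, 53))
        return parse_response(s.recv(4096))

if __name__ == "__main__":
    resolver = "127.0.0.1"               # assumption: point at your resolver
    for qtype in (DNSKEY, RRSIG, NSEC):  # want rcode 0 and answers > 0
        print(qtype, probe(resolver, ".", qtype)[:2])
    miss = os.urandom(6).hex() + "." + os.urandom(4).hex() + "."  # random TLD
    rcode, _, types = probe(resolver, miss, 1)
    print("NXDOMAIN carrying NSEC+RRSIG:", rcode == 3 and {NSEC, RRSIG} <= types)
```

As the post notes, the root queries are probabilistic (a cached, DO-less answer may come back empty), so repeat them; the random-name variant is the reliable one on a DNSSEC-aware resolver.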
