DNSSEC Readiness
- Subject: DNSSEC Readiness
- From: fw at deneb.enyo.de (Florian Weimer)
- Date: Mon, 15 Feb 2010 20:04:41 +0100
- In-reply-to: <[email protected]> (Charles N. Wyble's message of "Mon, 15 Feb 2010 10:14:54 -0800")
- References: <[email protected]>
* Charles N. Wyble:
> How are folks verifying DNSSEC readiness of their environments? Any
> existing testing methodologies / resources that folks are using?
For now, running (with a real resolver address instead of 192.0.2.1)
dig @192.0.2.1 $RANDOM. +dnssec
and checking if a certain percentage of the responses include DNSSEC
data. This means that your resolver can get data from DURZ-enabled
servers, so you should be fine when the root is signed.
If your resolvers are not security-aware, use
dig @192.0.2.1 . NSEC
dig @192.0.2.1 . RRSIG
dig @192.0.2.1 . DNSKEY
but you can run this variant of the test only once per day.
If you never, ever get any DNSSEC data for these queries, you will
very likely have a problem once all root servers have switched to
serving DURZ (and later DNSSEC) data.
> It seems like this is something that will become a front and center
> issue for help desks everywhere pretty quick. :)
Why do you think so? Would you even notice if your webmail provider
switches to HTTPS by default (or back to HTTP)?
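The two dig probes above, wrapped into a small readiness check. This is an added example, not code from the original message: it scores saved dig replies for DNSSEC records (RRSIG, NSEC, NSEC3 or DNSKEY), which is the same question for both variants, the +dnssec random-label query and the `. NSEC` / `. RRSIG` / `. DNSKEY` query against a non-security-aware resolver. The sample replies are constructed, not captured from a real resolver, with dummy signature bytes; the resolver address, query count and file layout are assumptions, and the live probe only runs when dig is installed and an address is passed.

```bash
#!/bin/bash
# Added example (not from the original post): score dig replies for DNSSEC
# data, the way the reply above suggests, and optionally run the live probe.

# Exit 0 when a dig reply (read from stdin) carries DNSSEC records, i.e. an
# RRSIG, NSEC, NSEC3 or DNSKEY RR in the answer or authority section. dig
# prints RRs as "NAME TTL IN TYPE RDATA" and prefixes everything else
# (header, question section, comments) with ';'.
has_dnssec_data() {
    grep -v '^;' | awk '
        $3 == "IN" && ($4 == "RRSIG" || $4 == "NSEC" || $4 == "NSEC3" || $4 == "DNSKEY") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the percentage of saved replies (one file each) that carried DNSSEC
# data. Saving replies first keeps the check reproducible and lets you look
# at the misses afterwards.
dnssec_hit_percent() {
    local dir=$1 total=0 hits=0 f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        total=$((total + 1))
        if has_dnssec_data < "$f"; then
            hits=$((hits + 1))
        fi
    done
    [ "$total" -gt 0 ] || { echo 0; return 1; }
    echo $((hits * 100 / total))
}

# Live probe: query $count random non-existent TLDs with the DO bit set and
# store each reply (resolver address and count are the caller's choice).
probe_resolver() {
    local resolver=$1 count=${2:-20} outdir=$3 i
    mkdir -p "$outdir"
    for i in $(seq 1 "$count"); do
        dig @"$resolver" "$RANDOM." +dnssec > "$outdir/q$i.txt"
    done
}

# Two constructed replies (not captured from a real resolver) in the shape
# dig prints: one where the resolver got DNSSEC data for the random-label
# query (NXDOMAIN with NSEC and RRSIG in the authority section), one where
# it got only the bare SOA. The RRSIG bytes are dummies.
write_sample_responses() {
    local dir=$1
    mkdir -p "$dir"
    cat > "$dir/signed.txt" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;12345.   IN  A

;; AUTHORITY SECTION:
.  86400  IN  SOA    a.root-servers.net. nstld.verisign-grs.com. 2010021501 1800 900 604800 86400
.  86400  IN  RRSIG  SOA 8 0 86400 20100222000000 20100215000000 12345 . AAAAAAAAdummy=
.  86400  IN  NSEC   ac. NS SOA RRSIG NSEC DNSKEY
.  86400  IN  RRSIG  NSEC 8 0 86400 20100222000000 20100215000000 12345 . AAAAAAAAdummy=
EOF
    cat > "$dir/unsigned.txt" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;23456.   IN  A

;; AUTHORITY SECTION:
.  86400  IN  SOA    a.root-servers.net. nstld.verisign-grs.com. 2010021501 1800 900 604800 86400
EOF
}

# Usage: ./dnssec_ready.sh [RESOLVER_IP [COUNT]]
# Without arguments the check runs against the constructed samples only.
workdir=$(mktemp -d)
if [ -n "${1:-}" ] && command -v dig > /dev/null; then
    probe_resolver "$1" "${2:-20}" "$workdir"
    echo "$1: $(dnssec_hit_percent "$workdir")% of replies carried DNSSEC data"
else
    write_sample_responses "$workdir"
    echo "sample: $(dnssec_hit_percent "$workdir")% of replies carried DNSSEC data"
fi
rm -rf "$workdir"
```

A resolver that never returns DNSSEC records for the +dnssec probe, or for the `.` NSEC/RRSIG/DNSKEY queries, is the case the message warns about; a partial percentage usually means only some of the forwarders or upstream servers behind that address pass the data through, which is worth finding before the root is signed rather than after.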