The DNSSEC Monitoring tool can be consulted online; it is therefore not necessary to install any additional programs.
Functionality
The DNSSEC Monitoring tool offers the following functionality:

- It is possible to execute a chain validation check that determines if the complete chain of trust from the secure entry point to the zone is secure and if the signature belonging to the given domain name and domain type is correct. Here we distinguish:
  o TCP check, which tests the TCP response for the authoritative servers that belong to the zone related to the domain name.
  o UDP check, which tests the UDP response for the authoritative servers that belong to the zone related to the domain name.
- An EDNS0 validation check can be executed to see what the minimal and maximal packet size is for the zone belonging to the given domain name. This check is done for each known NS record.
- The NSEC3 check will perform a check to find out which secure denial of existence mechanism is used. It is advisable to use NSEC3 to prevent zone enumeration.
- The TTL check will verify whether the TTL parameters used in the zone comply with the recommendations in RFC 4641bis.
Output
For each output additional information can be provided. To view this information, move your mouse over the reported value.

CHAIN validation
  o OK: The whole chain, including all related keys and signatures, is correct.
  o WARNING: The related record and/or zone is not using DNSSEC or there was a timeout.
  o CRITICAL: The chain has been broken or the signatures do not match the associated key(s).
  o UNKNOWN: Some internal error occurred.

If there is a timeout for the UDP check, but not for the TCP check, we suggest that you take a look at the EDNS0 validation check.

EDNS0 validation
  o OK: The current size of the packets can pass through all links on the path from the authoritative server to the DNSSEC checker.
  o CRITICAL: The authoritative name server does not support EDNS0, or one of the routers on the path from the authoritative server to the DNSSEC checker does not support EDNS0.
  o UNKNOWN: There were timeouts or some internal error occurred.

NSEC3 check
  o OK: This zone is using NSEC3 (without OPTOUT).
  o WARNING: This zone is using NSEC or NSEC3 with OPTOUT, or no NSEC(3) records were found. We advise you to change to NSEC3 (without OPTOUT).
  o UNKNOWN: There were timeouts or some internal error occurred.

TTL check
  o OK: This zone complies with all recommendations in RFC 4641bis.
  o WARNING: There are one or more parameters that do not comply with the recommendations in RFC 4641bis.
  o UNKNOWN: There are not enough TTL values found to do the calculations required, there were timeouts or some internal error occurred.
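The NSEC3 check above, as an added example that is not part of the tool or of this guide: a Python classifier that maps the denial-of-existence records found in a signed negative answer onto the OK/WARNING statuses listed here. It assumes the caller has already collected the records (the RDATA below is constructed, not captured from a real zone) and reads the Opt-Out bit from the NSEC3 RRs themselves, because RFC 5155 specifies that this flag is ignored in NSEC3PARAM.

```python
import struct

# RFC 5155 section 3.1.2.1: bit 0 of the NSEC3 Flags octet is Opt-Out.
# The same bit in NSEC3PARAM is ignored, so opt-out must be read from NSEC3 RRs.
NSEC3_OPT_OUT = 0x01


def parse_nsec3_header(rdata):
    """Parse the fixed leading fields shared by NSEC3 and NSEC3PARAM RDATA:
    hash algorithm (1 octet), flags (1), iterations (2), salt length (1), salt."""
    if len(rdata) < 5:
        raise ValueError("NSEC3 RDATA too short")
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    salt = rdata[5:5 + salt_len]
    if len(salt) != salt_len:
        raise ValueError("NSEC3 salt truncated")
    return {"alg": alg, "flags": flags, "iterations": iterations, "salt": salt}


def classify_denial(records):
    """records: list of (rrtype, rdata_bytes) pairs collected from the authority
    section of a signed negative answer. Returns (status, reason) using the
    same statuses as the tool's NSEC3 check."""
    nsec3 = [parse_nsec3_header(rd) for t, rd in records if t == "NSEC3"]
    if nsec3:
        if any(h["flags"] & NSEC3_OPT_OUT for h in nsec3):
            return "WARNING", "NSEC3 with OPTOUT"
        return "OK", "NSEC3 without OPTOUT"
    if any(t == "NSEC" for t, _ in records):
        return "WARNING", "NSEC"
    return "WARNING", "no NSEC(3) records found"


# Constructed sample RDATA (not captured from a real zone): SHA-1 (alg 1),
# flags, 10 iterations, 2-octet salt abcd, then a 4-octet hashed next owner
# and a type bitmap window, which classify_denial does not need to decode.
NSEC3_NO_OPTOUT = bytes.fromhex("0100000a02abcd" "04deadbeef" "000140")
NSEC3_OPTOUT = bytes.fromhex("0101000a02abcd" "04deadbeef" "000140")


if __name__ == "__main__":
    for label, recs in [("nsec3", [("NSEC3", NSEC3_NO_OPTOUT)]),
                        ("optout", [("NSEC3", NSEC3_OPTOUT)]),
                        ("nsec", [("NSEC", b"\x03foo\x00\x00\x01\x40")]),
                        ("none", [])]:
        print(label, classify_denial(recs))
```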
QuestionsandInterference
If you have questions about the DNSSEC Monitoring tool, feel free to mail migiel.devos[at]surfnet.nl.

Since the DNSSEC Monitoring tool is a non-managed service, we cannot provide service regarding response time when there is any downtime. Nevertheless we would like to be informed when you see any abnormalities. Feel free to mail migiel.devos[at]surfnet.nl.