Is my network ready for DNSSEC?
To check whether your network is ready for DNSSEC, read through this guide and carry out the recommended tests. For the tests, use the dig command from the BIND package, which is also available for Windows systems from www.isc.org.
A basic test can be carried out by running the following command:
$ dig +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"127.0.0.1 sent EDNS buffer size 4096"
"127.0.0.1 DNS reply size limit is at least 3843"
"Tested at 2012-04-03 10:48:03 UTC"
Using the OARC servers, you learn the maximum size of DNS UDP packets that actually reaches your resolver (the last TXT record, "DNS reply size limit", is the figure to look at). Details of how this test operates are provided here.
The complete set of tests, with descriptions:
-
Basic test
To be sure that the results of the subsequent tests are meaningful, first check that basic DNS queries work at all. For this purpose, query one of the root servers for the NS records of the root zone:
$ dig +nodnssec +norec +ignore ns . @L.ROOT-SERVERS.NET

; <<>> DiG <<>> +nodnssec +norec +ignore ns . @L.ROOT-SERVERS.NET
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4246
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15

;; QUESTION SECTION:
;.                      IN NS

;; ANSWER SECTION:
.                       518400 IN NS a.root-servers.net.
.                       518400 IN NS b.root-servers.net.
.                       518400 IN NS c.root-servers.net.
.                       518400 IN NS d.root-servers.net.
.                       518400 IN NS e.root-servers.net.
.                       518400 IN NS f.root-servers.net.
.                       518400 IN NS g.root-servers.net.
.                       518400 IN NS h.root-servers.net.
.                       518400 IN NS i.root-servers.net.
.                       518400 IN NS j.root-servers.net.
.                       518400 IN NS k.root-servers.net.
.                       518400 IN NS l.root-servers.net.
.                       518400 IN NS m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     518400 IN A 198.41.0.4
b.root-servers.net.     518400 IN A 192.228.79.201
c.root-servers.net.     518400 IN A 192.33.4.12
d.root-servers.net.     518400 IN A 128.8.10.90
e.root-servers.net.     518400 IN A 192.203.230.10
f.root-servers.net.     518400 IN A 192.5.5.241
g.root-servers.net.     518400 IN A 192.112.36.4
h.root-servers.net.     518400 IN A 128.63.2.53
i.root-servers.net.     518400 IN A 192.36.148.17
j.root-servers.net.     518400 IN A 192.58.128.30
k.root-servers.net.     518400 IN A 193.0.14.129
l.root-servers.net.     518400 IN A 199.7.83.42
m.root-servers.net.     518400 IN A 202.12.27.33
a.root-servers.net.     518400 IN AAAA 2001:503:ba3e::2:30
d.root-servers.net.     518400 IN AAAA 2001:500:2d::d

;; Query time: 52 msec
;; SERVER: 199.7.83.42#53(199.7.83.42)
;; WHEN: Tue Apr 3 13:10:16 2012
;; MSG SIZE  rcvd: 492
-
Test of UDP packet size
Check whether your system is able to receive a UDP response larger than 512 bytes. This test tells you whether firewalls along the path are blocking UDP packets larger than 512 bytes. Most signed responses fit in 1500 bytes and are sent to you as a single, unfragmented UDP packet. To check this, ask one of the root servers for a signed response:
$ dig +dnssec +norec +ignore +multi ns . @L.ROOT-SERVERS.NET

; <<>> DiG <<>> +dnssec +norec +ignore +multi ns . @L.ROOT-SERVERS.NET
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41274
;; flags: qr aa; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 23

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                      IN NS

;; ANSWER SECTION:
.                       518400 IN NS a.root-servers.net.
.                       518400 IN NS b.root-servers.net.
.                       518400 IN NS c.root-servers.net.
.                       518400 IN NS d.root-servers.net.
.                       518400 IN NS e.root-servers.net.
.                       518400 IN NS f.root-servers.net.
.                       518400 IN NS g.root-servers.net.
.                       518400 IN NS h.root-servers.net.
.                       518400 IN NS i.root-servers.net.
.                       518400 IN NS j.root-servers.net.
.                       518400 IN NS k.root-servers.net.
.                       518400 IN NS l.root-servers.net.
.                       518400 IN NS m.root-servers.net.
.                       518400 IN RRSIG NS 8 0 518400 20120410000000 (
                                20120402230000 56158 .
                                VaRaHoE9vshFaOZeFUfnWFQ8CZxbjaCWlviT6vQEDL26
                                RYrR27A3ErimjJy6HMEA98VSbPIuQxsdYD8S9TVMBz89
                                PBEPZj9lgJiiPb4LkAV96dWBtsbzzX1e8adcEAsBGrtK
                                WSXs6uu4TTQRzkmham5fR+xCRWJq2Nroj4gTFWc= )

;; ADDITIONAL SECTION:
a.root-servers.net.     518400 IN A 198.41.0.4
b.root-servers.net.     518400 IN A 192.228.79.201
c.root-servers.net.     518400 IN A 192.33.4.12
d.root-servers.net.     518400 IN A 128.8.10.90
e.root-servers.net.     518400 IN A 192.203.230.10
f.root-servers.net.     518400 IN A 192.5.5.241
g.root-servers.net.     518400 IN A 192.112.36.4
h.root-servers.net.     518400 IN A 128.63.2.53
i.root-servers.net.     518400 IN A 192.36.148.17
j.root-servers.net.     518400 IN A 192.58.128.30
k.root-servers.net.     518400 IN A 193.0.14.129
l.root-servers.net.     518400 IN A 199.7.83.42
m.root-servers.net.     518400 IN A 202.12.27.33
a.root-servers.net.     518400 IN AAAA 2001:503:ba3e::2:30
d.root-servers.net.     518400 IN AAAA 2001:500:2d::d
f.root-servers.net.     518400 IN AAAA 2001:500:2f::f
h.root-servers.net.     518400 IN AAAA 2001:500:1::803f:235
i.root-servers.net.     518400 IN AAAA 2001:7fe::53
j.root-servers.net.     518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net.     518400 IN AAAA 2001:7fd::1
l.root-servers.net.     518400 IN AAAA 2001:500:3::42
m.root-servers.net.     518400 IN AAAA 2001:dc3::35

;; Query time: 38 msec
;; SERVER: 199.7.83.42#53(199.7.83.42)
;; WHEN: Tue Apr 3 13:12:28 2012
;; MSG SIZE  rcvd: 857
-
Fragmentation test
The next step is to check whether your system accepts UDP packets larger than 1500 bytes. Depending on the network configuration, such packets may be fragmented, and the fragments in turn may be blocked by a firewall. A query for the ANY record of the root zone is answered with a packet larger than 1500 bytes:
$ dig +dnssec +norec +ignore +multi any . @L.ROOT-SERVERS.NET

; <<>> DiG <<>> +dnssec +norec +ignore +multi any . @L.ROOT-SERVERS.NET
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64562
;; flags: qr aa; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 23

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                      IN ANY

;; ANSWER SECTION:
.                       518400 IN NS a.root-servers.net.
.                       518400 IN NS b.root-servers.net.
.                       518400 IN NS c.root-servers.net.
.                       518400 IN NS d.root-servers.net.
.                       518400 IN NS e.root-servers.net.
.                       518400 IN NS f.root-servers.net.
.                       518400 IN NS g.root-servers.net.
.                       518400 IN NS h.root-servers.net.
.                       518400 IN NS i.root-servers.net.
.                       518400 IN NS j.root-servers.net.
.                       518400 IN NS k.root-servers.net.
.                       518400 IN NS l.root-servers.net.
.                       518400 IN NS m.root-servers.net.
.                       518400 IN RRSIG NS 8 0 518400 20120410000000 (
                                20120402230000 56158 .
                                VaRaHoE9vshFaOZeFUfnWFQ8CZxbjaCWlviT6vQEDL26
                                RYrR27A3ErimjJy6HMEA98VSbPIuQxsdYD8S9TVMBz89
                                PBEPZj9lgJiiPb4LkAV96dWBtsbzzX1e8adcEAsBGrtK
                                WSXs6uu4TTQRzkmham5fR+xCRWJq2Nroj4gTFWc= )
.                       172800 IN DNSKEY 256 3 8 (
                                AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5
                                GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig3
                                6TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl
                                1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
                                ) ; key id = 51201
.                       172800 IN DNSKEY 256 3 8 (
                                AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y
                                9S93el05VvXg1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7
                                PrI5RlCIyKKPbtHbpgQGkwai8O6BZ4J/ch7DGuhGJfvo
                                ECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zPqMWfY6YJ
                                ) ; key id = 56158
.                       172800 IN DNSKEY 257 3 8 (
                                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                                ) ; key id = 19036
.                       172800 IN RRSIG DNSKEY 8 0 172800 20120415235959 (
                                20120401000000 19036 .
                                ly6pyLFGPrPjLaG4nNttLQsbczbF/TFAtyU305vIMJth
                                W2Afx1OHwWCFT8zGf/g7WiqaLSEdK8M0H6tf5pf9lCFD
                                j0H9nLBlYTiRrZ+7BE8/lUP99hUiSxa9KakTkBUYH0Cw
                                /DnQ+h0Dl8ew/+QsaO4SKTJL+c1KdV3xjkYGjr6O9RUx
                                SIMmgA39DSNM7hzNdRU4O4iujJ6ZI8zrHjnkX3GmRlEr
                                dRyMb33CMcvC2DvIvZmkwYED/T1IVuQQhiqOAYyfMpVx
                                NnbZVlsxPkeHtE5v1DDcTXGY7cREd2D7Uu1gOrR7AlQG
                                5CITlNisjAc5U/Yp1fzA0wbmJnWCtCSYgA== )
.                       86400 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
.                       86400 IN RRSIG NSEC 8 0 86400 20120410000000 (
                                20120402230000 56158 .
                                HFihpTQxqsMwZnADbG9pFtW+V/0D8Idx+uvyQm5OoPfC
                                KKs7KdvP9p80LZdsRglnD5HbpvNjsyuyEz5XnZ+wa5wR
                                iCeLpOPsez8bt3tq1A+wbSSttKiwPjJHwKVVBE87HRQZ
                                NXBP9elrahYHZJziXi6bwBBwD+fto62Ph3D7bIc= )
.                       86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
                                2012040300 ; serial
                                1800       ; refresh (30 minutes)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
.                       86400 IN RRSIG SOA 8 0 86400 20120410000000 (
                                20120402230000 56158 .
                                nWwym1VLQxy87p6vVpQ0n1diSbpiWI0Zmc5TwT0hMFso
                                v3iNdJxaTfjcA/HBlsNaHkD7xK71TNYqyCCqU+rNRATv
                                N7SSiKS5Q15Ka4Dbv2NYv1HGkzXPCtuK54bH5B3URpLD
                                qh6X4Ga6t2Dw88OEu2T+nW4nVtyYvn8h56tOZoE= )

;; ADDITIONAL SECTION:
a.root-servers.net.     518400 IN A 198.41.0.4
b.root-servers.net.     518400 IN A 192.228.79.201
c.root-servers.net.     518400 IN A 192.33.4.12
d.root-servers.net.     518400 IN A 128.8.10.90
e.root-servers.net.     518400 IN A 192.203.230.10
f.root-servers.net.     518400 IN A 192.5.5.241
g.root-servers.net.     518400 IN A 192.112.36.4
h.root-servers.net.     518400 IN A 128.63.2.53
i.root-servers.net.     518400 IN A 192.36.148.17
j.root-servers.net.     518400 IN A 192.58.128.30
k.root-servers.net.     518400 IN A 193.0.14.129
l.root-servers.net.     518400 IN A 199.7.83.42
m.root-servers.net.     518400 IN A 202.12.27.33
a.root-servers.net.     518400 IN AAAA 2001:503:ba3e::2:30
d.root-servers.net.     518400 IN AAAA 2001:500:2d::d
f.root-servers.net.     518400 IN AAAA 2001:500:2f::f
h.root-servers.net.     518400 IN AAAA 2001:500:1::803f:235
i.root-servers.net.     518400 IN AAAA 2001:7fe::53
j.root-servers.net.     518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net.     518400 IN AAAA 2001:7fd::1
l.root-servers.net.     518400 IN AAAA 2001:500:3::42
m.root-servers.net.     518400 IN AAAA 2001:dc3::35

;; Query time: 48 msec
;; SERVER: 199.7.83.42#53(199.7.83.42)
;; WHEN: Tue Apr 3 13:14:08 2012
;; MSG SIZE  rcvd: 2109
-
TCP packet test
The last step is to check whether your system is able to establish a TCP connection when the UDP query fails. The DNS response to this query looks the same as the one from the fragmentation test (the third test above); the only difference is the response time.
$ dig +dnssec +norec +vc +multi any . @L.ROOT-SERVERS.NET

; <<>> DiG <<>> +dnssec +norec +vc +multi any . @L.ROOT-SERVERS.NET
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16156
;; flags: qr aa; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 23

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                      IN ANY

;; ANSWER SECTION:
.                       518400 IN NS a.root-servers.net.
.                       518400 IN NS b.root-servers.net.
.                       518400 IN NS c.root-servers.net.
.                       518400 IN NS d.root-servers.net.
.                       518400 IN NS e.root-servers.net.
.                       518400 IN NS f.root-servers.net.
.                       518400 IN NS g.root-servers.net.
.                       518400 IN NS h.root-servers.net.
.                       518400 IN NS i.root-servers.net.
.                       518400 IN NS j.root-servers.net.
.                       518400 IN NS k.root-servers.net.
.                       518400 IN NS l.root-servers.net.
.                       518400 IN NS m.root-servers.net.
.                       518400 IN RRSIG NS 8 0 518400 20120410000000 (
                                20120402230000 56158 .
                                VaRaHoE9vshFaOZeFUfnWFQ8CZxbjaCWlviT6vQEDL26
                                RYrR27A3ErimjJy6HMEA98VSbPIuQxsdYD8S9TVMBz89
                                PBEPZj9lgJiiPb4LkAV96dWBtsbzzX1e8adcEAsBGrtK
                                WSXs6uu4TTQRzkmham5fR+xCRWJq2Nroj4gTFWc= )
.                       172800 IN DNSKEY 256 3 8 (
                                AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5
                                GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig3
                                6TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl
                                1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
                                ) ; key id = 51201
.                       172800 IN DNSKEY 256 3 8 (
                                AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y
                                9S93el05VvXg1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7
                                PrI5RlCIyKKPbtHbpgQGkwai8O6BZ4J/ch7DGuhGJfvo
                                ECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zPqMWfY6YJ
                                ) ; key id = 56158
.                       172800 IN DNSKEY 257 3 8 (
                                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                                ) ; key id = 19036
.                       172800 IN RRSIG DNSKEY 8 0 172800 20120415235959 (
                                20120401000000 19036 .
                                ly6pyLFGPrPjLaG4nNttLQsbczbF/TFAtyU305vIMJth
                                W2Afx1OHwWCFT8zGf/g7WiqaLSEdK8M0H6tf5pf9lCFD
                                j0H9nLBlYTiRrZ+7BE8/lUP99hUiSxa9KakTkBUYH0Cw
                                /DnQ+h0Dl8ew/+QsaO4SKTJL+c1KdV3xjkYGjr6O9RUx
                                SIMmgA39DSNM7hzNdRU4O4iujJ6ZI8zrHjnkX3GmRlEr
                                dRyMb33CMcvC2DvIvZmkwYED/T1IVuQQhiqOAYyfMpVx
                                NnbZVlsxPkeHtE5v1DDcTXGY7cREd2D7Uu1gOrR7AlQG
                                5CITlNisjAc5U/Yp1fzA0wbmJnWCtCSYgA== )
.                       86400 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
.                       86400 IN RRSIG NSEC 8 0 86400 20120410000000 (
                                20120402230000 56158 .
                                HFihpTQxqsMwZnADbG9pFtW+V/0D8Idx+uvyQm5OoPfC
                                KKs7KdvP9p80LZdsRglnD5HbpvNjsyuyEz5XnZ+wa5wR
                                iCeLpOPsez8bt3tq1A+wbSSttKiwPjJHwKVVBE87HRQZ
                                NXBP9elrahYHZJziXi6bwBBwD+fto62Ph3D7bIc= )
.                       86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
                                2012040300 ; serial
                                1800       ; refresh (30 minutes)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
.                       86400 IN RRSIG SOA 8 0 86400 20120410000000 (
                                20120402230000 56158 .
                                nWwym1VLQxy87p6vVpQ0n1diSbpiWI0Zmc5TwT0hMFso
                                v3iNdJxaTfjcA/HBlsNaHkD7xK71TNYqyCCqU+rNRATv
                                N7SSiKS5Q15Ka4Dbv2NYv1HGkzXPCtuK54bH5B3URpLD
                                qh6X4Ga6t2Dw88OEu2T+nW4nVtyYvn8h56tOZoE= )

;; ADDITIONAL SECTION:
a.root-servers.net.     518400 IN A 198.41.0.4
b.root-servers.net.     518400 IN A 192.228.79.201
c.root-servers.net.     518400 IN A 192.33.4.12
d.root-servers.net.     518400 IN A 128.8.10.90
e.root-servers.net.     518400 IN A 192.203.230.10
f.root-servers.net.     518400 IN A 192.5.5.241
g.root-servers.net.     518400 IN A 192.112.36.4
h.root-servers.net.     518400 IN A 128.63.2.53
i.root-servers.net.     518400 IN A 192.36.148.17
j.root-servers.net.     518400 IN A 192.58.128.30
k.root-servers.net.     518400 IN A 193.0.14.129
l.root-servers.net.     518400 IN A 199.7.83.42
m.root-servers.net.     518400 IN A 202.12.27.33
a.root-servers.net.     518400 IN AAAA 2001:503:ba3e::2:30
d.root-servers.net.     518400 IN AAAA 2001:500:2d::d
f.root-servers.net.     518400 IN AAAA 2001:500:2f::f
h.root-servers.net.     518400 IN AAAA 2001:500:1::803f:235
i.root-servers.net.     518400 IN AAAA 2001:7fe::53
j.root-servers.net.     518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net.     518400 IN AAAA 2001:7fd::1
l.root-servers.net.     518400 IN AAAA 2001:500:3::42
m.root-servers.net.     518400 IN AAAA 2001:dc3::35

;; Query time: 107 msec
;; SERVER: 199.7.83.42#53(199.7.83.42)
;; WHEN: Tue Apr 3 13:15:11 2012
;; MSG SIZE  rcvd: 2109
If any of the above tests fails, there is no guarantee that you will be able to use all the functionality offered by DNSSEC. In that case, please contact your Internet service provider.
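To run the four tests in one go and judge each reply the way the guide does (status NOERROR and a reply larger than the size that test is about), here is an added shell script that is not part of the original guide; dig_summary, check_reply and run_dnssec_readiness are names assumed here, and the two sample replies are constructed from the header and trailer lines dig prints.

```shell
#!/bin/sh
# Added example, not the guide's own code. The parsing functions are exercised
# on constructed samples; run_dnssec_readiness (assumed name) needs network
# access and issues the guide's four queries against L.ROOT-SERVERS.NET.

# Summarise one dig reply read from stdin as "<status> <bytes>".
# A query that timed out prints neither field and yields "NONE 0".
dig_summary() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s) }
        }
        /MSG SIZE/ && /rcvd:/ { n = $NF }
        END { if (s == "") s = "NONE"; if (n == "") n = 0; print s, n }
    '
}

# check_reply MIN: succeed only when the reply is NOERROR and at least MIN
# bytes; SERVFAIL, a timeout, or a reply silently cut to 512 bytes all fail.
check_reply() {
    min=$1
    set -- $(dig_summary)
    [ "$1" = "NOERROR" ] && [ "$2" -ge "$min" ]
}

# The guide's four tests with the smallest reply size each must reach:
# 1 plain DNS, 2 EDNS reply over 512 bytes, 3 reply over 1500 bytes (UDP,
# possibly fragmented), 4 the same reply over TCP (+tcp is dig's current
# spelling of the guide's +vc).
run_dnssec_readiness() {
    srv=${1:-L.ROOT-SERVERS.NET}
    dig +nodnssec +norec +ignore ns . @"$srv" | check_reply 1 \
        && echo "1 basic DNS:        ok" || echo "1 basic DNS:        FAIL"
    dig +dnssec +norec +ignore +multi ns . @"$srv" | check_reply 513 \
        && echo "2 UDP > 512 bytes:  ok" || echo "2 UDP > 512 bytes:  FAIL"
    dig +dnssec +norec +ignore +multi any . @"$srv" | check_reply 1501 \
        && echo "3 UDP > 1500 bytes: ok" || echo "3 UDP > 1500 bytes: FAIL"
    dig +dnssec +norec +tcp +multi any . @"$srv" | check_reply 1501 \
        && echo "4 TCP fallback:     ok" || echo "4 TCP fallback:     FAIL"
}

# Constructed sample: header and trailer of the fragmentation-test reply.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64562
;; flags: qr aa; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 23
;; MSG SIZE  rcvd: 2109'
# Constructed sample: what dig prints when a firewall drops the reply.
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
```

Call run_dnssec_readiness with no argument (or with another root server name) from a host on the network you want to assess; the summary lines map one-to-one onto the four tests above.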