Anand,

Thanks, those are some good suggestions.

I don't think this will turn into DNSViz or Verisign's DNSsec debugger, and 
it's my intention that this NAGIOS check primarily is to verify that the DNS 
resolver is configured for DNSsec validation, not to verify that any one zone 
is healthy or functioning.  As Edward Lewis mentioned in an earlier posting, 
the ideal situation is to use good and canary zones under one's own control.  
We don't want a NAGIOS check to fail because a zone used for testing isn't 
working as expected (and the fault is the zone, not the resolver).  For that 
reason, I will be using several good and canary zones to test for DNSsec 
validation.

Frank

-----Original Message-----
From: Anand Buddhdev [mailto:[email protected]] 
Sent: Friday, July 17, 2015 3:14 AM
To: Frank Bulk; [email protected]
Subject: Re: Verifying that a recursor is performing DNSSec validation

On 17/07/15 07:51, Frank Bulk wrote:

> I've completed writing the first iteration of a NAGIOS-oriented Perl script
> that does the checks I've described.  It was actually more painful to get
> the Net:DNS:DNSsec Perl module installed than anything else.

I haven't seen your script, of course, so I can't know the specifics,
but may I suggest the following logic?

1. First send a query to the resolver with CD=1. This tells the resolver
you don't want it to do validation. This will catch the case where a
zone doesn't resolve for other reasons (unreachable name servers,
expired, etc).

2. If you get back a good result, then repeat the query with CD=0. If
you still get back an answer, and AD is set, then you know you have a
good dnssec-signed zone. If you get an answer, but AD is not set, then
the zone doesn't have a chain of trust (but could still be signed). If
it SERVFAILs this time, you can conclude that the zone is signed, but
validation has failed.

Of course this logic is simple, and doesn't get anywhere close to the
likes of Casey Deccio's DNSViz or Verisign's DNSSEC debugger, but it's
good enough for a Nagios check.

Regards,
Anand
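The two-query logic Anand describes above, combined with Frank's plan of checking several good and canary zones, as an added Python example; it is not Frank's Perl script and not Net::DNS code. It assumes dnspython for the live queries, that a "canary" zone is one deliberately signed-broken so a validating resolver must SERVFAIL it, and that a broken test zone should not by itself fail the check (Frank's point above); the zone names in the comments are placeholders.

```python
from typing import Optional

# Outcome labels for one zone (constructed names; the decision logic is Anand's).
ZONE_BROKEN = "zone unreachable or broken (CD=1 query failed)"
VALIDATED = "validated (AD set)"
INSECURE = "no chain of trust (answer, AD not set)"
BOGUS = "signed but validation failed (SERVFAIL with CD=0)"

def classify(cd1_rcode: str, cd0_rcode: Optional[str], cd0_ad: bool) -> str:
    """Apply the two-query decision logic to the results of both queries."""
    if cd1_rcode != "NOERROR":
        return ZONE_BROKEN          # fault is the zone, not the resolver
    if cd0_rcode == "SERVFAIL":
        return BOGUS
    if cd0_rcode == "NOERROR" and cd0_ad:
        return VALIDATED
    return INSECURE

def probe(resolver_ip: str, zone: str, rdtype: str = "SOA", timeout: float = 3.0):
    """Send the CD=1 query, then the CD=0 query, to one resolver and classify.
    Needs dnspython (imported here so classify() is usable without it)."""
    import dns.flags, dns.message, dns.query, dns.rcode

    def ask(checking_disabled: bool):
        q = dns.message.make_query(zone, rdtype, want_dnssec=True)  # sets DO bit
        if checking_disabled:
            q.flags |= dns.flags.CD
        r = dns.query.udp(q, resolver_ip, timeout=timeout)
        return dns.rcode.to_text(r.rcode()), bool(r.flags & dns.flags.AD)
    cd1_rcode, _ = ask(True)
    if cd1_rcode != "NOERROR":
        return classify(cd1_rcode, None, False)
    cd0_rcode, ad = ask(False)
    return classify(cd1_rcode, cd0_rcode, ad)

def nagios_result(outcomes):
    """outcomes: [(zone, is_canary, outcome)]. Good zones must VALIDATE, canary
    zones must be BOGUS; a zone that is itself broken never fails the resolver."""
    problems, broken = [], []
    for zone, is_canary, outcome in outcomes:
        if outcome == ZONE_BROKEN:
            broken.append(zone)
        elif outcome != (BOGUS if is_canary else VALIDATED):
            problems.append(f"{zone}: {outcome}")
    if problems:
        return 2, "CRITICAL - resolver not validating: " + "; ".join(problems)
    if len(broken) == len(outcomes):
        return 3, "UNKNOWN - no usable test zone: " + ", ".join(broken)
    return 0, "OK - resolver validates DNSSEC"
```

A live run is `nagios_result([(z, c, probe("192.0.2.53", z)) for z, c in zones])` with a list of `(zone, is_canary)` pairs (placeholder resolver address); the returned code is the Nagios exit status.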



_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs