we have a deployment of home gateways, based on OpenWrt BB that uses
dnsmasq v2.71 as resolver, with DNSSEC validation turned on. It seems some
Dnsmasq v2.71 does not support ECDSA. A rather large CDN uses ECDSA only.
I also found bug reports for Debian with same problem, because they also
Breakage occured, for instance www.ietf.org was not resolvable.
Our plan is now to disable DNSSEC validation on all of these HGWs.
So I read some documents:
I via these found RFC4035:
"If the resolver does not support any of the algorithms listed in an
authenticated DS RRset, then the resolver will not be able to verify
the authentication path to the child zone. In this case, the
resolver SHOULD treat the child zone as if it were unsigned."
So obviously dnsmasq doesn't implement this SHOULD, because it treats
these zones as bogus and doesn't respond back to the client.
(btw, what happens if the entire child zone and all its RRs are signed
with an unknown algoritm, is that even covered in the above paragraph?)
It took us a while to figure out why things didn't work. We even fault
reported this to the CDN who never at any time (during their prompt and
friendly communication) indicated that they had any knowledge of resolvers
that didn't support their chosen algorithm, or pointed me in that
So... my question to you fine people is:
Is there any (existing and freely available) testing suite I can run
against my chosen resolver that tests all the SHOULDs and MUSTs regarding
DNSSEC validation, including future proofing for new algorithms?
If not, I would like to call upon for instance ccTLD registrys, ISOC and
others, to develop a test suite for this, maintain it over time, and make
it freely available.
I like DNSSEC and want to see it widely deployed. It's an important part
of Internet plumbing. These kinds of problems that I've had last weeks
mean people who oppose it with FUD actually have concrete breakage to
point at that means it's not "Uncertain" anymore.
Mikael Abrahamsson email: swm...@swm.pp.se
DNSOP mailing list