On 15/10/2016 01:22, Mikael Abrahamsson wrote:
> So... my question to you fine people is:
>
> Is there any (existing and freely available) testing suite I can run
> against my chosen resolver that tests all the SHOULDs and MUSTs
> regarding DNSSEC validation, including future proofing for new algorithms?
>
> If not, I would like to call upon for instance ccTLD registries, ISOC and
> others, to develop a test suite for this, maintain it over time, and
> make it freely available.
>
> I like DNSSEC and want to see it widely deployed. It's an important part
> of Internet plumbing. These kinds of problems that I've had last weeks
> mean people who oppose it with FUD actually have concrete breakage to
> point at that means it's not "Uncertain" anymore.

It's not exactly what you've asked for, but I have an iOS app under
development that can test your phone's configured resolvers for various
DNS protocol conformance issues.

At the moment the extent of the DNSSEC specific tests is to check that a
query for the root zone's SOA with the +CD flag returns the expected RRSIGs.

I hadn't considered algorithm-specific tests, but the app could in
theory include tests for whether zones known to be signed with specific
algorithms can be correctly resolved with +AD returned.
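
The check described in the message above, sketched as an added example (this is not code from the app or from anyone on the thread): it builds a root SOA query with the CD flag and the EDNS0 DO bit set, then inspects a response for RRSIGs in the answer section and for the AD flag. All function names are hypothetical, and the sample response is constructed with placeholder RDATA rather than captured from a resolver.

```python
import struct

SOA, RRSIG, OPT = 6, 46, 41
FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010
EDNS_DO = 0x8000  # "DNSSEC OK" bit, carried in the OPT record's TTL field

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, cd=False, qid=0x1234):
    """Query with RD and the EDNS0 DO bit set; cd=True adds Checking Disabled."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1)  # one question, one OPT
    question = encode_name(name) + struct.pack("!2H", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, EDNS_DO, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n
        if n == 0:
            return off

def parse_response(msg):
    """Return the AD flag, the RCODE and the RR types in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        types.append(rtype)
        off += 10 + rdlen
    return {"ad": bool(flags & FLAG_AD), "rcode": flags & 0xF, "types": types}

def root_soa_check(resp):
    """A +CD query for the root SOA must come back with SOA and RRSIG."""
    r = parse_response(resp)
    return r["rcode"] == 0 and SOA in r["types"] and RRSIG in r["types"]

def rr(rtype, rdata):  # constructed record owned by the root name
    return b"\x00" + struct.pack("!HHIH", rtype, 1, 86400, len(rdata)) + rdata

# Constructed response: QR|RD|RA|CD, root SOA question, SOA + RRSIG answers.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8190, 1, 2, 0, 0) + b"\x00"
          + struct.pack("!2H", SOA, 1) + rr(SOA, b"\x00" * 22) + rr(RRSIG, b"\x00" * 20))
```

To run it against a live resolver, send `build_query(".", SOA, cd=True)` over UDP port 53 and pass the reply to `root_soa_check`; the algorithm-specific variant would query a zone signed with the algorithm of interest without CD and require `parse_response(...)["ad"]` to be true.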