Hi, not sure if it's exactly what you're looking for, but there's https://github.com/CZ-NIC/deckard for (generic) resolver testing. It mocks the environment for the tested binary, so you'll have to provide a configuration template for dnsmasq.
Marek

On Fri, Oct 14, 2016 at 11:22 PM, Mikael Abrahamsson <[email protected]> wrote:
>
> Hi,
>
> we have a deployment of home gateways, based on OpenWrt BB that uses dnsmasq
> v2.71 as resolver, with DNSSEC validation turned on. It seems some
>
> Dnsmasq v2.71 does not support ECDSA. A rather large CDN uses ECDSA only. I
> also found bug reports for Debian with same problem, because they also used
> dnsmasq.
>
> Breakage occurred, for instance www.ietf.org was not resolvable.
>
> Our plan is now to disable DNSSEC validation on all of these HGWs.
>
> So I read some documents:
>
> https://tools.ietf.org/html/draft-wouters-sury-dnsop-algorithm-update-02
> https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-01
>
> I via these found RFC4035:
>
> "If the resolver does not support any of the algorithms listed in an
> authenticated DS RRset, then the resolver will not be able to verify
> the authentication path to the child zone. In this case, the
> resolver SHOULD treat the child zone as if it were unsigned."
>
> So obviously dnsmasq doesn't implement this SHOULD, because it treats these
> zones as bogus and doesn't respond back to the client.
>
> (btw, what happens if the entire child zone and all its RRs are signed with
> an unknown algorithm, is that even covered in the above paragraph?)
>
> It took us a while to figure out why things didn't work. We even fault
> reported this to the CDN who never at any time (during their prompt and
> friendly communication) indicated that they had any knowledge of resolvers
> that didn't support their chosen algorithm, or pointed me in that direction.
>
> So... my question to you fine people is:
>
> Is there any (existing and freely available) testing suite I can run against
> my chosen resolver that tests all the SHOULDs and MUSTs regarding DNSSEC
> validation, including future proofing for new algorithms?
>
> If not, I would like to call upon for instance ccTLD registries, ISOC and
> others, to develop a test suite for this, maintain it over time, and make it
> freely available.
>
> I like DNSSEC and want to see it widely deployed. It's an important part of
> Internet plumbing. These kinds of problems that I've had last weeks mean
> people who oppose it with FUD actually have concrete breakage to point at
> that means it's not "Uncertain" anymore.
>
> Thanks.
>
> --
> Mikael Abrahamsson    email: [email protected]
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
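As an added illustration (not from the thread, and not dnsmasq's or deckard's code): a Python model of the RFC 4035 section 5.2 rule Mikael quotes, extended with the RFC 6840 section 5.2 rule for unsupported DS digest types, plus a small conformance table of the kind such a test suite would run against a resolver. The algorithm and digest numbers are IANA values; the DS records, the `legacy_behaviour` model of the described symptom and all function names are constructed.

```python
"""RFC 4035 s5.2 (and RFC 6840 s5.2 for digest types): a validator that can
use none of the DS records in an authenticated DS RRset has no supported
authentication path into the child, so the child is INSECURE (treated as
unsigned), never BOGUS. The table below checks a validator against that."""
from dataclasses import dataclass

RSASHA256, ECDSAP256SHA256 = 8, 13   # IANA DNSSEC algorithm numbers
SHA1, SHA256, SHA384 = 1, 2, 4       # IANA DS digest type numbers


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int


def rfc_conformant(ds_rrset, supported_algs, supported_digests):
    """Outcome for a delegation once its DS RRset has been authenticated."""
    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algs and ds.digest_type in supported_digests]
    if not usable:
        return "insecure"   # no usable DS: treat like a proven absence of DS
    return "validate"       # continue with DNSKEY matching and RRSIG checks on `usable`


def legacy_behaviour(ds_rrset, supported_algs, supported_digests):
    """Constructed model of the symptom in the thread: when no DS can be
    processed, the zone is marked bogus and the client gets no answer."""
    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algs and ds.digest_type in supported_digests]
    return "bogus" if not usable else "validate"


# Constructed conformance table; the resolver under test supports RSA/SHA-256
# but not ECDSA, like the dnsmasq 2.71 build described in the thread.
RESOLVER_ALGS, RESOLVER_DIGESTS = {RSASHA256}, {SHA1, SHA256}
CASES = [  # (description, authenticated DS RRset, RFC-required outcome)
    ("ECDSA-only delegation (the CDN case)", [DS(12345, ECDSAP256SHA256, SHA256)], "insecure"),
    ("RSA and ECDSA DS present", [DS(111, RSASHA256, SHA256), DS(222, ECDSAP256SHA256, SHA256)], "validate"),
    ("supported algorithm, unsupported digest", [DS(333, RSASHA256, SHA384)], "insecure"),
    ("plain RSA delegation", [DS(444, RSASHA256, SHA256)], "validate"),
]


def run_conformance(validate):
    """Return the descriptions of the cases where `validate` disagrees with the RFCs."""
    return [desc for desc, ds_rrset, expected in CASES
            if validate(ds_rrset, RESOLVER_ALGS, RESOLVER_DIGESTS) != expected]


if __name__ == "__main__":
    for name, fn in (("rfc_conformant", rfc_conformant), ("legacy_behaviour", legacy_behaviour)):
        failures = run_conformance(fn)
        print(f"{name}: {'all cases pass' if not failures else 'fails: ' + ', '.join(failures)}")
```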
