Not sure if it's exactly what you're looking for, but there's
https://github.com/CZ-NIC/deckard for (generic) resolver testing.
It mocks the environment for the tested binary, so you'll have to
provide a configuration template for dnsmasq.


On Fri, Oct 14, 2016 at 11:22 PM, Mikael Abrahamsson <swm...@swm.pp.se> wrote:
> Hi,
> we have a deployment of home gateways, based on OpenWrt BB that uses dnsmasq
> v2.71 as resolver, with DNSSEC validation turned on. It seems that
> dnsmasq v2.71 does not support ECDSA. A rather large CDN uses ECDSA only. I
> also found bug reports for Debian with same problem, because they also used
> dnsmasq.
> Breakage occurred, for instance www.ietf.org was not resolvable.
> Our plan is now to disable DNSSEC validation on all of these HGWs.
> So I read some documents:
> https://tools.ietf.org/html/draft-wouters-sury-dnsop-algorithm-update-02
> https://tools.ietf.org/html/draft-york-dnsop-deploying-dnssec-crypto-algs-01
> I via these found RFC4035:
> "If the resolver does not support any of the algorithms listed in an
>    authenticated DS RRset, then the resolver will not be able to verify
>    the authentication path to the child zone.  In this case, the
>    resolver SHOULD treat the child zone as if it were unsigned."
> So obviously dnsmasq doesn't implement this SHOULD, because it treats these
> zones as bogus and doesn't respond back to the client.
> (btw, what happens if the entire child zone and all its RRs are signed with
> an unknown algorithm, is that even covered in the above paragraph?)
> It took us a while to figure out why things didn't work. We even fault
> reported this to the CDN who never at any time (during their prompt and
> friendly communication) indicated that they had any knowledge of resolvers
> that didn't support their chosen algorithm, or pointed me in that direction.
> So... my question to you fine people is:
> Is there any (existing and freely available) testing suite I can run against
> my chosen resolver that tests all the SHOULDs and MUSTs regarding DNSSEC
> validation, including future proofing for new algorithms?
> If not, I would like to call upon for instance ccTLD registries, ISOC and
> others, to develop a test suite for this, maintain it over time, and make it
> freely available.
> I like DNSSEC and want to see it widely deployed. It's an important part of
> Internet plumbing. These kinds of problems that I've had these last weeks mean
> people who oppose it with FUD actually have concrete breakage to point at,
> which means it's not "Uncertain" anymore.
> Thanks.
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
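The RFC 4035 rule quoted above (refined in RFC 6840 section 5.2) is a small decision: a DS record is only usable if the validator supports both its algorithm and its digest type, and when no DS in the parent's RRset is usable the child zone is treated as unsigned (insecure), not as bogus. The following Python, an added example rather than anything from this thread or from dnsmasq, models that decision at a delegation point, including the DS digest and key-tag computation from RFC 4034 so that a real DS/DNSKEY match is checked. The zone name, key bytes and algorithm sets are constructed for illustration; no real keys are involved.

```python
"""
Delegation-point decision a DNSSEC validator makes from the parent's DS RRset,
following RFC 4035 section 5.2 as refined by RFC 6840 section 5.2.
Added example with constructed sample data; not dnsmasq's or any resolver's code.
"""
import hashlib
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry (only the ones used here).
RSASHA1, RSASHA256, ECDSAP256SHA256, ED25519 = 5, 8, 13, 15
# DS digest types from the IANA registry mapped to their hash constructors.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int
    public_key: bytes  # raw key material; placeholder bytes in the samples below
    protocol: int = 3  # always 3 for DNSSEC (RFC 4034 section 2.1.2)

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int    # mirrors the algorithm field of the DNSKEY it refers to
    digest_type: int
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root last."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """RFC 4034 section 5.1.4: digest = H(owner name wire form || DNSKEY RDATA)."""
    digest = DIGESTS[digest_type](owner_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def classify_delegation(owner, ds_rrset, dnskey_rrset,
                        supported_algorithms, supported_digests=(2, 4)) -> str:
    """
    Returns "insecure" when no DS record uses an algorithm *and* digest type the
    validator supports (the SHOULD in RFC 4035, MUST in RFC 6840: treat the child
    as unsigned), "validate" when a usable DS authenticates one of the child's
    DNSKEYs (the validator then goes on to verify RRSIGs with that key), and
    "bogus" when usable DS records exist but none matches any DNSKEY.
    """
    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algorithms
              and ds.digest_type in supported_digests]
    if not usable:
        return "insecure"
    for ds in usable:
        for key in dnskey_rrset:
            # Key tag and algorithm are a cheap pre-filter; the digest is the real check.
            if key.algorithm != ds.algorithm or key.key_tag() != ds.key_tag:
                continue
            if make_ds(owner, key, ds.digest_type) == ds:
                return "validate"
    return "bogus"


if __name__ == "__main__":
    # Constructed sample: an ECDSA P-256 KSK for a made-up zone, as the CDN case in the thread.
    ksk = DNSKEY(flags=257, algorithm=ECDSAP256SHA256, public_key=bytes(range(64)))
    ds = make_ds("example.org.", ksk)
    rsa_only = {RSASHA1, RSASHA256}
    print("RSA-only validator :", classify_delegation("example.org.", [ds], [ksk], rsa_only))
    print("ECDSA-capable      :", classify_delegation("example.org.", [ds], [ksk], rsa_only | {ECDSAP256SHA256}))
```

An RSA-only validator gets "insecure" for the ECDSA-only zone: answers are returned without the AD bit, exactly what the quoted RFC text calls for, whereas the poster reports dnsmasq 2.71 treating the zone as bogus and returning nothing. The question about a child zone signed entirely with an unknown algorithm is covered by the same rule: the DS algorithm field is the algorithm of the DNSKEY it refers to, so such a zone's DS RRset contains only unsupported algorithms and the delegation is classified insecure. A quick live check for any resolver is `dig +dnssec @<resolver> <ecdsa-only-name>`: a validator following the rule returns NOERROR without AD, a broken one returns SERVFAIL.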
