Not sure if it's exactly what you're looking for, but there's
https://github.com/CZ-NIC/deckard for (generic) resolver testing.
It mocks the environment for the tested binary, so you'll have to
provide a configuration template for dnsmasq.
On Fri, Oct 14, 2016 at 11:22 PM, Mikael Abrahamsson <swm...@swm.pp.se> wrote:
> we have a deployment of home gateways, based on OpenWrt BB that uses dnsmasq
> v2.71 as resolver, with DNSSEC validation turned on. It seems some
> Dnsmasq v2.71 does not support ECDSA. A rather large CDN uses ECDSA only. I
> also found bug reports for Debian with same problem, because they also used
> Breakage occurred, for instance www.ietf.org was not resolvable.
> Our plan is now to disable DNSSEC validation on all of these HGWs.
> So I read some documents:
> Via these I found RFC4035:
> "If the resolver does not support any of the algorithms listed in an
> authenticated DS RRset, then the resolver will not be able to verify
> the authentication path to the child zone. In this case, the
> resolver SHOULD treat the child zone as if it were unsigned."
> So obviously dnsmasq doesn't implement this SHOULD, because it treats these
> zones as bogus and doesn't respond back to the client.
> (btw, what happens if the entire child zone and all its RRs are signed with
> an unknown algorithm, is that even covered in the above paragraph?)
> It took us a while to figure out why things didn't work. We even fault
> reported this to the CDN who never at any time (during their prompt and
> friendly communication) indicated that they had any knowledge of resolvers
> that didn't support their chosen algorithm, or pointed me in that direction.
> So... my question to you fine people is:
> Is there any (existing and freely available) testing suite I can run against
> my chosen resolver that tests all the SHOULDs and MUSTs regarding DNSSEC
> validation, including future proofing for new algorithms?
> If not, I would like to call upon for instance ccTLD registries, ISOC and
> others, to develop a test suite for this, maintain it over time, and make it
> freely available.
> I like DNSSEC and want to see it widely deployed. It's an important part of
> Internet plumbing. These kinds of problems that I've had these last weeks mean
> people who oppose it with FUD actually have concrete breakage to point at
> that means it's not "Uncertain" anymore.
> Mikael Abrahamsson email: swm...@swm.pp.se
> DNSOP mailing list
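The RFC 4035 rule quoted in the thread (an authenticated DS RRset whose algorithms the validator does not support means the child zone is treated as unsigned, not bogus) is small enough to capture as a check a test suite could run against a validator's decision logic. The snippet below is an added example, not code from the thread or from dnsmasq or deckard; the algorithm and digest-type numbers are the real IANA registry values, while the zone names and digests are constructed, and the "supported" sets stand in for a hypothetical validator without ECDSA support like the one described above.

```python
"""Added example: deciding insecure vs. validate from a DS RRset (RFC 4035 5.2)."""
from dataclasses import dataclass

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, RSASHA512 = 5, 7, 8, 10
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 = 13, 14, 15
# DS digest types from the IANA registry.
DIGEST_SHA1, DIGEST_SHA256, DIGEST_SHA384 = 1, 2, 4


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds(presentation: str) -> DS:
    """Parse one DS record in presentation format, with or without TTL/class,
    e.g. 'example. 3600 IN DS 2371 13 2 ABCD...' (digest may be split by spaces)."""
    fields = presentation.split()
    i = fields.index("DS")
    key_tag, algorithm, digest_type = (int(x) for x in fields[i + 1:i + 4])
    return DS(key_tag, algorithm, digest_type, "".join(fields[i + 4:]).upper())


def classify_delegation(ds_rrset, supported_algorithms, supported_digests):
    """Return ('validate', usable_ds) if at least one authenticated DS record uses
    an algorithm and digest type the validator supports, otherwise ('insecure', []):
    RFC 4035 section 5.2 says such a child zone SHOULD be treated as unsigned,
    and RFC 6840 section 5.2 extends the same rule to unsupported digest types.
    Returning 'bogus' here is the behaviour the thread reports as breakage."""
    usable = [ds for ds in ds_rrset
              if ds.algorithm in supported_algorithms
              and ds.digest_type in supported_digests]
    return ("validate", usable) if usable else ("insecure", [])


def demo():
    # Hypothetical validator that knows only the RSA algorithms (no ECDSA).
    rsa_only = {RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, RSASHA512}
    digests = {DIGEST_SHA1, DIGEST_SHA256}
    # Constructed records: an ECDSA-only delegation and a mixed one.
    ecdsa_ds = parse_ds("cdn.example. 3600 IN DS 2371 13 2 " + "AB" * 32)
    rsa_ds = parse_ds("mixed.example. IN DS 1111 8 2 " + "CD" * 32)
    ecdsa_only = classify_delegation([ecdsa_ds], rsa_only, digests)
    mixed = classify_delegation([rsa_ds, ecdsa_ds], rsa_only, digests)
    return ecdsa_only, mixed


if __name__ == "__main__":
    print(demo())
```

Feeding such a validator an ECDSA-only delegation should yield `insecure` (answers returned without the AD bit), while the mixed delegation still proceeds to validation using the RSA DS record alone.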