Hello OpenDNSSEC community,
in the light of the recent DNSSEC failures at some TLDs I've started to collect a list of checks that should be applied to a DNSSEC-signed zone before it is deployed on a public authoritative server. OpenDNSSEC includes the Auditor, but I couldn't find any documentation about the individual checks the Auditor does to a signed zone other than reading the source (which I then did). It would be useful for the DNSSEC community to have a 'best practice' document that lists the 'what can go wrong and how to test' for a DNSSEC zone. I started this list below, but it is incomplete at the moment. Some assumptions might be wrong. I would appreciate any feedback and additions to this list. The final list will be made public for anyone to use.

-----(snip)-----

DNSSEC zone "pre-flight" checks

* Completeness
** check that all RRs from the unsigned zone appear in the signed zone
** check that all public DNSKEY records appear in the zone (all published ZSK/KSK)
* Keys
** check that the zone has an active ZSK
** check that the zone has an active KSK
** check that keys have the correct algorithm
** check that keys have the correct length
* Signatures
** check that every authoritative RR has RRSIG records created by all active ZSKs
** check that the DNSKEY RRs have RRSIG records created by all active KSKs
** check that all signatures are inside their lifetime
** check that all signatures have enough lifetime left (depends on RRSIG lifetimes)
** check that the algorithm used for RRSIG matches the defined algorithm for this zone
** check that delegations are not signed
* Chain of trust
** check that all active KSKs have a matching DS record in the parent
** check that all DS records in the parent match an active KSK in the zone
* NSEC/NSEC3
** check that every RRset has an NSEC/NSEC3 (if not in opt-out)
** check that NSEC3 records match the NSEC3PARAM values
** check that the NSEC/NSEC3 chain is unbroken
** check that TTLs of NSEC/NSEC3 match
** check that the DNSKEY algorithm matches NSEC/NSEC3
** check that only one NSEC3PARAM RR exists for NSEC3
** if the zone contains NSEC3 records, check that an NSEC3PARAM RR exists
** each NSEC3 RR in the zone should use the same salt and iterations

DNSSEC post-deployment checks

* Completeness
** check that the deployed (published) zone matches the "pre-flight" zone
** check that the zone validates from a trust anchor down

-----(snip)-----

Best regards

Carsten Strotmann
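A small checker for some of the pre-flight items above, added here as an example and not part of Carsten's list or of OpenDNSSEC's Auditor. It parses a constructed one-record-per-line zone excerpt (placeholder key and signature fields, fixed dates, a seven-day remaining-lifetime threshold, all assumed) and reports missing RRSIGs, signatures outside or near the end of their validity window, RRSIG algorithms without a matching DNSKEY, more than one NSEC3PARAM, and NSEC3 records whose iterations/salt differ from NSEC3PARAM; key tags, DS matching and the NSEC3 chain are not checked.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed zone excerpt (presentation format, placeholder key/signature fields) with deliberate defects.
ZONE = """\
example.      3600 IN DNSKEY 257 3 8 KSK-DATA
example.      3600 IN DNSKEY 256 3 8 ZSK-DATA
example.      3600 IN RRSIG DNSKEY 8 1 3600 20240301000000 20240201000000 11111 example. SIG
example.      3600 IN NSEC3PARAM 1 0 10 AABB
example.      3600 IN NSEC3PARAM 1 0 5 CCDD
example.      3600 IN RRSIG NSEC3PARAM 8 1 3600 20240301000000 20240201000000 22222 example. SIG
www.example.  300 IN A 192.0.2.1
www.example.  300 IN RRSIG A 8 2 300 20240216000000 20240201000000 22222 example. SIG
mail.example. 300 IN A 192.0.2.2
mail.example. 300 IN RRSIG A 7 2 300 20240301000000 20240201000000 33333 example. SIG
ftp.example.  300 IN A 192.0.2.3
h1.example.   300 IN NSEC3 1 0 10 EEFF H2HASH A RRSIG
h1.example.   300 IN RRSIG NSEC3 8 2 300 20240301000000 20240201000000 22222 example. SIG
"""

def preflight(zone_text, apex, now, min_remaining=timedelta(days=7)):
    # Returns sorted findings; an empty list means the zone passed these checks.
    rrs, sigs, findings = defaultdict(list), defaultdict(list), []
    for line in zone_text.splitlines():                      # one record per line
        owner, _ttl, _cls, rtype, *rdata = line.split()
        if rtype == "RRSIG":   # rdata: covered alg labels ottl expiration inception keytag signer sig
            sigs[(owner, rdata[0])].append(rdata)
        else:
            rrs[(owner, rtype)].append(rdata)
    algs = {k[2] for k in rrs.get((apex, "DNSKEY"), [])}    # algorithms that have a DNSKEY
    for owner, rtype in rrs:
        covering = sigs.get((owner, rtype), [])
        if not covering:
            findings.append(f"{owner} {rtype}: no RRSIG")
        for s in covering:
            expires, inception = (datetime.strptime(t, "%Y%m%d%H%M%S") for t in s[4:6])
            if s[1] not in algs:
                findings.append(f"{owner} {rtype}: RRSIG algorithm {s[1]} has no matching DNSKEY")
            if not inception <= now <= expires:
                findings.append(f"{owner} {rtype}: RRSIG outside its validity window")
            elif expires - now < min_remaining:
                findings.append(f"{owner} {rtype}: RRSIG expires in under {min_remaining.days} days")
    params = rrs.get((apex, "NSEC3PARAM"), [])               # rdata: hashalg flags iterations salt
    if len(params) != 1:
        findings.append(f"{apex}: {len(params)} NSEC3PARAM records, expected 1")
    allowed = {(p[2], p[3]) for p in params}
    for (owner, rtype), rdatas in rrs.items():
        if rtype == "NSEC3" and any((r[2], r[3]) not in allowed for r in rdatas):
            findings.append(f"{owner} NSEC3: iterations/salt do not match NSEC3PARAM")
    return sorted(findings)
def run(now=datetime(2024, 2, 10)):   # fixed clock so the constructed zone's findings are stable
    return preflight(ZONE, "example.", now)
```

Running `run()` on the constructed zone yields five findings, one per planted defect.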
