Re: [DNSOP] ECDSA woes

2016-10-15 Thread Geoff Huston
> On 16 Oct. 2016, at 2:53 am, Mikael Abrahamsson wrote:
>
> On Sat, 15 Oct 2016, Ralf Weber wrote:
>
>> Geoff Huston did some research here some years ago and just did an update
>> to his findings. You might want to look at:
>>

Re: [DNSOP] ECDSA woes

2016-10-15 Thread Ólafur Guðmundsson
I have domains signed by all combinations of signing algorithms and DS digests as well as NSEC variants: Ds-n.alg-m-nsec.dnssec-test.org. Replace n with 1..4, m with 1..14; nsec is one of nsec, nsec3, none. Ólafur, sent from phone. On Oct 15, 2016 17:29, "Geoff Huston" wrote: > > > On

Re: [DNSOP] ECDSA woes

2016-10-15 Thread Mikael Abrahamsson
On Sat, 15 Oct 2016, Ralf Weber wrote: Geoff Huston did some research here some years ago and just did an update to his findings. You might want to look at: http://www.potaroo.net/ispcol/2016-10/ecdsa-v2.html Do we know how many experiments failed because the resolver erroneously

Re: [DNSOP] ECDSA woes

2016-10-15 Thread Marek Vavruša
Hi, not sure if it's exactly what you're looking for, but there's https://github.com/CZ-NIC/deckard for (generic) resolver testing. It mocks the environment for the tested binary, so you'll have to provide a configuration template for dnsmasq. Marek On Fri, Oct 14, 2016 at 11:22 PM, Mikael

Re: [DNSOP] ECDSA woes

2016-10-15 Thread Ray Bellis
On 15/10/2016 01:22, Mikael Abrahamsson wrote:
> So... my question to you fine people is:
>
> Is there any (existing and freely available) testing suite I can run
> against my chosen resolver that tests all the SHOULDs and MUSTs
> regarding DNSSEC validation, including future proofing for new

Re: [DNSOP] ECDSA woes

2016-10-15 Thread Roy Arends
> On 15 Oct 2016, at 07:22, Mikael Abrahamsson wrote:
>
>
> Hi,
>
> we have a deployment of home gateways, based on OpenWrt BB that uses dnsmasq
> v2.71 as resolver, with DNSSEC validation turned on. It seems some
>
>
Dnsmasq v2.71 does not support ECDSA. A rather large

Re: [DNSOP] ECDSA woes

2016-10-15 Thread Mikael Abrahamsson
On Sat, 15 Oct 2016, Ray Bellis wrote: I hadn't considered algorithm-specific tests, but the app could in theory include tests for whether zones known to be signed with specific algorithms can be correctly resolved with +AD returned. What I would like to see are tests like: set up a domain

Re: [DNSOP] ECDSA woes

2016-10-15 Thread Ralf Weber
Moin! On 15 Oct 2016, at 10:22, Mikael Abrahamsson wrote: set up a domain with an algorithm ID nobody will ever implement (reserve it if need be), and check that this domain returns as unvalidated (as per SHOULD in the RFC). Geoff Huston did some research here some years ago and just did an