Help & Documentation

All sections / {current.section.title} / {current.chapter.title} / {current.topic.title} / {current.title} / {current.title} / {current.title} / {current.title}

DNSSEC Full Validation


Functional overview

This test aims to confirm whether resolvers are resolving requests for domain names with DNS zones signed with DNSSEC and with valid matching Registrar DS records for a range of different algorithm / key strength values. 

A successful test outcome would be registered if for a configured A record, requests for both the A record and a matching DNSKEY request for the domain name are received from the resolver and the resulting HTTP request is made successfully.


Implementation

In order to track unique requests and avoid caching issues the Client Side Website Toolkit (CSWT) will send HTTP requests of the format 

UUID.DOMAIN_NAME 

Where the UUID is generated uniquely for each request.  The SSCRT configures the DNS zone for the domain name with a wildcard IPv4 A record and sets up a wildcard SSL cert and matching web server virtual host for *.DOMAIN_NAME.   The zone is then signed using the algorithm under test and a matching DS record is generated for use bu 

After observing a DNS request for the full A record (including UUID prefix) the SSCRT will then seek to find a matching DNSKEY query for DOMAIN_NAME and a valid HTTP request for the full record (including UUID prefix).  If these criteria are met the test will be recorded as Successful.


Configuring test sessions

Before creating a DNSSEC test session for a domain it is essential that all DS records are removed at the registrar for that domain to ensure a clean environment. 

DNSSEC test sessions are configured using the test key dnssec which should be supplied when creating new sessions on the SSCRT along with an algorithm and optional key strength e.g.

resolvertest install dnssec example.com ALGORITHM KEYSTRENGTH

ALGORITHM is one of  2,3,5,6,7,8,10,12,13,14,15,16

KEYSTRENGTH is optional and defaults to a sensible numeric value for a given algorithm but can be overridden if required - e.g. 1024, 2048

In order to complete configuration for DNSSEC tests it is necessary to add DS records to the domain registrar for the domain.  Instructions for this will be printed at the end of the install process for the test but can also be viewed later by reviewing the Additional Info column for the test returned using the list command 

resolvertest list


Tests can be invoked using the CSWT.

e.g.

let test = new ResolverCapabilityTest(“dnssec”, “example.com”);    

Log format

The log output for DNSSEC tests will contain the following distinct fields:


id - A unique numerical id for the log entry

date - The date and time of the combined log entry.

status - Either “Success” or “Failed” depending upon whether the client resolver correctly requested DNSSEC records and routed the resulting request.

dnsResolutionTime1 - The date and time that an A record DNS query was received for UUID.DOMAIN_NAME

dnsResolvedHostname1 -should generally be set to UUID.DOMAIN_NAME

dnsClientIpAddress1 - The IPv4 address of the client resolver or the /24 depending upon the configured privacy setting in the SSCRT.

dnsResolverQuery1 - The full query string made by the resolver for the resolution of the A record DNS query for UUID.DOMAIN_NAME

dnsResolutionTime2 - The date and time that a DNSKEY record DNS query was received for DOMAIN_NAME

dnsResolvedHostname2 -should be set to DOMAIN_NAME

dnsClientIpAddress2 - The IPv4 address of the client resolver or the /24 depending upon the configured privacy setting in the SSCRT.

dnsResolverQuery2 - The full query string made by the resolver for the resolution of the DNS record DNSKEY query for DOMAIN_NAME

webServerRequestTime1 - The date and time that the HTTP request was made for UUID.DOMAIN_NAME if successful

webServerRequestHostname1- This will be set to UUID.DOMAIN_NAME if an HTTP request was received

webServerClientIpAddress1- The IPv4 address of the client machine (web browser) or the /24 depending upon the configured privacy setting in the SSCRT if this request was made.  

webServerResponseCode1 - The HTTP response code returned from the web server - generally should be 200 if the request was received

Top
DNSRF Corporate Logo - words and line shorter version
Search
{item._type | case 'page' 'Web page' 'blog/blog' publication 'adnewsfeed/news' 'News' 'docs/article' 'Docs'}{item.section.title} / {item.chapter.title} / {item.topic.title}  | {category.title}
{item.publishDate | date 'DD MMM YYYY' | append ': '}