Using Drill to validate signatures

Written by Rick van Rein in category: General, Procedures, Security, Technical

How can the Drill utility be used to ensure properly signed zones? When a zone encounters a problem, it is helpful to dig around in DNS, possibly probing the authoritatives directly to bypass validating resolvers. This will yield information, but not actually check signatures. The Drill utility is a replacement for Dig, and can actually […]

Tools used for DNSSEC research

Written by Roland van Rijswijk in category: General, Technical, Users

During the course of the past year Gijs van den Broek has performed research on DNSSEC and UDP fragmentation for his M.Sc. thesis. His work is now finished and the tools he used to perform his research have been made available so others may reproduce his research or extend it. Read more about where to […]

Researching UDP fragmentation issues

Written by Roland van Rijswijk in category: General

The last time we posted on this blog (earlier this year), we discussed issues we had encountered because of firewalls blocking IP fragments on port 53. At the moment, we have a student working on his master's thesis who is researching this issue in detail and will investigate ways of mitigating this issue in situations […]

Final report DNSSEC in SURFdomeinen

Written by Roland van Rijswijk in category: General

Today we published the Final report DNSSEC in SURFdomeinen describing our DNSSEC deployment. This will be the last post for a while on our DNSSEC deployment; we are going to continue later this year. In the meantime, I will try to post updates when I have interesting information available, for instance about the validation […]

MTU woes and the merits of re-signing

Written by Roland van Rijswijk in category: General, Procedures

Two stories to learn from today… MTU woes: I got some news last week that initially got me worried; several colleagues were experiencing DNS problems at home since our secure delegation had been made active (or so it seemed). They had big problems resolving names under the surfnet.nl domain. We mounted an investigation and it […]

Now validatable: surfnet.nl

Written by Roland van Rijswijk in category: General

Just to let you all know: surfnet.nl is now fully validatable for the first time! A secure delegation has been added to the .nl zone, which in turn now has a secure delegation in the root zone! Look at the dig statement below: the answer now has the ‘AD’ bit set to indicate that the […]

Puzzle of the week, win a pie :-)

Written by Roland van Rijswijk in category: General, Users

I’ve created a new validation rate graph based on the statistics gathered on our resolvers. The data is up-to-date until week 43 (this week). The graph shows an interesting trend: In the graph you can see three lines representing three different resolver locations spread out across The Netherlands. What is interesting is that the validation […]

Validation rate growing week by week

Written by Roland van Rijswijk in category: General

All of SURFnet’s DNS resolvers perform DNSSEC validation and we use the Cacti plug-in for Unbound to graph our nameserver statistics. This yields some interesting data since we can observe the DNSSEC validation rate. And that rate has been showing signs of significant growth since the root got signed. Let me first show you a snapshot […]

User study results

Written by Roland van Rijswijk in category: General, Users

One of the goals of our project was to perform a user study among our constituency (higher education, academia and research) to find out what the interest in DNSSEC is in our community. We finished this study in August and have just published the results, which are quite interesting; quite a number of respondents to […]

Why .us fails to validate for some (and algorithm rollovers are hard)

Written by Roland van Rijswijk in category: General, Resilience

If you perform DNSSEC validation on your resolver you may have noticed lots of validation failures for the .us top-level domain since yesterday or early today (depending on the content of your cache). You’re probably wondering why this happens and what you can do about it. Here’s a short explanation. The maintainers of the .us domain […]
