[Opendnssec-user] DNSSEC zone pre-deployment checks

Carsten Strotmann (Men & Mice) carsten.strotmann at menandmice.com
Fri Mar 25 10:55:02 UTC 2011



Hello OpenDNSSEC community,

in the light of the recent DNSSEC failures at some TLDs I've started to
collect a list of checks that should be applied to a DNSSEC signed zone
before it is deployed on a public authoritative server.

OpenDNSSEC includes the Auditor, but I couldn't find any documentation
about the individual checks the Auditor does to a signed zone other than
reading the source (what I then did).

It would be useful for the DNSSEC community to have a 'best practice'
document that lists the 'what can go wrong and how to test' for a DNSSEC
zone.

I started this list below, but it is incomplete at the moment. Some
assumptions might be wrong.

I would appreciate any feedback and additions to this list. The final
list will be made public for anyone to use.

-----(snip)-----

DNSSEC zone "pre-flight" checks

* Completeness
** check that all RRs from the unsigned zone appear in the
signed zone
** check that all public DNSKEY records appear in the zone (all
published ZSK/KSK)

* Keys
** check that zone has an active ZSK
** check that zone has an active KSK
** check that keys have the correct algorithm
** check that keys have the correct length

* Signatures
** check that every authoritative RR has RRSIG records created by all
active ZSKs
** check that the DNSKEY RRs have RRSIG records created by all active KSK
** check that all signatures are inside their lifetime
** check that all signatures have enough lifetime left (depends on RRSIG
lifetimes)
** check that the algorithm used for RRSIG matches the defined algorithm
for this zone
** check that delegations are not signed

* Chain of trust
** check that all active KSKs have a matching DS record in the parent
** check that all DS records in the parent match an active KSK in the zone

* NSEC/NSEC3
** check that every RR-Set has an NSEC/NSEC3 (if not in opt out)
** check that NSEC3 records match the NSEC3PARAM values
** check that the NSEC/NSEC3 chain is unbroken
** check that TTLs of NSEC/NSEC3 match
** check that DNSKEY algorithm matches NSEC/NSEC3
** check that only one NSEC3PARAM RR exists for NSEC3
** if zone contains NSEC3 records, check that an NSEC3PARAM RR exists
** each NSEC3 RR in the zone should use the same salt and iterations

DNSSEC post-deployment check

* Completeness
** check that deployed (published) zone matches the "pre-flight" zone
** check that zone validates from a trust-anchor down

-----(snip)-----

Best regards

Carsten Strotmann
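As an added example (not part of the original post, and not OpenDNSSEC's Auditor), a small Python script that applies several of the pre-flight checks listed above to a signed zone given in one-record-per-line presentation format: every authoritative RRset carries an RRSIG, delegation NS data is not signed, each RRSIG is inside its validity window with enough lifetime left, and NSEC3 records agree with a single NSEC3PARAM. The zone text, names, keys and signatures are constructed; the one-record-per-line format and the reference time given in RRSIG timestamp form are assumptions.

```python
from datetime import datetime

# Constructed sample zone (hypothetical names, fake keys/signatures), one RR per line
ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 8 2 3600 20110425000000 20110326000000 12345 example.test. sig==
example.test. 3600 IN DNSKEY 256 3 8 zsk==
example.test. 3600 IN DNSKEY 257 3 8 ksk==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20110425000000 20110326000000 54321 example.test. sig==
example.test. 0 IN NSEC3PARAM 1 0 10 ABCD
example.test. 0 IN RRSIG NSEC3PARAM 8 2 0 20110425000000 20110326000000 12345 example.test. sig==
sub.example.test. 3600 IN NS ns1.sub.example.test.
sub.example.test. 3600 IN RRSIG NS 8 3 3600 20110425000000 20110326000000 12345 example.test. sig==
www.example.test. 3600 IN A 192.0.2.1
www.example.test. 3600 IN RRSIG A 8 3 3600 20110401000000 20110326000000 12345 example.test. sig==
mail.example.test. 3600 IN A 192.0.2.2
abc.example.test. 3600 IN NSEC3 1 0 20 ABCD def A RRSIG
abc.example.test. 3600 IN RRSIG NSEC3 8 3 3600 20110425000000 20110326000000 12345 example.test. sig==
"""

def preflight(zone_text, now, min_days=7):  # now in RRSIG timestamp form, YYYYMMDDHHMMSS
    rrs = [(f[0], f[3], f[4:]) for f in map(str.split, zone_text.splitlines()) if f]  # owner, type, rdata
    apex = next(o for o, t, _ in rrs if t == "SOA")
    delegations = {o for o, t, _ in rrs if t == "NS" and o != apex}
    signed = {(o, r[0]) for o, t, r in rrs if t == "RRSIG"}  # (owner, covered type) pairs
    problems = []
    def authoritative(owner, rtype):  # delegation NS and anything below the cut are not ours to sign
        if owner in delegations:
            return rtype in ("DS", "NSEC", "NSEC3")
        return not any(owner.endswith("." + d) for d in delegations)
    for owner, rtype in sorted({(o, t) for o, t, _ in rrs if t != "RRSIG"}):
        auth, has_sig = authoritative(owner, rtype), (owner, rtype) in signed
        if auth and not has_sig:
            problems.append(f"{owner} {rtype}: authoritative RRset has no RRSIG")
        elif has_sig and not auth:
            problems.append(f"{owner} {rtype}: delegation data must not be signed")
    for owner, rtype, r in rrs:  # RRSIG rdata: type alg labels ttl expiration inception tag signer sig
        if rtype == "RRSIG":
            exp, inc, cur = (datetime.strptime(x, "%Y%m%d%H%M%S") for x in (r[4], r[5], now))
            if not inc <= cur <= exp:
                problems.append(f"{owner} RRSIG {r[0]}: outside validity window")
            elif (exp - cur).days < min_days:
                problems.append(f"{owner} RRSIG {r[0]}: only {(exp - cur).days} days left")
    params = [r for _, t, r in rrs if t == "NSEC3PARAM"]  # rdata: alg flags iterations salt
    if any(t == "NSEC3" for _, t, _ in rrs) and len(params) != 1:
        problems.append(f"NSEC3 zone has {len(params)} NSEC3PARAM records, expected exactly 1")
    for owner, rtype, r in rrs:  # NSEC3 rdata: alg flags iterations salt next-hash types...
        if rtype == "NSEC3" and params and (r[0], r[2], r[3]) != (params[0][0], params[0][2], params[0][3]):
            problems.append(f"{owner} NSEC3: algorithm/iterations/salt differ from NSEC3PARAM")
    return problems
```

Run against the sample with a reference time of 2011-03-28, it reports the unsigned mail A record, the signed delegation NS, the A RRSIG with only four days left, and the NSEC3 record whose iteration count disagrees with NSEC3PARAM.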
