[Opendnssec-user] Playing with 2.0.1

Mark Elkins mje at posix.co.za
Tue Aug 30 14:10:19 UTC 2016


I've been playing with OpenDNSSEC-2.0.1, compiled from scratch on a
Gentoo box. I have three virtual servers, server one is BIND with
unsigned zones - pretending to be the Zone Generator.
Server 3 is also running BIND - pretending to be a distribution master
or "Master" name server.
The Man in the middle (Bump on the wire) is running OpenDNSSEC and uses
the DNS Adapters. As this is all testing - all my timing values are
quite low. I'm using NSEC3, Opt-Out - etc.

Everything is humming along nicely.

I've written a simple shell script to check the consistency of the
signed zone vs the original unsigned zone. This is done by a "dig axfr"
of the before and after zones - followed by various tests.

a) I look for differences between signed and unsigned zones (after
removing DNSSEC Records)
b) I follow NSEC3 Chains - till I get back to the "start"
c) I make sure all secured delegations have NSEC3 records
d) I make sure that the signer is still re-signing by looking at the
expire time of the "nearest" RRSIG records, bringing into the picture
the current time and the values of Refresh and Resign...
If there is anything amiss - I get e-mail. So far, so good.
I disable the signer every day or so for about 10 minutes to make sure
the detection is working.

Much to my annoyance, OpenDNSSEC converts to lower case the Left Hand
side of all zones (the name part, before the TTL). Can this modification
of data be switched off?

BIND-9.10 does not do that and I think it would be better behaviour if
OpenDNSSEC followed suit. I'm well aware that there is no functional
difference between DNS names with Upper and Lower case when looking them
up - but I don't think signing software should be fiddling with it.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
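The four checks the post describes (diff after stripping DNSSEC records, NSEC3 chain walk, NSEC3 coverage of secure delegations, RRSIG expiry against Refresh/Resign) as an added example, not the poster's shell script and not OpenDNSSEC code. It is written in Python rather than shell so the NSEC3 hash (RFC 5155 section 5, SHA-1 plus salt, base32hex) and the chain walk fit in one readable file. The zone text is constructed for the demo and mimics what `dig axfr` prints; the signatures and the DS digest are dummy values, the NSEC3 owner names are generated with the block's own `nsec3_hash`, and the stall rule in `signer_stalled` (nearest expiry must stay further away than Refresh minus Resign) is my reading of check (d), not the poster's formula. Check (a) deliberately lower-cases owner names before comparing, which is exactly the case change the post complains about; with `case_insensitive=False` the same zones show eight spurious differences.

```python
# Added example, not the poster's script: checks (a)-(d) from the post, run
# over constructed `dig axfr`-style zone text; signatures are dummy values.
import base64
import hashlib
from datetime import datetime, timedelta, timezone

DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}
B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")
SALT, ITERATIONS, Z = "aabbccdd", 5, "example.org."  # NSEC3PARAM values, zone apex

# Constructed unsigned zone; owner names deliberately mixed-case.
UNSIGNED = """\
Example.Org.\t3600\tIN\tSOA\tns1.example.org. hostmaster.example.org. 2016083001 7200 3600 1209600 3600
Example.Org.\t3600\tIN\tNS\tns1.example.org.
ns1.Example.Org.\t3600\tIN\tA\t192.0.2.1
WWW.example.org.\t3600\tIN\tA\t192.0.2.80
secure.example.org.\t3600\tIN\tNS\tns1.secure.example.org.
secure.example.org.\t3600\tIN\tDS\t12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
insecure.example.org.\t3600\tIN\tNS\tns1.insecure.example.org.
"""

def parse_zone(text):
    """dig-style lines -> (owner, ttl, class, type, rdata); ';' comments skipped."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.startswith(";"):
            owner, ttl, cls, rtype, rdata = line.split(None, 4)
            out.append((owner, int(ttl), cls, rtype, rdata))
    return out

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1(canonical wire-format name | salt), re-hashed
    `iterations` times, base32hex. Canonical form is lower-case, so owner case never matters."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\0"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(B32HEX).lower()

def build_signed_sample():
    """Constructed signed copy: owners lower-cased (as the signer emits them), an
    NSEC3PARAM, an Opt-Out NSEC3 chain (none for the insecure delegation) and two
    RRSIGs. NSEC3 owners come from nsec3_hash, so this is demo data only."""
    recs = [(o.lower(), t, c, ty, rd) for o, t, c, ty, rd in parse_zone(UNSIGNED)]
    recs.append((Z, 3600, "IN", "NSEC3PARAM", f"1 0 {ITERATIONS} {SALT}"))
    hashed = sorted(nsec3_hash(n, SALT, ITERATIONS) for n in (Z, "ns1." + Z, "www." + Z, "secure." + Z))
    for i, h in enumerate(hashed):  # flags=1 is Opt-Out; rdata field 5 is the next hash
        recs.append((f"{h}.{Z}", 3600, "IN", "NSEC3",
                     f"1 1 {ITERATIONS} {SALT} {hashed[(i + 1) % len(hashed)]} A NS SOA RRSIG"))
    for name, rtype, exp in ((Z, "SOA", "20160905120000"), ("www." + Z, "A", "20160903080000")):
        recs.append((name, 3600, "IN", "RRSIG",
                     f"{rtype} 8 2 3600 {exp} 20160829120000 12345 {Z} c2lnbmF0dXJl"))
    return recs

def zone_diff(unsigned, signed, case_insensitive=True):
    """Check (a): RRs on one side only, DNSSEC types dropped. Owners are lower-cased
    first because the signer emits them that way; case_insensitive=False shows the noise."""
    def key(r):
        return ((r[0].lower() if case_insensitive else r[0]),) + r[1:]
    left = {key(r) for r in unsigned if r[3] not in DNSSEC_TYPES}
    right = {key(r) for r in signed if r[3] not in DNSSEC_TYPES}
    return sorted(left - right), sorted(right - left)

def nsec3_chain_closed(signed):
    """Check (b): follow each NSEC3's next-hash pointer; the walk must come back
    to its start having visited every NSEC3 exactly once."""
    nxt = {r[0].split(".")[0].lower(): r[4].split()[4].lower() for r in signed if r[3] == "NSEC3"}
    if not nxt:
        return False
    start = cur = min(nxt)
    seen = set()
    while cur is not None and cur not in seen:
        seen.add(cur)
        cur = nxt.get(cur)
    return cur == start and seen == set(nxt)

def uncovered_secure_delegations(signed):
    """Check (c): under Opt-Out only insecure delegations may lack an NSEC3, so
    every owner of a DS record must hash to an existing NSEC3 owner."""
    _alg, _flags, iterations, salt = next(r[4].split() for r in signed if r[3] == "NSEC3PARAM")
    owners = {r[0].split(".")[0].lower() for r in signed if r[3] == "NSEC3"}
    return sorted({r[0] for r in signed
                   if r[3] == "DS" and nsec3_hash(r[0], salt, int(iterations)) not in owners})

def rrsig_time(stamp):
    """RRSIG expiration/inception fields are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def signer_stalled(signed, now_stamp, refresh, resign):
    """Check (d): a live signer re-signs once under `refresh` seconds of validity remain
    and wakes every `resign` seconds, so the nearest expiry should stay further away
    than refresh - resign. Assumed reading of the poster's rule, not their code."""
    nearest = min(rrsig_time(r[4].split()[4]) for r in signed if r[3] == "RRSIG")
    return nearest - rrsig_time(now_stamp) < timedelta(seconds=refresh - resign)

if __name__ == "__main__":
    unsigned, signed = parse_zone(UNSIGNED), build_signed_sample()
    print("diff, owner case ignored:", zone_diff(unsigned, signed))
    print("diff, owner case exact:", zone_diff(unsigned, signed, case_insensitive=False))
    print("NSEC3 chain closed:", nsec3_chain_closed(signed))
    print("DS owners without NSEC3:", uncovered_secure_delegations(signed))
    print("signer stalled:", signer_stalled(signed, "20160830141000", 3 * 86400, 7200))
```

To run this against real servers, replace `UNSIGNED` and `build_signed_sample()` with the text of `dig @<hidden master> <zone> axfr` and `dig @<signer> <zone> axfr`, and pass the Refresh and Resign values from kasp.xml (in seconds) to `signer_stalled`. Only the owner name is case-normalised in check (a); rdata such as NS targets and the RRSIG signer field is compared byte-for-byte, so a signer that rewrote those would still be reported. Before trusting check (c) on a production zone, verify `nsec3_hash` against the vectors in RFC 5155 Appendix A, since the demo zone above is built with the same function it is checked with.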
