It SHOULD take a couple of days only. There MAY be unexpected delays.
The recording and slides are available here.
nsec3-iter-*) are now RFC 9276 compliant, meaning they use 0 additional iterations and no salt.
The recording of the IRTFOPEN session is available here.
The recording is available here.
It will be presented later this year in Vancouver during IETF 120.
This domain — extended-dns-errors.com — contains 68 subdomains, each showcasing a different misconfiguration or edge case. You are welcome to query them to observe how your recursive resolver handles erroneous DNS scenarios. Configuration instructions are available on GitHub. You can also access the text file with all the domains here.
These two domains are correctly configured.
| Subdomain | Description |
| --- | --- |
| valid | DNSSEC-signed subdomain |
| unsigned | Unsigned subdomain |
The full list of Domain Name System Security (DNSSEC) Algorithm Numbers is maintained by IANA. Note that, following RFC 8624, some algorithms MUST NOT be used for zone signing or validation, while others are RECOMMENDED or MAY be used; a validator that does not support the algorithm of a zone's keys treats that zone as insecure rather than bogus (RFC 4035, section 5.2). Each subdomain below is signed with one of these algorithms.
| Subdomain | Description |
| --- | --- |
| rsamd5 | DNSSEC algorithm number 1 (RSAMD5) |
| dsa | DNSSEC algorithm number 3 (DSA) |
| rsasha1 | DNSSEC algorithm number 5 (RSASHA1) |
| dsa-nsec3-sha1 | DNSSEC algorithm number 6 (DSA-NSEC3-SHA1) |
| rsasha1-nsec3-sha1 | DNSSEC algorithm number 7 (RSASHA1-NSEC3-SHA1) |
| rsasha256 | DNSSEC algorithm number 8 (RSASHA256) |
| rsasha512 | DNSSEC algorithm number 10 (RSASHA512) |
| ecdsap256sha256 | DNSSEC algorithm number 13 (ECDSAP256SHA256) |
| ecdsap384sha384 | DNSSEC algorithm number 14 (ECDSAP384SHA384) |
| ed25519 | DNSSEC algorithm number 15 (ED25519) |
| ed448 | DNSSEC algorithm number 16 (ED448) |
The Guidance for NSEC3 Parameter Settings (RFC 9276) states that "if NSEC3 must be used, then an iterations count of 0 MUST be used to alleviate computational burdens". The same document tells validating resolvers that they SHOULD treat NSEC3 records with a larger iteration count as insecure (and MAY answer SERVFAIL instead), and it registers Extended DNS Error code 27 (Unsupported NSEC3 Iterations Value) for that case. Only the first subdomain below complies with the requirement.
| Subdomain | Description |
| --- | --- |
| nsec3-iter-0 | The number of additional iterations is 0 |
| nsec3-iter-1 | The number of additional iterations is 1 |
| nsec3-iter-50 | The number of additional iterations is 50 |
| nsec3-iter-100 | The number of additional iterations is 100 |
| nsec3-iter-150 | The number of additional iterations is 150 |
| nsec3-iter-200 | The number of additional iterations is 200 |
| nsec3-iter-500 | The number of additional iterations is 500 |
| nsec3-iter-1000 | The number of additional iterations is 1000 |
| nsec3-iter-1500 | The number of additional iterations is 1500 |
| nsec3-iter-2000 | The number of additional iterations is 2000 |
| nsec3-iter-2500 | The number of additional iterations is 2500 |
The full list of DNSSEC Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms is maintained by IANA. Note that, following RFC 8624, some digest types MUST NOT be used any more, while others are RECOMMENDED or MAY be used. A DS record is the parent's commitment to a child DNSKEY: its key tag, algorithm and digest type must all match a key in the child's DNSKEY RRset, and the digest must equal the hash of the canonical owner name followed by that key's RDATA (RFC 4034, section 5). Each subdomain below breaks exactly one of those fields.
| Subdomain | Description |
| --- | --- |
| no-ds | The subdomain is correctly signed but no DS record was published at the parent zone |
| ds-bad-tag | The key tag value is set to 00000 |
| ds-bad-key-algo | The algorithm value is changed from 8 to 7 |
| ds-unassigned-key-algo | The algorithm value is changed from 8 to 100 |
| ds-reserved-key-algo | The algorithm value is changed from 8 to 200 |
| ds-unassigned-digest-algo | The digest type value is changed from 2 to 100 |
| ds-bogus-digest-value | The digest value is computed from the "I am not a real DNSKEY digest" string |
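The following is an added example, not code from this project, showing how a validator walks the DS-to-DNSKEY match and which of the cases above end up insecure (the DS is ignored because the validator cannot use it) versus bogus (the DS is usable but no key satisfies it). The owner name `valid.example.`, the 32-byte "public key" and the set of supported algorithms are constructed for the example; real signature verification of the DNSKEY RRset is omitted.

```python
import hashlib

# Digest types from IANA's "DS RR Type Digest Algorithms" registry that a typical
# validator implements: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
# Assumption for this example: the DNSSEC algorithm numbers this toy validator implements.
SUPPORTED_ALGOS = {5, 7, 8, 10, 13, 14, 15, 16}


def wire_name(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels,
    each prefixed by its length, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA (RFC 4034 section 2.1): 16-bit flags, protocol (always 3), algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B): add the RDATA up as 16-bit big-endian words,
    fold the carry back in and keep the low 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """DS fields for a DNSKEY: digest = H(canonical owner name | DNSKEY RDATA) (RFC 4034 section 5.1.4)."""
    digest = DS_DIGESTS[digest_type](wire_name(owner) + rdata).digest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def validate_delegation(owner, ds_rrset, dnskey_rrset):
    """Classify a child zone from the parent's DS RRset and the child's DNSKEY RRset.

    Returns (status, ede_code, reason); EDE codes are from RFC 8914.  DS records whose
    algorithm or digest type the validator does not implement are ignored, and if none
    remain the zone is insecure, not bogus (RFC 4035 section 5.2, RFC 6840 section 5.2).
    """
    if not ds_rrset:
        return "insecure", None, "no DS at the parent"                 # no-ds
    usable = [ds for ds in ds_rrset
              if ds["algorithm"] in SUPPORTED_ALGOS and ds["digest_type"] in DS_DIGESTS]
    if not usable:
        if any(ds["algorithm"] not in SUPPORTED_ALGOS for ds in ds_rrset):
            return "insecure", 1, "Unsupported DNSKEY Algorithm"     # ds-unassigned/reserved-key-algo
        return "insecure", 2, "Unsupported DS Digest Type"           # ds-unassigned-digest-algo
    for ds in usable:
        for rdata in dnskey_rrset:
            # A candidate key must agree on algorithm and key tag (ds-bad-key-algo, ds-bad-tag)
            # and carry the Zone Key flag, bit 7 of the flags field (RFC 4035 section 5.2).
            if rdata[3] != ds["algorithm"] or key_tag(rdata) != ds["key_tag"]:
                continue
            if not rdata[0] & 0x01:
                continue
            digest = DS_DIGESTS[ds["digest_type"]](wire_name(owner) + rdata).digest()
            if digest == ds["digest"]:          # ds-bogus-digest-value fails here
                return "secure", None, "DS matches DNSKEY %d" % ds["key_tag"]
    return "bogus", 9, "DNSKEY Missing"


if __name__ == "__main__":
    # Constructed sample: a made-up 32-byte "public key" (not a real key) under a made-up name.
    OWNER = "valid.example."
    KSK = dnskey_rdata(257, 13, bytes(range(32)))
    ds = make_ds(OWNER, KSK)
    print(validate_delegation(OWNER, [ds], [KSK]))
    print(validate_delegation(OWNER, [dict(ds, key_tag=0)], [KSK]))
    print(validate_delegation(OWNER, [dict(ds, algorithm=100)], [KSK]))
```

The distinction matters operationally: `ds-unassigned-key-algo` and `ds-unassigned-digest-algo` should resolve (insecurely) on a conformant validator, whereas `ds-bad-tag`, `ds-bad-key-algo` and `ds-bogus-digest-value` should SERVFAIL.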
DNS Security (DNSSEC) Hashed Authenticated Denial of Existence (RFC 5155) describes the inner workings of NSEC3.
| Subdomain | Description |
| --- | --- |
| no-nsec3 | All the NSEC3 records were removed from the zone file |
| no-nsec3-rrsig | RRSIGs over NSEC3 resource records were removed from the zone file |
| no-nsec3param | The NSEC3PARAM resource record was removed from the zone file |
| no-nsec3param-nsec3 | NSEC3 and NSEC3PARAM resource records were removed from the zone file |
| bad-nsec3-hash | The hash parts of the owner names are computed from the "I am not a real hash" string |
| bad-nsec3-next | The next hashed owner names are computed from the "I am not a real hash" string |
| bad-nsec3-rrsig | RRSIGs over NSEC3 RRsets are bogus |
| bad-nsec3param-salt | The salt value of the NSEC3PARAM resource record is changed from - to 1 |
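As an added example (not part of this project's code) covering both the iteration-count subdomains and the NSEC3 table above, here is the RFC 5155 hash computation together with the "does this NSEC3 record cover the queried name" check a validator performs. The chain of SHA-1 calls per name is `iterations + 1`, which is the computational burden RFC 9276 is about; the `bad-nsec3-hash` and `bad-nsec3-next` cases are exactly records whose owner or next field no longer corresponds to any such hash. The salt, iteration count and apex name used for the check come from RFC 5155 Appendix A; the covering-check inputs are constructed.

```python
import base64
import hashlib

# NSEC3 owner names use base32 with the "extended hex" alphabet (RFC 4648 section 7),
# chosen because it preserves the byte order of the digests: comparing the strings
# compares the hashes.  Python's b32encode uses the standard alphabet, so translate it.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical wire form of a name (RFC 4034 section 6.2): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_salt(presentation):
    """NSEC3PARAM salt in presentation form: "-" means the empty salt, otherwise hex."""
    return b"" if presentation == "-" else bytes.fromhex(presentation)


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(x, 0) = H(x | salt); IH(x, k) = H(IH(x, k-1) | salt); H is SHA-1.
    The `iterations` field counts additional rounds, so this is iterations + 1 SHA-1 calls,
    and a validator repeats it for every ancestor it must hash during a closest-encloser proof."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so there is no padding to strip.
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def nsec3_covers(owner_hash, next_hash, qname_hash):
    """True when an NSEC3 record with the given owner hash and Next Hashed Owner Name proves
    that qname_hash does not exist: the hash falls strictly between them, including the
    wrap-around from the last record of the chain to the first.  An exact match on the
    owner hash means the name exists, so it is not covered."""
    o, n, q = owner_hash.lower(), next_hash.lower(), qname_hash.lower()
    if o < n:
        return o < q < n
    return q > o or q < n            # last record in the chain wraps to the first


if __name__ == "__main__":
    # RFC 5155 Appendix A: "example. NSEC3PARAM 1 0 12 aabbccdd"
    salt = parse_salt("aabbccdd")
    apex = nsec3_hash("example.", salt, 12)
    print("example. ->", apex)
    # Cost of the page's nsec3-iter-* settings in SHA-1 calls per hashed name:
    for it in (0, 1, 50, 100, 500, 2500):
        print("iterations=%-5d sha1 calls per name=%d" % (it, it + 1))
```

Validators do not hash only the query name: a name-error proof needs the closest encloser, the next closer name and the wildcard, so a 2500-iteration zone costs thousands of SHA-1 calls per negative answer, on data an attacker can choose.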
See Resource Records for the DNS Security Extensions (RFC 4034) for the format of the DNSKEY resource record. The zone key bit is bit 7 of the flags field (flags 256 for a ZSK, 257 for a KSK with the SEP bit); a DNSKEY without it MUST NOT be used to verify RRSIGs.
| Subdomain | Description |
| --- | --- |
| no-zsk | The Zone Signing Key was removed |
| no-ksk | The Key Signing Key was removed |
| no-dnskey | Both DNSKEYs were removed |
| bad-zsk | The Zone Signing Key is wrong |
| bad-ksk | The Key Signing Key is wrong |
| no-dnskey-rrsig | RRSIGs over DNSKEY resource records were removed |
| bad-dnskey-rrsig | RRSIGs over DNSKEY resource records are bogus |
| no-dnskey-256 | The zone key bit of the Zone Signing Key is set to 0 |
| no-dnskey-257 | The zone key bit of the Key Signing Key is set to 0 |
| no-dnskey-256-257 | The zone key bits of both DNSKEYs are set to 0 |
| bad-zsk-algo | The algorithm field of the ZSK is set to 7 |
| bad-ksk-algo | The algorithm field of the KSK is set to 7 |
| unassigned-zsk-algo | The algorithm field of the ZSK is set to 100 |
| unassigned-ksk-algo | The algorithm field of the KSK is set to 100 |
| reserved-zsk-algo | The algorithm field of the ZSK is set to 200 |
| reserved-ksk-algo | The algorithm field of the KSK is set to 200 |
See Resource Records for the DNS Security Extensions (RFC 4034) for the format of the RRSIG resource record. The Inception and Expiration fields are 32-bit timestamps compared with serial-number arithmetic (RFC 1982), and a validator accepts a signature only when its current time lies between them (RFC 4035, section 5.3.1).
| Subdomain | Description |
| --- | --- |
| no-rrsig-all | All the RRSIGs were removed |
| no-rrsig-a | The RRSIG over the A RRset was removed |
| rrsig-exp-all | All the RRSIGs expired one minute after the inception |
| rrsig-exp-a | The RRSIG over the A RRset expired one minute after the inception |
| rrsig-exp-before-all | All the RRSIGs expired before the inception |
| rrsig-exp-before-a | The RRSIG over the A RRset expired before the inception |
| rrsig-not-yet-all | All the RRSIGs will become valid in one year |
| rrsig-not-yet-a | The RRSIG over the A RRset will become valid in one year |
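The following is an added example, not code from this project, of the validity-window check a validator applies to each RRSIG and the Extended DNS Error it attaches when the check fails. The timestamps are constructed to reproduce the table's scenarios; the cryptographic verification of the signature itself is omitted, as are the `check_rrset_signatures` helper name and its input shape, which are this example's own.

```python
from datetime import datetime, timezone

SERIAL_HALF = 1 << 31      # RFC 1982 serial arithmetic on 32-bit values


def rrsig_time(field):
    """Parse an RRSIG Inception/Expiration field in presentation form (YYYYMMDDHHmmSS, UTC,
    RFC 4034 section 3.2) into its wire value: seconds since the epoch, modulo 2^32."""
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & 0xFFFFFFFF


def serial_lt(a, b):
    """a < b under RFC 1982 serial-number arithmetic, the comparison RFC 4034 section 3.1.5
    prescribes for the two timestamp fields so that it survives the 32-bit wrap in 2106."""
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def check_rrsig_window(inception, expiration, now):
    """Return (valid, ede_code, reason) for one RRSIG's validity window.

    RFC 4035 section 5.3.1: the validator's current time must be >= Inception and <= Expiration.
    EDE codes from RFC 8914: 7 = Signature Expired, 8 = Signature Not Yet Valid.
    """
    if serial_lt(expiration, now):
        return False, 7, "Signature Expired"            # rrsig-exp-*, rrsig-exp-before-*
    if serial_lt(now, inception):
        return False, 8, "Signature Not Yet Valid"      # rrsig-not-yet-*
    return True, None, "within validity window"


def check_rrset_signatures(rrsigs, now):
    """An RRset is acceptable if any one of its RRSIGs is usable (RFC 4035 section 5.3.3);
    an RRset with no RRSIG at all is EDE 10 (RRSIGs Missing).
    `rrsigs` is a list of (inception, expiration) pairs in presentation form."""
    if not rrsigs:
        return False, 10, "RRSIGs Missing"              # no-rrsig-*
    result = None
    for inception, expiration in rrsigs:
        result = check_rrsig_window(rrsig_time(inception), rrsig_time(expiration), now)
        if result[0]:
            return result
    return result


if __name__ == "__main__":
    # Constructed timestamps modelling the table: signed at T, queried an hour later.
    T = rrsig_time("20240101000000")
    print("exp one minute after inception:", check_rrsig_window(T, T + 60, T + 3600))
    print("exp before inception:          ", check_rrsig_window(T, T - 60, T + 3600))
    print("valid in one year:             ", check_rrsig_window(T + 365 * 86400, T + 366 * 86400, T))
    print("no RRSIG:                      ", check_rrset_signatures([], T))
```

Note that `rrsig-exp-before-*` is reported as expired rather than as a malformed record: with Expiration before Inception the window is empty, and whichever bound the clock is past decides the error code.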
As per RFC 1713, a lame delegation "happens when a name server is listed in the NS records for some domain and in fact it is not a server for that domain".
| Subdomain | Description |
| --- | --- |
| allow-query-none | The nameserver does not accept queries for the subdomain |
| allow-query-localhost | The nameserver only accepts queries from localhost |
| v4-doc | The nameserver IP is set to a documentation IPv4 address |
| v6-doc | The nameserver IP is set to a documentation IPv6 address |
| not-auth | The nameserver does not serve this subdomain |
If you want to find out more about this project or have an interesting misconfiguration in mind, please contact me at yevheniya.nosyk@korlabs.io.