Unlocking the Full Potential of DNS Troubleshooting
The recording and slides are available here.
The nsec3-iter-* subdomains are now RFC 9276 compliant, meaning they use 0 additional iterations and no salt.
The recording of the IRTFOPEN session is available here.
The recording is available here.
It will be presented later this year in Vancouver during IETF 120.
This domain name (extended-dns-errors.com) has 52 subdomains with various misconfigurations or corner cases. Feel free to query them to check how your recursive resolver behaves when faced with erroneous domains. All the configuration instructions are provided on GitHub:
Subdomain | Configuration |
---|---|
valid | The correctly configured control domain |
unsigned | The domain name is not signed with DNSSEC |
allow-query-none | Nameserver does not accept queries for the subdomain |
allow-query-localhost | Nameserver only accepts queries from the localhost |
no-ds | The subdomain is correctly signed but no DS record was published at the parent zone |
ds-bad-tag | The key tag field of the DS record at the parent zone does not correspond to the KSK DNSKEY ID at the child zone |
ds-bad-key-algo | The algorithm field of the DS record at the parent zone does not correspond to the KSK DNSKEY algorithm at the child zone |
ds-unassigned-key-algo | The algorithm value of the DS record at the parent zone is unassigned (100) |
ds-reserved-key-algo | The algorithm value of the DS record at the parent zone is reserved (200) |
ds-unassigned-digest-algo | The digest algorithm value of the DS record at the parent zone is unassigned (100) |
ds-bogus-digest-value | The digest value of the DS record at the parent zone does not correspond to the KSK DNSKEY at the child zone |
rrsig-exp-all | All the RRSIG records are expired |
rrsig-exp-a | The RRSIG over A RRset is expired |
rrsig-not-yet-all | All the RRSIG records are not yet valid |
rrsig-not-yet-a | The RRSIG over A RRset is not yet valid |
rrsig-exp-before-all | All the RRSIGs expired before the inception time |
rrsig-exp-before-a | The RRSIG over A RRset expired before the inception time |
rrsig-no-all | All the RRSIGs were removed from the zone file |
rrsig-no-a | The RRSIG over A RRset was removed from the zone file |
no-rrsig-ksk | The RRSIG over KSK DNSKEY was removed from the zone file |
no-rrsig-dnskey | All the RRSIGs over DNSKEY RRsets were removed from the zone file |
bad-nsec3-hash | Hashed owner names were modified in all the NSEC3 records |
bad-nsec3-next | Next hashed owner names were modified in all the NSEC3 records |
bad-nsec3param-salt | The salt value of the NSEC3PARAM resource record is wrong |
bad-nsec3-rrsig | RRSIGs over NSEC3 RRsets are bogus |
nsec3-missing | All the NSEC3 records were removed from the zone file |
nsec3-rrsig-missing | RRSIGs over NSEC3 RRsets were removed from the zone file |
nsec3param-missing | NSEC3PARAM resource record was removed from the zone file |
no-nsec3param-nsec3 | NSEC3 and NSEC3PARAM resource records were removed from the zone file |
no-zsk | The ZSK DNSKEY was removed from the zone file |
bad-zsk | The ZSK DNSKEY resource record is wrong |
no-ksk | The KSK DNSKEY was removed from the zone file |
bad-rrsig-ksk | The RRSIG over KSK DNSKEY is wrong |
bad-ksk | The KSK DNSKEY is wrong |
bad-rrsig-dnskey | All the RRSIGs over DNSKEY RRsets are wrong |
no-dnskey-256 | The Zone Key Bit is set to 0 for the ZSK DNSKEY |
no-dnskey-257 | The Zone Key Bit is set to 0 for the KSK DNSKEY |
no-dnskey-256-257 | The Zone Key Bit is set to 0 for both the KSK DNSKEY and ZSK DNSKEY |
bad-zsk-algo | The ZSK DNSKEY algorithm number is wrong |
unassigned-zsk-algo | The ZSK DNSKEY algorithm number is unassigned (100) |
reserved-zsk-algo | The ZSK DNSKEY algorithm number is reserved (200) |
ed448 | The zone is signed with ED448 algorithm |
v6-doc | The AAAA glue record at the parent zone is from the documentation range |
v4-doc | The A glue record at the parent zone is a documentation address |
dsa | The zone is signed with DSA algorithm |
rsamd5 | The zone is signed with RSAMD5 algorithm |
not-auth | Given nameservers are not authoritative for this domain |
nsec3-iter-1 | NSEC3 iteration count is set to 1 |
nsec3-iter-51 | NSEC3 iteration count is set to 51 |
nsec3-iter-101 | NSEC3 iteration count is set to 101 |
nsec3-iter-151 | NSEC3 iteration count is set to 151 |
nsec3-iter-200 | NSEC3 iteration count is set to 200 |
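The practical way to check how a validating resolver reacts to these subdomains is to send it a query with the DO bit set and read the Extended DNS Error option (RFC 8914, EDNS option code 15) it attaches to the SERVFAIL. The following script is an added example, not part of the extended-dns-errors.com project or its GitHub instructions: it builds such a query with only the Python standard library, parses the EDE option out of a raw response, and runs the parser over a hand-constructed SERVFAIL carrying EDE code 7 (Signature Expired), which is the kind of answer one would expect for `rrsig-exp-a`. The constructed packet, its EXTRA-TEXT string and the `RESOLVER_IP` placeholder are assumptions; which EDE code a real resolver returns for each subdomain depends on its implementation, and the `EDE_CODES` table lists only the DNSSEC-related subset of the registry.

```python
"""Build a DO-bit query and extract Extended DNS Error (RFC 8914) codes from
a resolver's raw response, using only the standard library."""
import socket
import struct

EDNS_OPTION_EDE = 15     # EDNS option code registered for EDE
OPT_TYPE = 41            # RR type of the EDNS OPT pseudo-record

# RFC 8914 section 4 INFO-CODEs: DNSSEC-related subset only (assumption: enough
# for classifying answers from the misconfigured test zones above)
EDE_CODES = {
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus", 7: "Signature Expired",
    8: "Signature Not Yet Valid", 9: "DNSKEY Missing", 10: "RRSIGs Missing",
    11: "No Zone Key Bit Set", 12: "NSEC Missing", 20: "Not Authoritative",
    22: "No Reachable Authority",
}
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Recursive query plus an OPT RR with the DO bit, so the resolver
    validates and is allowed to attach an EDE option to its answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP payload 1232, ext-rcode 0, version 0, flags DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compression-pointer terminated) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1


def parse_ede(msg: bytes):
    """Return (rcode_name, [(info_code, meaning, extra_text), ...]) for a response."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
    errors = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        rcode |= (ttl >> 24) << 4                 # OPT TTL high byte extends the RCODE
        pos = 0
        while pos + 4 <= len(rdata):              # walk the EDNS option list
            ocode, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            odata = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if ocode == EDNS_OPTION_EDE and olen >= 2:
                info = struct.unpack("!H", odata[:2])[0]
                text = odata[2:].decode("utf-8", errors="replace")
                errors.append((info, EDE_CODES.get(info, f"Unknown ({info})"), text))
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}"), errors


def constructed_servfail_response(name: str) -> bytes:
    """Constructed sample (not captured from a real resolver): SERVFAIL with
    EDE 7 (Signature Expired), the shape expected for the rrsig-exp-a zone."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)  # QR, RD, RA, RCODE=2
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    text = b"signature expired"                                  # constructed EXTRA-TEXT
    option = struct.pack("!HHH", EDNS_OPTION_EDE, 2 + len(text), 7) + text
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, 1232, 0, 0, 0x8000, len(option)) + option
    return header + question + opt


def query_resolver(name: str, resolver: str, timeout: float = 3.0) -> bytes:
    """Send the query over UDP and return the raw answer (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        return sock.recv(4096)


if __name__ == "__main__":
    print(parse_ede(constructed_servfail_response("rrsig-exp-a.extended-dns-errors.com")))
    # Live check against your own resolver (RESOLVER_IP is a placeholder):
    # print(parse_ede(query_resolver("rrsig-exp-a.extended-dns-errors.com", "RESOLVER_IP")))
```

Running the constructed sample prints `('SERVFAIL', [(7, 'Signature Expired', 'signature expired')])`; pointing `query_resolver` at a local validating resolver lets you tabulate which of the 52 subdomains produce which EDE code, and a SERVFAIL with no EDE option at all tells you the resolver does not yet implement RFC 8914.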
If you want to find out more about this project or have an interesting misconfiguration in mind, please contact me at yevheniya.nosyk@korlabs.io.