Hi guys

What is the way we do tests of DNSSEC? I have got all the setup in place but would like to implement a test plan for it before going live as I do not want to risk screwing up our production DNS servers.

I would appreciate your help

Many thanks in advance

Del

...and the first three hits in Google for "how do you test DNSSEC" are:

http://dnssec-debugger.verisignlabs.com/
https://docs.menandmice.com/display/...SEC+validation
http://dnssec.vs.uni-due.de/

...among MANY others. Since you don't provide details, there isn't much we can tell you.

Many thanks TB0ne
I was thinking the test by using a test DNS server in a lab or something like that using Ubuntu/Debian without having the touch the production DNS server
cheers

Indeed, you can setup a couple of test DNS servers to try to sign your DNS records; and you can actually check the results with the dig command.

What I recommend it mostly to test how to maintain your DNS server alive: signatures need to be refreshed over time (depending on your policy) and that is a critical operation that must be tested in advance (you can search for "DNSSEC key roll-over" for more details about this). There is even some software dedicated to that task.

Then when you have a validated system, you can implement the same thing in production.

1 members found this post helpful.

Thanks very much Ellendhel

We have our DNS server that is authoritative for internal requests and caching only for external requests. In other words, we do not get our DNS records queried from the outside we just use it for querying externally can we still configure DNSSEC?

Many thanks

So, there is two different things:

- Having your DNS records on your authoritative server signed, to provide DNSSEC to everybody (not only your organization, but all people on the Internet as well). This what I was referring to in my previous message.

- Having an internal DNS server able to manage DNSSEC request for your clients, so you can check records from other domains.

I'm not sure what your request is, if it's for one or the other.

Signing your zone with DNSSEC requires preparation, planning, testing and training. BIND is probably the software that you will use for this.

Using a DNS resolver able to check signature validity is way more easier. You can use BIND or Unbound for that purpose (again, with some planning and testing in advance) and then configure all your clients to use that server (usually this is done with your DHCP server).

If you have only one DNS server doing everything (being the authority and acting as a resolver for the clients) I would recommend to split this between two different servers first, if possible.

Thanks for your feedback Ellendhel

Our DNS server is authoritative only inside our organisation and our DNS records are not queried from the internet. It is not a public facing DNS server, however we use this DNS server to query externally. My question is can we still configure DNSSEC in this kind of configuration?

Yes, as you are using your server for both the 'authoritative' and the 'resolver' functions, you can enable DNSSEC for the 'resolver' function only.

If you are using BIND, you can look at the page listed below:

Bind Authoritative Caching DNS with DNSSEC - Calomel.org

This is for an OpenBSD server, but except for the location of some files, things will be the same on a Linux server.

Thank you very much for your help Ellendhel. I will keep doing research. Cheers