
[dnsext] Report on NSEC3 interop workshop during IETF73



[ Moderators note: Post was moderated, either because it was posted by
  a non-subscriber, or because it was over 20K.
  With the massive amount of spam, it is easy to miss and therefore
  delete relevant posts by non-subscribers.
  Please fix your subscription addresses. ]

As some of you may be aware, we got together a few people involved in the production of software supporting NSEC3, as well as some registry people, and put all the implementations we knew of and had at hand against each other.

Below is the report of this activity.

Joao Damas
ISC



NSEC3 interoperability workshop
Minneapolis, Minnesota, USA
17 December 2008


Participants
============
Local
-----
Joe Gersch - Secure64
Jelte Jansen - NLNetLabs
Rob Austein - ISC
Mark Andrews - ISC
João Damas - ISC
Roy Arends - Nominet
Shane Kerr - Afilias
Frederico Neves - Registro.br
Hugo Koji Kobayashi - Registro.br

Remote
------
Wouter Wijngaards - NLNetLabs
Matthijs Mekking - NLNetLabs


Goals
=====

Test available implementations of NSEC3 DNSSEC software, both signers/authoritative servers and validating resolvers.

Implementations present
=======================
- BIND 9.6.0rc1
- NSD
- Secure64
- Registro.br (NSEC3 signer only, no validator)
- unbound
- ldns (signer)


Tests undertaken
================

AXFR/IXFR in both directions between all implementations present (Registro.br as source only).

Initial test zone: the sec3.br zone (Registro.br).
All servers transferred the production sec3.br zone correctly.


Same tests using the RFC example zone to introduce tests using opt-out
----------------------------------------------------------------------

transfer from BIND to NSD
 axfr tested OK. Zones on both servers are equal
 ixfr tested OK. Zones on both servers are equal

transfer from BIND to secure64
 axfr tested OK. Zones on both servers are equal
 ixfr tested OK. Zones on both servers are equal

transfer from NSD to BIND
 axfr tested OK. Zones on both servers are equal
 ixfr NOTIMPL. Fallback to AXFR

transfer from NSD to secure64
 axfr tested OK. Zones on both servers are equal
 ixfr NOTIMPL. Fallback to AXFR was not working; forced AXFR worked OK.

transfer from secure64 to NSD
 axfr tested OK, including fallback to AXFR from IXFR

transfer from secure64 to BIND
 axfr tested OK. Zones on both servers are equal
 ixfr tested OK. Zones on both servers are equal

Validation
==========

Validators tested: Unbound, drill, BIND

Queries tested
--------------
Query for existing RR
Query for non-existing RR
Query for non-existing RR in an opt-out range
Query for non-existing RR without opt-out
Query for existing RR with invalid signature

* BIND vs BIND
   validate OK for the 5 queries

* BIND vs Secure64
   validate OK for the 5 queries

* Unbound vs BIND
   validate OK for the 5 queries

* Unbound vs NSD
   validate OK for the 5 queries

* Unbound vs Secure64 cache
   all 5 queries OK

* Drill vs BIND cache
   validate OK for the 5 queries


Issues discovered
=================

All 3 signers were adding the RRSIG bit to the NSEC3 type bitmap at insecure delegations. This causes no operational problems other than a larger than necessary NSEC3 RR. All vendors committed to fixing it in their next releases.
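
The bitmap problem above can be checked mechanically. The following is an added example (not code from the workshop or from any of the implementations listed) that encodes and decodes the windowed Type Bit Maps wire format of RFC 4034 section 4.1.2, derives the type set an NSEC3 RR should carry for a name under RFC 5155 section 7.1, and flags a bitmap that sets RRSIG at an insecure delegation. It assumes the caller has already excluded glue from the types it passes in.

```python
# RR type codes from RFC 4034 / RFC 5155 used below
NS, DS, RRSIG, NSEC3 = 2, 43, 46, 50

def encode_type_bitmap(types):
    """Encode a set of RR type codes into the windowed Type Bit Maps
    wire format shared by NSEC and NSEC3 (RFC 4034 section 4.1.2)."""
    out = b""
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                bits[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
        length = max(i for i, b in enumerate(bits) if b) + 1  # trailing zero octets are omitted
        out += bytes([window, length]) + bytes(bits[:length])
    return out

def decode_type_bitmap(data):
    """Inverse of encode_type_bitmap: wire bytes -> set of type codes."""
    types, i = set(), 0
    while i < len(data):
        window, length = data[i], data[i + 1]
        for j, octet in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((window << 8) | (j << 3) | bit)
        i += 2 + length
    return types

def expected_nsec3_types(auth_types, zone_apex=False):
    """Types an NSEC3 bitmap should list for a name whose authoritative
    RRsets have the given type codes (RFC 5155 section 7.1).
    NSEC3 itself is never listed; RRSIG is listed only when some RRset at
    the name is actually signed. At a delegation (NS below the apex) the
    NS RRset is unsigned, so RRSIG belongs there only if a DS RRset exists.
    Assumption: glue has already been excluded from auth_types."""
    types = set(auth_types) - {NSEC3, RRSIG}
    if NS in types and not zone_apex:
        if DS in types:
            types.add(RRSIG)
    elif types:
        types.add(RRSIG)
    return types

def check_bitmap(bitmap, auth_types, zone_apex=False):
    """Lint a wire-format NSEC3 bitmap; returns (ok, spurious, missing)."""
    got = decode_type_bitmap(bitmap)
    want = expected_nsec3_types(auth_types, zone_apex)
    return got == want, got - want, want - got

if __name__ == "__main__":
    # Constructed input: what the workshop saw at an insecure delegation (NS + RRSIG)
    print(check_bitmap(encode_type_bitmap({NS, RRSIG}), {NS}))  # (False, {46}, set())
```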

Secure64 pointed to an inconsistency in RFC 5155, already addressed by one of the authors in a communication to the IETF DNS Extensions WG.


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>