[sf-lug] dnsviz (http://dnsviz.net/) & (bit of) DNSSEC (was: Re: sf-lug.net & sf-lug.com ready for DNS delegation & slaves, etc.)
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Mon Sep 16 21:48:24 PDT 2019
> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: Re: [sf-lug] sf-lug.net & sf-lug.com ready for DNS
> delegation & slaves, etc.
> Date: Fri, 13 Sep 2019 18:00:23 -0700
> I am not familiar with dnsviz. dig, whois, and host are still my
> Kung-Fu. (Michael is welcome to plug for the new thingie.)
dnsviz (http://dnsviz.net/) is a lovely DNSSEC visualization tool -
very handy for (mostly) checking that DNSSEC is set up properly and working,
and does some DNS checks too. It's by no means a full check of
everything, or even everything DNSSEC, but it's typically highly
useful at spotting most common DNSSEC issues.
E.g. use http://dnsviz.net/ on some various domains (e.g. sf-lug.org,
linuxmafia.com, google.com, ...) - see who does & doesn't have
DNSSEC, what kinds of keys/delegation, if/where things are
broken out there (I think there are some example intentionally
broken ones out there for demonstration/test purposes).
I think it mostly does a top-down check of delegation/signing
and such; it may not check *all* authoritative servers, protocols,
flags, etc. But it is highly handy for often quickly seeing
where specific DNSSEC problems are.
As for more thorough checking - probably use delv(1),
which is ISC BIND9's successor tool to dig(1), and *mostly*
backwards compatible with dig(1) ... though there are many
subtle differences and (mostly modest(ish?)) variations in
syntax.
delv is also designed/engineered to do things much more like a resolver
generally does, so, at least in theory, it should be better at
isolating/replicating/detecting issues - and especially more
oddball/rare/funky/finicky ones. delv is also excellent for
testing/diagnosing DNSSEC issues and testing thereof - much better at
that and more capable than dig. One would do well to start to get
used to / familiar with delv ... though many distributions/versions
out there still have dig, rather than delv (of course one can also
have both).
Oh, and delv is also highly handy for checking your DNSSEC *before*
you take the final steps to activate it - and that's a *really good
thing*. Why? Because if one *improperly* activates it, one can
effectively blow one's DNS out of the water - essentially saying,
hey, you using DNSSEC? Great, only trust us if we're properly signed,
here's our signing stuff and ... we f*cked it up, don't trust us at all,
reject our DNS and hang onto and cache that data for quite a nice long
time - yeah, ... best to avoid doing that. Test first - delv lets
you set up your DNSSEC on your server before you do the DS delegation bit
to make it go "live" - that's essentially when you have the parent
say how your DNSSEC will be signed - and with DNSSEC, to not trust it
if it's not so signed.
Also, since dig has been around and been the de facto tool for quite a while,
I think the general dig-->delv transition will be a relatively
long one - I'd expect *both* to be around and hang around for quite some
while. Uh, ... can we get rid of nslookup already? :-} Or at least
banish its use? It is grossly inferior to even dig.
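The "test before you publish the DS" point above has one concrete, offline-checkable piece: the DS the parent publishes must be derived exactly from the DNSKEY the child serves (same owner name, key tag, algorithm, and digest). The following is an added example, not code from the original post nor from ISC BIND or dnsviz. It computes the expected DS from a presentation-format DNSKEY line (the format `dig +noall +answer example.com DNSKEY @your-auth-server` prints) per RFC 4034 section 5.1.4, with the key tag arithmetic from RFC 4034 Appendix B and SHA-384 (digest type 4) from RFC 6605, and compares it with a DS line as a registrar or `dig example.com DS` would show it. The sample DNSKEY is constructed (a 64-byte all-0x01 "public key" under a made-up example.com), not a real key; RFC 4034 section 5.4 carries a real worked DNSKEY/DS pair if you want an independent vector.

```python
"""Check that a DS record really covers the DNSKEY it claims to.

Added example; not code from the original post, ISC BIND, or dnsviz.
Computes what the DS at the parent *should* be from the child's
published DNSKEY (RFC 4034 s5.1.4; key tag per RFC 4034 Appendix B;
SHA-384 DS per RFC 6605) and compares it with a DS line as the
registrar shows it.  Sample records below are constructed, not real.
"""
import base64
import hashlib

# DS digest type -> hash constructor (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form of an owner name."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"          # the root name is a single empty label
    wire = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def _tokens(line: str) -> list:
    """Split a presentation-format RR, dropping ';' comments and ( )."""
    return line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()


def parse_dnskey(line: str):
    """'owner TTL IN DNSKEY flags proto alg base64...' -> (owner, rdata)."""
    toks = _tokens(line)
    i = toks.index("DNSKEY")
    flags, proto, alg = (int(t) for t in toks[i + 1:i + 4])
    pubkey = base64.b64decode("".join(toks[i + 4:]))
    return toks[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey


def parse_ds(line: str):
    """'owner TTL IN DS tag alg dtype hex...' -> (owner, tag, alg, dtype, hex)."""
    toks = _tokens(line)
    i = toks.index("DS")
    tag, alg, dtype = (int(t) for t in toks[i + 1:i + 4])
    return toks[0], tag, alg, dtype, "".join(toks[i + 4:]).lower()


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (all algs except RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(dnskey_line: str, digest_type: int = 2):
    """What the parent's DS must say: (owner, key tag, alg, dtype, digest hex)."""
    owner, rdata = parse_dnskey(dnskey_line)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return owner.lower().rstrip("."), key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(dnskey_line: str, ds_line_text: str) -> bool:
    """True iff the DS line is exactly the DS that covers this DNSKEY."""
    owner, tag, alg, dtype, digest = parse_ds(ds_line_text)
    if dtype not in DIGEST_TYPES:
        return False            # unknown digest type: nothing can validate it
    expected = ds_from_dnskey(dnskey_line, dtype)
    return expected == (owner.lower().rstrip("."), tag, alg, dtype, digest)


def ds_line(dnskey_line: str, digest_type: int = 2, ttl: int = 3600) -> str:
    """Presentation-format DS to hand to the parent/registrar."""
    owner, tag, alg, dtype, digest = ds_from_dnskey(dnskey_line, digest_type)
    return f"{owner}. {ttl} IN DS {tag} {alg} {dtype} {digest.upper()}"


# Constructed sample (not a real key): a KSK-flagged DNSKEY (257) using
# ECDSA P-256/SHA-256 (alg 13) whose 64 "public key" bytes are all 0x01.
SAMPLE_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 ( "
                 + base64.b64encode(b"\x01" * 64).decode() + " ) ; KSK")
# Key tag for that RDATA, worked by hand with the Appendix B arithmetic.
SAMPLE_KEY_TAG = 9262

if __name__ == "__main__":
    good = ds_line(SAMPLE_DNSKEY)
    # A DS naming a different key tag: what a registrar typo looks like.
    bad = good.replace(f" {SAMPLE_KEY_TAG} ", f" {SAMPLE_KEY_TAG + 1} ")
    print("expected DS   :", good)
    print("good DS matches:", ds_matches(SAMPLE_DNSKEY, good))   # True
    print("bad  DS matches:", ds_matches(SAMPLE_DNSKEY, bad))    # False
```

Feed it the DNSKEY line from your own authoritative server and the DS line the registrar is about to publish (or already publishes); a False here is exactly the "don't trust us at all" failure described above, caught before any validating resolver caches it. This only checks the DS/DNSKEY link; for the rest of the chain (RRSIGs, expiry, NSEC/NSEC3), run delv with +vtrace against your server, or with -a pointing at a file holding your own KSK plus +root=yourzone to validate the zone before the parent carries the DS.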