Author Topic: DNSSEC Test  (Read 346 times)

webernetz (Newbie, Posts: 8, Blog: Webernetz.net)
DNSSEC Test
« on: August 09, 2018, 05:36:47 PM »
One feature request: Could you add a check whether DNSSEC validation is performed by the DNS server that comes via DHCP? That is: The app should ask for two FQDNs that are signed, while one of them is valid and the other one is not.

For example (as used by the online test at https://dnssec.vs.uni-due.de/):
sigok.verteiltesysteme.net
sigfail.verteiltesysteme.net

If the DNS server is capable of DNSSEC, the first query should have the "ad" flag set in the DNS response (and should indicate a big green checkmark in the Pockethernet app), while the second query should return a "SERVFAIL" status code from the DNS server, since this specific FQDN has a malformed DNSSEC signature. This should also indicate a big green (!) checkmark in the app, since DNSSEC validation works correctly as it detected the malformed signature.

Otherwise (if neither the "ad" flag comes back, nor the malformed signature was detected) both tests should indicate a red sign.

Thanks a lot,
Johannes
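The check described in the post, as an added example that is not part of the original thread or of the Pockethernet app: it builds the two queries with the AD bit set (so a validating resolver will echo AD back), then reads the flags of the two responses and judges each exactly as the post describes (sigok must come back NOERROR with AD set, sigfail must come back SERVFAIL). The response headers are constructed inline to run offline; the function names are the example's own.

```python
import struct
from dataclasses import dataclass

NOERROR, SERVFAIL = 0, 2
HEADER = struct.Struct("!HHHHHH")  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

@dataclass(frozen=True)
class Flags:
    qr: bool     # True for a response
    ad: bool     # Authenticated Data: the resolver validated the answer
    rcode: int   # NOERROR=0, SERVFAIL=2, NXDOMAIN=3, ...

def build_query(qname: str, ident: int = 0x1234) -> bytes:
    """A/IN query with RD and AD set; a validating resolver reports AD only if the query asked for it."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return HEADER.pack(ident, 0x0120, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_flags(msg: bytes) -> Flags:
    """Decode QR, AD and RCODE from the 12-byte DNS header."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS message")
    _, flags, *_ = HEADER.unpack_from(msg)
    return Flags(qr=bool(flags & 0x8000), ad=bool(flags & 0x0020), rcode=flags & 0x000F)

def judge(sigok_resp: bytes, sigfail_resp: bytes) -> dict:
    """Green (True) / red (False) per query, following the rule in the post."""
    ok, fail = parse_flags(sigok_resp), parse_flags(sigfail_resp)
    return {
        "sigok": ok.qr and ok.rcode == NOERROR and ok.ad,      # answered and validated
        "sigfail": fail.qr and fail.rcode == SERVFAIL,         # bad signature rejected
    }

def is_validating(sigok_resp: bytes, sigfail_resp: bytes) -> bool:
    return all(judge(sigok_resp, sigfail_resp).values())

# Constructed sample responses (header only; the question/answer sections are not needed here).
def _resp(flags: int) -> bytes:
    return HEADER.pack(0x1234, flags, 1, 0, 0, 0)

VALIDATING = (_resp(0x81A0), _resp(0x8182))       # sigok: NOERROR+AD, sigfail: SERVFAIL
NON_VALIDATING = (_resp(0x8180), _resp(0x8180))   # both answered, no AD, no SERVFAIL

if __name__ == "__main__":
    for name, pair in (("validating", VALIDATING), ("non-validating", NON_VALIDATING)):
        print(name, judge(*pair), "->", "green" if is_validating(*pair) else "red")
```

A resolver that answers sigok without AD and still answers sigfail with NOERROR gets red on both, which is the "neither" case from the post; a resolver that sets AD but answers sigfail NOERROR gets red only on sigfail.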