The Men & Mice Blog

DNSSEC monitoring tools

Posted by Dagmar Hilmarsdottir on 5/16/11 10:14 AM

Mr. Carsten Strotmann, one of the Men & Mice experts, has compiled a list of tools that can help verify a DNSSEC-signed zone.

Symptom: A newly DNSSEC-signed zone should be monitored to detect potential DNSSEC validation issues before the zone goes public.

Problem: A DNSSEC-signed zone is much more vulnerable to software errors and operational errors: a small misconfiguration can render the whole zone invalid.

Solution: Below is a list of tools that can help verify a DNSSEC-signed zone. DNSSEC verification can be done at different stages of DNSSEC zone deployment.

DNSSEC validation issues

Verisign jdnssec-tools

jdnssec-verifyzone: A tool that verifies a signed zone for DNSSEC correctness, i.e. that the zone was correctly signed. It checks that all signatures are valid, that all expected signatures exist, that all expected NSEC or NSEC3 records exist and are correctly formed, and that the NSEC/NSEC3 chain is correctly formed.

Java-based
http://www.verisignlabs.com/dnssec-tools/


AFNIC ZoneCheck

a generic DNS zone checker that includes some DNSSEC checks
can be augmented with other tools
delivers a solid framework for DNS checks

Ruby-based
http://www.zonecheck.fr/features.shtml


.SE dnssec-monitor

a small set of DNSSEC-related tools that .SE uses to monitor DNSSEC-signed zones

Perl-based
https://github.com/dotse/dnssec-monitor

SurfNet DNSSEC Checker

the DNSSEC Checker is a script that uses unbound-host and dnspython to verify DNSSEC information

Python-based / Unbound-based
http://www.dnssecmonitor.org/source.php

YAZVS — Yet Another Zone Validation Script

yazvs.pl is one of the utilities that VeriSign uses daily to validate new versions of the root and arpa zones before they are published to the distribution masters.

Perl-based
http://yazvs.verisignlabs.com/

Vantages D-Sync

"D-Sync" monitors the secure delegation state between a child zone's DNSKEY(s) and the parent zone's DS record(s) for that child. D-Sync uses a state-engine to track consistency during DNSKEY rollovers and DS record updates and alerts operators to various events.

C++-based
http://www.vantage-points.org/index.html

NlNetLabs ldns-verify-zone (part of ldns)

ldns-verify-zone reads a DNS zone file and verifies it. RRSIG resource records are checked against the DNSKEY set at the zone apex. Each name is checked for an NSEC(3), if appropriate.

C-based
http://www.nlnetlabs.nl/projects/ldns/


nagval

nagval - Nagios/Icinga plugin to check validity of one or more DNSSEC domains

C-based
https://github.com/jpmens/nagval


Keychecker

Monitor and analyze DNSSEC key rollovers

Python-based
https://github.com/bortzmeyer/key-checker

OpenDNSSEC auditor

The OpenDNSSEC DNSSEC automation suite contains a module (the auditor) that checks the DNSSEC-signed zone created by the OpenDNSSEC signer. The list of checks done by the auditor can be found at
http://trac.opendnssec.org/wiki/Signer/AuditorRequirements

Ruby-based
http://www.opendnssec.org/


OpenDNSSEC monitor

This project contains tools to monitor a DNSSEC-signed zone, including a Nagios plug-in.

Ruby-based
http://trac.opendnssec.org/wiki/Signer/MonitorRequirements

http://svn.opendnssec.org/trunk/monitor/
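As an added example (not code from this post or from any of the tools listed above), the following Python script performs a few of the checks those tools automate: it recomputes the key tag of each apex DNSKEY (RFC 4034, Appendix B) and flags RRSIGs that are expired, close to expiry, not yet valid, or that reference a key tag or algorithm missing from the DNSKEY set. The zone records and the reference time are constructed for the example; the script does not verify the signatures cryptographically, which is what the listed tools do in addition.

```python
"""Offline sanity checks for a DNSSEC-signed zone in presentation format.

Added example, not from the Men & Mice post or any tool it lists. Expects
one record per line as a signer writes them: "owner TTL IN TYPE rdata".
"""
import base64
import struct
from datetime import datetime, timedelta, timezone


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag of a DNSKEY from its RDATA (RFC 4034 Appendix B; not for alg 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_time(stamp: str) -> datetime:
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_zone(text: str):
    """Return ({key_tag: (owner, flags, algorithm)}, [rrsig dicts])."""
    keys, sigs = {}, []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not an "owner TTL IN TYPE ..." record line
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            pub = base64.b64decode("".join(rdata[3:]))
            keys[key_tag(flags, proto, alg, pub)] = (owner, flags, alg)
        elif rtype == "RRSIG":
            # RDATA order: type covered, alg, labels, original TTL, expiration,
            # inception, key tag, signer name, signature (RFC 4034 section 3.2)
            sigs.append({
                "owner": owner, "covered": rdata[0], "algorithm": int(rdata[1]),
                "labels": int(rdata[2]), "expiration": parse_time(rdata[4]),
                "inception": parse_time(rdata[5]), "key_tag": int(rdata[6]),
                "signer": rdata[7],
            })
    return keys, sigs


def audit_zone(text: str, now: str, warn_days: int = 7):
    """Return a list of (level, message) findings; `now` is YYYYMMDDHHmmSS UTC."""
    keys, sigs = parse_zone(text)
    ts = parse_time(now)
    findings = []
    for s in sigs:
        where = f"{s['owner']} RRSIG({s['covered']}) key tag {s['key_tag']}"
        key = keys.get(s["key_tag"])
        if key is None:
            findings.append(("ERROR", f"{where}: no DNSKEY with this key tag at {s['signer']}"))
            continue
        if key[2] != s["algorithm"]:
            findings.append(("ERROR", f"{where}: algorithm {s['algorithm']} differs from DNSKEY algorithm {key[2]}"))
        if s["labels"] > len([l for l in s["owner"].split(".") if l]):
            findings.append(("ERROR", f"{where}: labels field {s['labels']} exceeds owner name labels"))
        if ts < s["inception"]:
            findings.append(("ERROR", f"{where}: not yet valid (inception {s['inception']:%Y-%m-%d})"))
        elif ts >= s["expiration"]:
            findings.append(("ERROR", f"{where}: expired on {s['expiration']:%Y-%m-%d}"))
        elif s["expiration"] - ts < timedelta(days=warn_days):
            left = (s["expiration"] - ts).days
            findings.append(("WARN", f"{where}: expires in {left} days; re-sign before then"))
    return findings


# Constructed sample zone: placeholder keys and signatures, not real key material.
SAMPLE_ZONE = """\
example.com. 3600 IN DNSKEY 257 3 8 AwQ=   ; KSK, key tag 1805
example.com. 3600 IN DNSKEY 256 3 8 AQI=   ; ZSK, key tag 1290
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20110701000000 20110501000000 1805 example.com. c2ln
example.com. 3600 IN RRSIG SOA 8 2 3600 20110520000000 20110510000000 1290 example.com. c2ln
www.example.com. 3600 IN RRSIG A 8 3 3600 20110515000000 20110505000000 1290 example.com. c2ln
mail.example.com. 3600 IN RRSIG A 8 3 3600 20110601000000 20110510000000 4242 example.com. c2ln
"""

if __name__ == "__main__":
    # Reference time chosen to match the post date; a real run would use the current time.
    for level, msg in audit_zone(SAMPLE_ZONE, now="20110516101400"):
        print(level, msg)
```

Run against the sample on 2011-05-16 it reports the SOA signature expiring in three days, the already expired signature on www.example.com, and the signature under mail.example.com whose key tag matches no published DNSKEY; the DNSKEY RRSIG itself passes. Running this on every newly signed zone before it is loaded, as the Symptom above suggests, catches the most common re-signing and key-rollover slips before resolvers see them.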


Do you know of any other DNSSEC monitoring tools that can help verify a DNSSEC-signed zone?

Topics: DNSSEC
