powerdns.bind9.powerdns.delegations.wb.sidnlabs.nl Open in urlscan Pro
2a00:d78:0:712:94:198:159:39  Public Scan

Form analysis
0 forms found in the DOM

Text Content

SIDN LABS DNS WORKBENCH - MAIN MENU

Sections: Main | RRtypes | DNSSEC validator testing | Delegations | Transfers
and TSIG


The SIDN Labs DNS workbench is a set of different nameservers that run a known
set of configurations and zones; In general the goal is to be able to send a
specific query to different implementations and see the difference in their
responses, if any.

The idea behind the workbench is that, without having to set up an entire
infrastructure yourself, you can quickly find answers to questions such as 'How
does NSD4 respond to an ANY query for a wildcard name in an NSEC3 opt-out zone?'
It can also be used to test different (validating) resolvers on their behaviour
in certain circumstances.

Note: This is a work in progress. Server names, zone names and contents may
change in the near future. If you see something you don't expect, always check
these pages first.

At this moment, there are 5 name servers in the workbench, a number of different
zones (currently, all servers are serving all zones, provided that we are able
to load them into the name server).

Note that the zone names may change in the near future, as the naming
conventions might be modified while we are adding scenarios.

If you see any problems with the workbench, or have any suggestions, please
contact us (sidnlabs@sidn.nl). The workbench is available on GitHub.


SERVERS

The following servers, all open source, are currently running (for now all as
Ubuntu 22.04 packages, except for Yadifa, because of bugs that made it crash
often):
 * bind9.sidnlabs.nl (BIND 9.18.1)
   * IPv4: 94.198.159.39
   * IPv6: 2a00:d78::712:94:198:159:39
 * knot.sidnlabs.nl (Knot 3.1.6)
   * IPv4: 94.198.159.27
   * IPv6: 2a00:d78::712:94:198:159:27
 * nsd4.sidnlabs.nl (NSD 4.3.9)
   * IPv4: 94.198.159.33
   * IPv6: 2a00:d78::712:94:198:159:33
 * powerdns.sidnlabs.nl (PowerDNS 4.5.3 with SQLite3 backend)
   * IPv4: 94.198.159.26
   * IPv6: 2a00:d78::712:94:198:159:26
 * yadifa.sidnlabs.nl (Yadifa 2.6.3-10860)
   * IPv4: 94.198.159.28
   * IPv6: 2a00:d78::712:94:198:159:28

At this time, the DNS workbench offers the followings tests:

RR types: Zonefiles with many different RRtypes, including obsolete and exotic
ones, in a signed an an unsigned format. DNSSEC validator testing: A DNS tree
with deliberate errors in the DNSSEC chain(s), to test validating rrsolvers.
Delegations: A DNS tree with delegations. Transfers and TSIG: Transfering and
using/testing TSIG support.

There are also a few other zones: apexcname.wb.sidnlabs.nl,
nsec3-opt-out.wb.sidnlabs.nl and wildcards-nsec3.wb.sidnlabs.nl that don't fit
in any of the categories and where added as per request.


ROADMAP

We intend to continually expand the workbench with different scenarios as we
come up with them. A few short-term goals:
 * ✔ Add delegations between the different servers
 * ✔ Add zones (or names) with other 'things' than rr types (wildcards, empty
   non-terminals, etc.)
 * Add more scenarios to the deliberately broken DNSSEC zones
 * Add zones with different signing parameters (like newer algorithms such as
   Ed25519
 * ✔ (but ongoing) Add even more RRtypes
 * Something with IDN's
 * Add zones signed with different signers
 * [Your proposal here!]

The biggest challenge here is not to set them up, but to make them consistent,
predictable, and easily maintainable, currently we are looking into that.


KNOWN ISSUES

We are aware of a number of issues and hope to work on them soon. If you find
more, just let us know.

types[-signed].wb.sidnlabs.nl won't AXFR from PowerDNS. Could be a bug in
PowerDNS - will investigate further. Yadifa parses zonefile incorrectly; the TTL
is 60 (as in the RRSIG), not 3600. TTL is 60, not 3600 (look carefully at dig
+dnssec SOA txt.ent.wildcards-nsec3.wb.sidnlabs.nl @yadifa.sidnlabs.nl to
reproduce. nods badzone is not really without a DS as it should be. This is
because of a known, but not yet solved bug. We are in the process of fixing
this. UPDATE: might be fixed, now testing. Yadifa leaves out NSEC in reply.
Reproduce with: dig +dnssec A txt.ent.wildcards-nsec3.wb.sidnlabs.nl
@yadifa.sidnlabs.nl. Yadifa tends to crash occasionally. A systemd drop-in now
automatically restarts it, but this doesn't solve the underlying problem.
UPDATE: reported to developers and appearantly fixed in 2.3.9-8497, which we are
now testing. nsec3-opt-out.wb.sidnlabs.nl has some DNSviz errors. Related to
Yadifa crashes. No TSIG's on PowerDNS and Yadifa. Not a bug, but a known issue
and a 'todo'. Have to find some time for it. types[-signed].wb.sidnlabs.nl might
have to be updated. Not a bug either. Some newer RRtypes might have been
defined, since we created that zone. Have to incorporate some of these new types
maybe. Will look into that soon. Your issue here? Just let us know!

--------------------------------------------------------------------------------

DISCLAIMER

This is a beta service, provided to you by SIDN Labs on a best effort basis. Its
setup can change at any moment, without prior warning. It is not advisable to
depend on this service for any (automated) service or system without consulting
us beforehand. If you encounter any problems with the software or service, feel
free to contact us at: SIDN Labs, the R&D team of SIDN. We would also be very
much interested if you have used the workbench, or if you are still missing
something that would make it useful for you. So please let us know!




--------------------------------------------------------------------------------

Sections: Main | RRtypes | DNSSEC validator testing | Delegations | Transfers
and TSIG