On Mar 16, 2010, at 11:39 AM, Niobos wrote:

> On 2010-03-16 15:57, prock...@yahoo.com wrote:
>> I'm trying to figure out how many tests I need to run for an
>> individual product (layer 2, 3, 4, and 7) before I can say it is
>> completely DNSSEC compliant.
> By definition, any layer 2, 3 and 4 product is DNSSEC-agnostic:

Well, yes, kinda.

Unfortunately there are a large number of things like firewalls and consumer CPE that folks think of as layer 3/4 devices, but that do silly things like assume DNS is only UDP, or max out at 512 bytes or force DNS proxy mode.

While we could argue for hours about whether they are really only l3/l4 devices, it wouldn't change the fact that folks think of them as "routers".

ICANN SSAC / CORE released a report a while back: http://www.icann.org/en/committees/security/sac035.pdf and I know that I have seen a bunch of other more recent tests.

W

> DNS with
> or without SEC-extension is considered payload. If an L2, 3 or 4 device
> does work with DNS and doesn't work with DNSSEC, it's broken and needs
> replacement. For completeness: switches and routers are layer 2 and 3
> respectively.
>
> Layer 7 devices might be affected, since they may perform extensive
> checking on the DNS-content itself.
>
> To answer your question: 0 tests for layer 2, 3 and 4. To be "completely
> compliant", you'd need to run an infinite number of tests for layer 7
> devices. I'd test the different algorithms, including some very recent
> (RSASHA512) and different security statuses (bogus, insecure, secure).

> Niobos

--
"Beware that the most effective way for someone to decrypt your data may be with rubber hose." --- SSH 1.2.12 README


_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
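The two concrete test ideas in this exchange are Warren's middlebox failures (a "router" that assumes DNS is UDP-only, caps replies at 512 bytes, or strips EDNS0 in proxy mode) and Niobos's three validation statuses (secure, insecure, bogus). The script below is an added example, not code from this thread or from ISC: it builds an EDNS0 query with the DO bit set, parses a reply far enough to see the OPT record, TC, AD and RCODE, and reports the path problems a DNSSEC-unaware device would introduce. The replies it checks are constructed fixtures built in the script itself, and the finding strings and the SERVFAIL/CD=1 bogus heuristic are my own conventions, not anything the list defined. A real run would send `build_query()` to the resolver under test over UDP and then TCP and feed both answers to `path_findings()`.

```python
"""Offline DNSSEC path checker: EDNS0/DO handling, 512-byte truncation, and
secure/insecure/bogus status. Stdlib only; packet layout per RFC 1035 and
RFC 6891. All sample packets here are constructed test fixtures."""
import struct

DO_FLAG = 0x8000          # "DNSSEC OK" bit in the OPT TTL field (RFC 6891)
CLASSIC_UDP_MAX = 512     # pre-EDNS UDP payload limit (RFC 1035)
OPT = 41                  # OPT pseudo-RR type


def encode_name(name):
    """Wire-encode an owner name as uncompressed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, dnssec_ok=True, udp_size=4096):
    """Recursive query carrying an OPT RR that advertises udp_size and, if
    dnssec_ok, sets DO so RRSIG/NSEC records are returned."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # RD, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl = DO_FLAG if dnssec_ok else 0                                # ext-rcode|version|flags
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)


def build_response(txid, name, addrs, tc=False, ad=False, rcode=0,
                   edns=True, do=True, udp_size=4096):
    """Constructed reply fixture with A records and an optional OPT RR."""
    flags = 0x8180 | (0x0200 if tc else 0) | (0x0020 if ad else 0) | rcode
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rrs = b""
    for a in addrs:   # 0xC00C = compression pointer to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    if edns:
        rrs += b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_FLAG if do else 0, 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 1 if edns else 0)
    return header + question + rrs


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Extract the header bits and OPT details a DNSSEC test cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": txid, "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "answers": an, "edns": False, "do": False,
            "udp_size": CLASSIC_UDP_MAX, "length": len(data)}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        if off + 10 > len(data):       # counts claim more than the datagram holds
            break
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            info.update(edns=True, udp_size=rclass, do=bool(ttl & DO_FLAG))
    return info


def path_findings(query, response):
    """Flag the middlebox failures discussed in the thread (assumed wording)."""
    q, r = parse_response(query), parse_response(response)
    findings = []
    if q["edns"] and not r["edns"]:
        findings.append("EDNS0 OPT missing from reply: something on the path strips EDNS")
    if r["tc"]:
        if r["length"] <= CLASSIC_UDP_MAX and q["udp_size"] > CLASSIC_UDP_MAX:
            findings.append("truncated at 512 bytes despite advertising %d: retry over TCP" % q["udp_size"])
        else:
            findings.append("TC set: retry over TCP")
    if q["do"] and r["edns"] and not r["do"]:
        findings.append("DO bit cleared in reply: DNSSEC records will not be returned")
    return findings


def security_status(info, cd_retry=None):
    """secure = AD set; insecure = NOERROR without AD; bogus = SERVFAIL that
    turns into NOERROR when re-queried with CD=1 (assumed heuristic)."""
    if info["rcode"] == 2:
        if cd_retry is not None and cd_retry["rcode"] == 0:
            return "bogus"
        return "servfail (bogus or server problem; re-query with CD=1 to tell)"
    if info["rcode"] == 0:
        return "secure" if info["ad"] else "insecure"
    return "rcode %d" % info["rcode"]


if __name__ == "__main__":
    q = build_query("example.com", 1)
    cpe = build_response(0x1234, "example.com", ["192.0.2.%d" % i for i in range(1, 31)],
                         tc=True, edns=False)          # CPE proxy: no EDNS, cut at 512
    for line in path_findings(q, cpe):
        print(line)
```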
