The SIDN Labs DNS workbench is a set of different nameservers that run a known set of configurations and zones; In general the goal is to be able to send a specific query to different implementations and see the difference in their responses, if any.
The idea behind the workbench is that, without having to set up an entire infrastructure yourself, you can quickly find answers to questions such as 'How does NSD4 respond to an ANY query for a wildcard name in an NSEC3 opt-out zone?' It can also be used to test different (validating) resolvers on their behaviour in certain circumstances.
Note: This is a work in progress. Server names, zone names and contents may change in the near future. If you see something you don't expect, always check these pages first.
At this moment, there are 5 name servers in the workbench, a number of different zones (currently, all servers are serving all zones, provided that we are able to load them into the name server).
Note that the zone names may change in the near future, as the naming conventions might be modified while we are adding scenarios.
If you see any problems with the workbench, or have any suggestions, please contact us (sidnlabs@sidn.nl). The workbench is available on GitHub.At this time, the DNS workbench offers the followings tests:
RR types: | Zonefiles with many different RRtypes, including obsolete and exotic ones, in a signed an an unsigned format. |
DNSSEC validator testing: | A DNS tree with deliberate errors in the DNSSEC chain(s), to test validating rrsolvers. |
Delegations: | A DNS tree with delegations. |
Transfers and TSIG: | Transfering and using/testing TSIG support. |
The biggest challenge here is not to set them up, but to make them consistent, predictable, and easily maintainable, currently we are looking into that.
types[-signed].wb.sidnlabs.nl won't AXFR from PowerDNS. | Could be a bug in PowerDNS - will investigate further. |
Yadifa parses zonefile incorrectly; the TTL is 60 (as in the RRSIG), not 3600. | TTL is 60, not 3600 (look carefully at dig +dnssec SOA txt.ent.wildcards-nsec3.wb.sidnlabs.nl @yadifa.sidnlabs.nl to reproduce. |
nods badzone is not really without a DS as it should be. This is because of a known, but not yet solved bug. | We are in the process of fixing this. UPDATE: might be fixed, now testing. |
Yadifa leaves out NSEC in reply. | Reproduce with: dig +dnssec A txt.ent.wildcards-nsec3.wb.sidnlabs.nl @yadifa.sidnlabs.nl . |
Yadifa tends to crash occasionally. | |
nsec3-opt-out.wb.sidnlabs.nl has some DNSviz errors. | Related to Yadifa crashes. |
No TSIG's on PowerDNS and Yadifa. | Not a bug, but a known issue and a 'todo'. Have to find some time for it. |
types[-signed].wb.sidnlabs.nl might have to be updated. | Not a bug either. Some newer RRtypes might have been defined, since we created that zone. Have to incorporate some of these new types maybe. Will look into that soon. |
Your issue here? | Just let us know! |