SIDN Labs DNS Workbench - Main menu

The SIDN Labs DNS workbench is a set of different nameservers that run a known set of configurations and zones; In general the goal is to be able to send a specific query to different implementations and see the difference in their responses, if any.

The idea behind the workbench is that, without having to set up an entire infrastructure yourself, you can quickly find answers to questions such as 'How does NSD4 respond to an ANY query for a wildcard name in an NSEC3 opt-out zone?' It can also be used to test different (validating) resolvers on their behaviour in certain circumstances.

Note: This is a work in progress. Server names, zone names and contents may change in the near future. If you see something you don't expect, always check these pages first.

At this moment, there are 5 name servers in the workbench, a number of different zones (currently, all servers are serving all zones, provided that we are able to load them into the name server).

Note that the zone names may change in the near future, as the naming conventions might be modified while we are adding scenarios.

If you see any problems with the workbench, or have any suggestions, please contact us (sidnlabs@sidn.nl). The workbench is available on GitHub.

Servers

The following servers, all open source, are currently running (for now all as Ubuntu 18.04 packages, except for Yadifa, because of bugs that made it crash often):
  • bind9.sidnlabs.nl (BIND 9.11.3)
    • IPv4: 94.198.159.39
    • IPv6: 2a00:d78::712:94:198:159:39
  • knot.sidnlabs.nl (Knot 2.6.5)
    • IPv4: 94.198.159.27
    • IPv6: 2a00:d78::712:94:198:159:27
  • nsd4.sidnlabs.nl (NSD 4.1.17)
    • IPv4: 94.198.159.33
    • IPv6: 2a00:d78::712:94:198:159:33
  • powerdns.sidnlabs.nl (PowerDNS 4.1.1 with SQLite3 backend)
    • IPv4: 94.198.159.26
    • IPv6: 2a00:d78::712:94:198:159:26
  • yadifa.sidnlabs.nl (Yadifa 2.3.7 2.3.9-8497)
    • IPv4: 94.198.159.28
    • IPv6: 2a00:d78::712:94:198:159:28

At this time, the DNS workbench offers the followings tests:

RR types: Zonefiles with many different RRtypes, including obsolete and exotic ones, in a signed an an unsigned format.
Validator testing: A DNS tree with deliberate errors in the DNSSEC chain(s), to test validating rrsolvers.
Delegations: A DNS tree with delegations.
Transfers and TSIG: Transfering and using/testing TSIG support.
There are also a few other zones: apexcname.wb.sidnlabs.nl, nsec3-opt-out.wb.sidnlabs.nl and wildcards-nsec3.wb.sidnlabs.nl that don't fit in any of the categories and where added as per request.

Roadmap

We intend to continually expand the workbench with different scenarios as we come up with them. A few short-term goals:
  • Add delegations between the different servers
  • Add zones (or names) with other 'things' than rr types (wildcards, empty non-terminals, etc.)
  • Add more scenarios to the deliberately broken DNSSEC zones
  • Add zones with different signing parameters (like newer algorithms such as Ed25519
  • ✔ (but ongoing) Add even more RRtypes
  • Something with IDN's
  • Add zones signed with different signers
  • [Your proposal here!]

The biggest challenge here is not to set them up, but to make them consistent, predictable, and easily maintainable, currently we are looking into that.

Known issues

We are aware of a number of issues and hope to work on them soon. If you find more, just let us know.
types[-signed].wb.sidnlabs.nl won't AXFR from PowerDNS. Could be a bug in PowerDNS - will investigate further.
Yadifa parses zonefile incorrectly; the TTL is 60 (as in the RRSIG), not 3600. TTL is 60, not 3600 (look carefully at dig +dnssec SOA txt.ent.wildcards-nsec3.wb.sidnlabs.nl @yadifa.sidnlabs.nl to reproduce.
nods badzone is not really without a DS as it should be. This is because of a known, but not yet solved bug. We are in the process of fixing this. UPDATE: might be fixed, now testing.
Yadifa leaves out NSEC in reply. Reproduce with: dig +dnssec A txt.ent.wildcards-nsec3.wb.sidnlabs.nl @yadifa.sidnlabs.nl.
Yadifa tends to crash occasionally. A systemd drop-in now automatically restarts it, but this doesn't solve the underlying problem. UPDATE: reported to developers and appearantly fixed in 2.3.9-8497, which we are now testing.
nsec3-opt-out.wb.sidnlabs.nl has some DNSviz errors. Related to Yadifa crashes.
No TSIG's on PowerDNS and Yadifa. Not a bug, but a known issue and a 'todo'. Have to find some time for it.
types[-signed].wb.sidnlabs.nl might have to be updated. Not a bug either. Some newer RRtypes might have been defined, since we created that zone. Have to incorporate some of these new types maybe. Will look into that soon.
Your issue here? Just let us know!

Disclaimer

This is a beta service, provided to you by SIDN Labs on a best effort basis. Its setup can change at any moment, without prior warning. It is not advisable to depend on this service for any (automated) service or system without consulting us beforehand. If you encounter any problems with the software or service, feel free to contact us at: SIDN Labs, the R&D team of SIDN. We would also be very much interested if you have used the workbench, or if you are still missing something that would make it useful for you. So please let us know!