SIDN Labs DNS Workbench - Main menu
The SIDN Labs DNS workbench is a set of different nameservers that run a known set of configurations and zones; In general the goal is to be able to send a specific query to different implementations and see the difference in their responses, if any.
The idea behind the workbench is that, without having to set up an entire infrastructure yourself, you can quickly find answers to questions such as 'How does NSD4 respond to an ANY query for a wildcard name in an NSEC3 opt-out zone?' It can also be used to test different (validating) resolvers on their behaviour in certain circumstances.
Note: This is a work in progress. Server names, zone names and contents may change in the near future. If you see something you don't expect, always check these pages first.
At this moment, there are 5 name servers in the workbench, a number of different zones (currently, all servers are serving all zones, provided that we are able to load them into the name server).
Note that the zone names may change in the near future, as the naming conventions might be modified while we are adding scenarios.
If you see any problems with the workbench, or have any suggestions, please contact us (sidnlabs@sidn.nl). The workbench is available on GitHub.Servers
The following servers, all open source, are currently running (for now all as Ubuntu 26.04 packages):- bind9.sidnlabs.nl (BIND9.20.18)
- IPv4: 94.198.159.39
- IPv6: 2a00:d78::712:94:198:159:39
- knot.sidnlabs.nl (Knot 3.5.3)
- IPv4: 94.198.159.27
- IPv6: 2a00:d78::712:94:198:159:27
- nsd4.sidnlabs.nl (NSD4.14.0)
- IPv4: 94.198.159.33
- IPv6: 2a00:d78::712:94:198:159:33
- powerdns.sidnlabs.nl (PowerDNS5.0.2 with SQLite3 backend)
- IPv4: 94.198.159.26
- IPv6: 2a00:d78::712:94:198:159:26
- yadifa.sidnlabs.nl (Yadifa 3.0.6)
- IPv4: 94.198.159.28
- IPv6: 2a00:d78::712:94:198:159:28
At this time, the DNS workbench offers the followings tests:
| RR types: | Zonefiles with many different RRtypes, including obsolete and exotic ones, in a signed an an unsigned format. |
| DNSSEC validator testing: | A DNS tree with deliberate errors in the DNSSEC chain(s), to test validating rrsolvers. |
| Delegations: | A DNS tree with delegations. |
| Transfers and TSIG: | Transfering and using/testing TSIG support. |
Roadmap
We intend to continually expand the workbench with different scenarios as we come up with them. A few short-term goals:- ✔
Add delegations between the different servers - ✔
Add zones (or names) with other 'things' than rr types (wildcards, empty non-terminals, etc.) - Add more scenarios to the deliberately broken DNSSEC zones
- Add zones with different signing parameters (like newer algorithms such as Ed25519
- ✔ (but ongoing) Add even more RRtypes
- Something with IDN's
- Add zones signed with different signers
- [Your proposal here!]
The biggest challenge here is not to set them up, but to make them consistent, predictable, and easily maintainable, currently we are looking into that.
Known issues
| Yadifa parses zonefile incorrectly; the TTL is 60 (as in the RRSIG), not 3600. | TTL is 60, not 3600 (look carefully at dig +dnssec SOA txt.ent.wildcards-nsec3.wb.sidnlabs.nl @yadifa.sidnlabs.nl to reproduce. |
| Yadifa tends to crash occasionally. | |
| nsec3-opt-out.wb.sidnlabs.nl has some DNSviz errors. | Related to Yadifa crashes. |
| No TSIG's on PowerDNS and Yadifa. | Not a bug, but a known issue and a 'todo'. Have to find some time for it. |
| types[-signed].wb.sidnlabs.nl might have to be updated. | Not a bug either. Some newer RRtypes might have been defined, since we created that zone. Have to incorporate some of these new types maybe. Will look into that soon. |
| Bind9 refuses to load wb.sidnlabs.nl zone. | Due to the use of deprected SHA-1 in wildcards-nsec3.wb.sidnlabs.nl/DS. Not a bug either. See RFC9905. |
| Your issue here? | Just let us know! |