SIDN Labs DNS Workbench - Main menu
Update: 2020-11-12: We have changed the way the bad-dnssec tree works. It is now the zones themselves that have
the conditions applied (bogus signature, signature expired, etc.). The delegation to such zones used to have the
condition applied as well, but this is no longer the case. See the DNSSEC validator testing page for more
This update also solves the issue of 'unknownalgorithm' zones, which used to result in bogus when validating,
and should now correctly get the status 'insecure' instead of 'bogus'.
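A validator's verdict on such a zone (secure, insecure or bogus) can be read from two dig runs against the resolver under test, one normal and one with `+cd`. The script below is an added example, not SIDN Labs code; the dig header excerpts are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: derive a validating resolver's verdict from dig output.
# The dig headers below are constructed samples, not workbench captures.

# Print the RCODE from dig's ->>HEADER<<- line.
header_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the given flag (e.g. ad) appears on dig's ";; flags:" line.
has_flag() {
  printf '%s\n' "$1" | grep -Eq "^;; flags:[^;]* $2[ ;]"
}

# classify NORMAL CD
#   NORMAL: output of `dig +dnssec NAME @resolver`
#   CD:     output of `dig +dnssec +cd NAME @resolver` (checking disabled)
classify() {
  rc=$(header_status "$1")
  rc_cd=$(header_status "$2")
  if [ "$rc" = SERVFAIL ]; then
    # Bogus only if the data is retrievable once validation is switched off;
    # otherwise the failure cannot be attributed to DNSSEC.
    case "$rc_cd" in
      NOERROR|NXDOMAIN) echo bogus ;;
      *) echo unreachable ;;
    esac
  elif has_flag "$1" ad; then
    echo secure
  else
    echo insecure
  fi
}

# Constructed header excerpts (status line plus flags line).
OK_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
OK_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
OK_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1003
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1004
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

echo "unknownalgorithm zone: $(classify "$OK_NOAD" "$OK_CD")"
echo "expired signature:     $(classify "$FAIL" "$OK_CD")"
echo "correctly signed zone: $(classify "$OK_AD" "$OK_CD")"
echo "resolver outage:       $(classify "$FAIL" "$FAIL")"
```

A resolver that still reports bogus for an 'unknownalgorithm' zone would show SERVFAIL on the normal query and NOERROR with `+cd`.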
The SIDN Labs DNS workbench is a set of different nameservers that
run a known set of configurations and zones. In general, the goal is
to be able to send a specific query to different implementations and
see the difference in their responses, if any.
The idea behind the workbench is that, without having to set up an
entire infrastructure yourself, you can quickly find answers to
questions such as 'How does NSD4 respond to an ANY query for a wildcard
name in an NSEC3 opt-out zone?' It can also be used to test different
(validating) resolvers on their behaviour in certain circumstances.
Note: This is a work in progress. Server names, zone names and contents may change in the near future. If you see something you don't expect, always check these pages first.
At this moment, there are 5 name servers in the workbench and
a number of different zones (currently, all servers are serving all
zones, provided that we are able to load them into the name server).
Note that the zone names may change in the near future, as the naming conventions might be modified while we are adding scenarios.
If you see any problems with the workbench, or have any suggestions,
please contact us (firstname.lastname@example.org). The workbench is available on
The following servers, all open source, are currently running (for now all as Ubuntu 20.04 packages, except for
Yadifa, because of bugs that made it crash often):
- bind9.sidnlabs.nl (BIND 9.16.1)
  - IPv4: 18.104.22.168
  - IPv6: 2a00:d78::712:94:198:159:39
- knot.sidnlabs.nl (Knot 2.7.8)
  - IPv4: 22.214.171.124
  - IPv6: 2a00:d78::712:94:198:159:27
- nsd4.sidnlabs.nl (NSD 4.1.26)
  - IPv4: 126.96.36.199
  - IPv6: 2a00:d78::712:94:198:159:33
- powerdns.sidnlabs.nl (PowerDNS 4.2.1 with SQLite3 backend)
  - IPv4: 188.8.131.52
  - IPv6: 2a00:d78::712:94:198:159:26
- yadifa.sidnlabs.nl (Yadifa 2.5.4-10432)
  - IPv4: 184.108.40.206
  - IPv6: 2a00:d78::712:94:198:159:28
At this time, the DNS workbench offers the following tests:
||Zonefiles with many different RRtypes, including obsolete and exotic ones, in a signed and an unsigned format.
|DNSSEC validator testing:
||A DNS tree with deliberate errors in the DNSSEC chain(s), to test validating resolvers.
||A DNS tree with delegations.
|Transfers and TSIG:
||Transferring and using/testing TSIG support.
There are also a few other zones, such as apexcname.wb.sidnlabs.nl,
that don't fit in any of the categories and were added on request.
We intend to continually expand the workbench with different scenarios
as we come up with them. A few short-term goals:
- Add delegations between the different servers
- Add zones (or names) with other 'things' than RR types (wildcards, empty non-terminals, etc.)
- Add more scenarios to the deliberately broken DNSSEC zones
- Add zones with different signing parameters (like newer algorithms such as Ed25519)
- ✔ (but ongoing) Add even more RRtypes
- Something with IDNs
- Add zones signed with different signers
- [Your proposal here!]
The biggest challenge here is not to set them up, but to make them
consistent, predictable, and easily maintainable. We are currently
looking into that.
We are aware of a number of issues and hope to work on them soon. If you find more,
just let us know.
|types[-signed].wb.sidnlabs.nl won't AXFR from PowerDNS.
||Could be a bug in PowerDNS - will investigate further.
|Yadifa parses zonefile incorrectly; the TTL is 60 (as in the RRSIG), not 3600.
||TTL is 60, not 3600 (look carefully at
dig +dnssec SOA txt.ent.wildcards-nsec3.wb.sidnlabs.nl @yadifa.sidnlabs.nl to reproduce.
|nods badzone is not really without a DS as it should be. This is because of a known, but not yet solved bug.
||We are in the process of fixing this. UPDATE: might be fixed, now testing.
|Yadifa leaves out NSEC in reply.
||dig +dnssec A txt.ent.wildcards-nsec3.wb.sidnlabs.nl @yadifa.sidnlabs.nl.
|Yadifa tends to crash occasionally.
||A systemd drop-in now automatically restarts it, but this doesn't solve the underlying problem. UPDATE: reported to developers and apparently fixed in 2.3.9-8497, which we are now testing.
|nsec3-opt-out.wb.sidnlabs.nl has some DNSviz errors.
||Related to Yadifa crashes.
|No TSIG's on PowerDNS and Yadifa.
||Not a bug, but a known issue and a 'todo'. Have to find some time for it.
|types[-signed].wb.sidnlabs.nl might have to be updated.
||Not a bug either. Some newer RRtypes might have been defined, since we created
that zone. Have to incorporate some of these new types maybe. Will look into
|Your issue here?
||Just let us know!
This is a beta service, provided to you by SIDN Labs on a best effort basis.
Its setup can change at any moment, without prior warning.
It is not advisable to depend on this service for any
(automated) service or system without consulting us beforehand.
If you encounter any problems with the software or service, feel free to
contact us at: SIDN Labs, the R&D team of
. We would also be very much interested if you have used the workbench,
or if you are still missing something that would make it useful for you. So please let us know!