The DNSSEC Bad Tree is a recursively generated tree of DNSSEC-signed zones (under bad-dnssec.wb.sidnlabs.nl) that contains specific, deliberate signing errors, such as various invalid RRSIGs and an unknown algorithm number.
Based on the first label of the zone apex, a specific error condition is created by the signer for all DNSSEC records in that zone:
| First label | Error |
|---|---|
| ok | No error, the zone is valid |
| bogussig | The RRSIG records in this zone contain bogus signature data |
| nods | The DS record is missing in the parent zone |
| sigexpired | The RRSIG records have an expiration date in the past |
| signotincepted | The RRSIG records have an inception date in the future |
| unknownalgorithm | The zone is signed correctly (with a known algorithm), but the algorithm field is set to another value (200), which should cause validators to treat this zone as unsigned |
Some example zones (each leading to https://dnssec-analyzer.verisignlabs.com/):
All the addresses point back to this web server, so if you are using a validating resolver, the names containing only 'ok' labels should resolve, while any of the others should not.
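The following is an added example, not code from the SIDN Labs page or its signer: a small Python model of how a validating resolver's chain of trust reacts to the labels in the table above, walking a name from the apex downward. It assumes the RFC 4035 rules that a bogus zone makes every zone beneath it bogus, and that a delegation with no DS or with an unknown DS algorithm (the nods and unknownalgorithm labels) is insecure, meaning the answer is returned but not validated.

```python
# Added example (not from the SIDN Labs page): model the chain-of-trust
# outcome for a name in the DNSSEC Bad Tree from its labels alone.
BASE = "bad-dnssec.wb.sidnlabs.nl"

# Effect each label has on the zone it names, taken from the page's table.
# "bogus":    signatures fail, a validating resolver returns SERVFAIL.
# "insecure": no usable chain of trust (assumption: RFC 4035 treats a missing
#             DS or an unknown DS algorithm as an insecure delegation), so the
#             zone is treated as unsigned and answers come back unvalidated.
LABEL_EFFECT = {
    "ok": "secure",
    "bogussig": "bogus",
    "sigexpired": "bogus",
    "signotincepted": "bogus",
    "nods": "insecure",               # no DS in the parent zone
    "unknownalgorithm": "insecure",   # algorithm 200 is unknown to validators
}


def chain_status(name):
    """Return (status, zone) for a name under the Bad Tree.

    Labels are walked parent-first, the way a validator builds the chain of
    trust. The first zone whose label breaks the chain decides the outcome
    for everything beneath it; `zone` names that zone (or the leaf zone when
    the whole chain is secure).
    """
    name = name.rstrip(".").lower()
    if name != BASE and not name.endswith("." + BASE):
        raise ValueError(f"{name} is not under {BASE}")
    rel = name[: -len(BASE)].rstrip(".")
    labels = rel.split(".") if rel else []
    zone = BASE
    for label in reversed(labels):          # apex first, leaf last
        zone = f"{label}.{zone}"
        effect = LABEL_EFFECT.get(label)
        if effect is None:
            raise ValueError(f"unknown Bad Tree label: {label}")
        if effect != "secure":
            return effect, zone
    return "secure", zone


def should_resolve(name):
    """True when a validating resolver is expected to return the address."""
    return chain_status(name)[0] != "bogus"
```

Note that drill's chase in the session below walks leaf-first, so it reports the bogussig zone as the first error for ok.bogussig.sigexpired, while this parent-first model reports the sigexpired zone; both end in a bogus result.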
```
$ dig +short +cd AAAA bogussig.bad-dnssec.wb.sidnlabs.nl
2a00:d78:4:503:94:198:159:39
$ dig +short A bogussig.bad-dnssec.wb.sidnlabs.nl
$ drill -k ~/root.key -S ok.ok.ok.bad-dnssec.wb.sidnlabs.nl
;; Number of trusted keys: 1
;; Chasing: ok.ok.ok.bad-dnssec.wb.sidnlabs.nl. A

DNSSEC Trust tree:
ok.ok.ok.bad-dnssec.wb.sidnlabs.nl. (A)
|---ok.ok.ok.bad-dnssec.wb.sidnlabs.nl. (DNSKEY keytag: 17095 alg: 8 flags: 257)
|---ok.ok.ok.bad-dnssec.wb.sidnlabs.nl. (DS keytag: 17095 digest type: 2)
|---ok.ok.bad-dnssec.wb.sidnlabs.nl. (DNSKEY keytag: 57532 alg: 8 flags: 257)
|---ok.ok.bad-dnssec.wb.sidnlabs.nl. (DS keytag: 57532 digest type: 2)
|---ok.bad-dnssec.wb.sidnlabs.nl. (DNSKEY keytag: 60670 alg: 8 flags: 257)
|---ok.bad-dnssec.wb.sidnlabs.nl. (DS keytag: 60670 digest type: 2)
|---bad-dnssec.wb.sidnlabs.nl. (DNSKEY keytag: 27124 alg: 8 flags: 257)
|---bad-dnssec.wb.sidnlabs.nl. (DS keytag: 27124 digest type: 2)
|---wb.sidnlabs.nl. (DNSKEY keytag: 48378 alg: 8 flags: 256)
|---wb.sidnlabs.nl. (DNSKEY keytag: 44704 alg: 8 flags: 257)
|---wb.sidnlabs.nl. (DS keytag: 44704 digest type: 2)
|---sidnlabs.nl. (DNSKEY keytag: 20853 alg: 8 flags: 256)
|---sidnlabs.nl. (DNSKEY keytag: 52720 alg: 8 flags: 257)
|---sidnlabs.nl. (DS keytag: 52720 digest type: 2)
|---nl. (DNSKEY keytag: 62589 alg: 8 flags: 256)
|---nl. (DS keytag: 34112 digest type: 2)
|---. (DNSKEY keytag: 16749 alg: 8 flags: 256)
|---. (DNSKEY keytag: 19164 alg: 8 flags: 385)
|---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
;; Chase successful
$ drill -k ~/root.key -S ok.bogussig.sigexpired.bad-dnssec.wb.sidnlabs.nl
;; Number of trusted keys: 1
;; Chasing: ok.bogussig.sigexpired.bad-dnssec.wb.sidnlabs.nl. A

DNSSEC Trust tree:
ok.bogussig.sigexpired.bad-dnssec.wb.sidnlabs.nl. (A)
|---ok.bogussig.sigexpired.bad-dnssec.wb.sidnlabs.nl. (DNSKEY keytag: 20530 alg: 8 flags: 257)
|---ok.bogussig.sigexpired.bad-dnssec.wb.sidnlabs.nl. (DS keytag: 20530 digest type: 2)
|---bogussig.sigexpired.bad-dnssec.wb.sidnlabs.nl. (DNSKEY keytag: 52354 alg: 8 flags: 257)
|---bogussig.sigexpired.bad-dnssec.wb.sidnlabs.nl. (DS keytag: 52354 digest type: 2)
|---Bogus DNSSEC signature: bogussig.sigexpired.bad-dnssec.wb.sidnlabs.nl. 3599 IN RRSIG DS 8 6 3600 20300101000000 20190203115651 47452 sigexpired.bad-dnssec.wb.sidnlabs.nl. W/CqxDzuEnGFXNvniGbsOf/fKUYs1v6Y5imJJMnz6VU54OlAs6oPLN06tO+sms88UfJKrWjxP39yQdaELRe5FhlT23iTjpN4i76WrhsYh0t+c5eo0kz3WlEjNdABEd5hw+/AV8scZVY4Rw4oQSA4HVBT5EJ57/tOSwvcrUP8Kww=
For RRset: bogussig.sigexpired.bad-dnssec.wb.sidnlabs.nl. 3599 IN DS 52354 8 2 1d3611ab5379f854f0c25698d87cfc56649650c8ed75f28fe3ed2bd8698704a1
With key: sigexpired.bad-dnssec.wb.sidnlabs.nl. 3581 IN DNSKEY 257 3 8 AwEAAeI4JVRP/UjIUurNip/yvy2kju2xHQDePQ1DtTxEyZRw7XVzsGr9sWYju/vi7XWSyupIOqiZhiwiPAcG5KnfTMRSAZkylbjC4k5Kq9yBQF3XLCKg7wZMvnsCu5KC/nVS8Fma0F+5PFsfoqdExVVDG/0RFHZILTvIPRXcvG5BrmpB ;{id = 47452 (ksk), size = 1024b}
|---sigexpired.bad-dnssec.wb.sidnlabs.nl. (DNSKEY keytag: 47452 alg: 8 flags: 257)
|---sigexpired.bad-dnssec.wb.sidnlabs.nl. (DS keytag: 47452 digest type: 2)
|---DNSSEC signature has expired: sigexpired.bad-dnssec.wb.sidnlabs.nl. 41 IN RRSIG DS 8 5 3600 20180203115650 20170203115650 27124 bad-dnssec.wb.sidnlabs.nl. E+meqwes3ifXS6wwYjtdXUOfuYIxIJ/Zk1cM/Q3+H5oeaK84WRLNdw4DVV9zIOGD+fejqkN7XRCnHCGOZOPimOmzoVbZFcczXbGgVNQI6KnFniUUw1BAfO2b/2cjveDG/0pm5T5r7DDWCtmLq88PpbPPkIOB8XpV//xY+klcHBA=
For RRset: sigexpired.bad-dnssec.wb.sidnlabs.nl. 41 IN DS 47452 8 2 f4002b88b8c7e5464cb2075bc22b759bb22370892c5ecad050e4b7a3c6bdc75c
With key: bad-dnssec.wb.sidnlabs.nl. 3586 IN DNSKEY 257 3 8 AwEAAbeHydOpL2CMb2wYTQNE3akUXD05oeXDDpwjz9iH/O/VCFhxaWqtlDsWfjMFMShM+dCQYbCpaFvF+XjiKqyZfrt8b9WVEyimtUFAFHrJuHdBoZpkVfv4zfcGOAPlw0CUdU8dXJPEtw4ewXGs95kA0j2v1J6oEjfFuBAK1tysBnBF ;{id = 27124 (ksk), size = 1024b}
|---bad-dnssec.wb.sidnlabs.nl. (DNSKEY keytag: 27124 alg: 8 flags: 257)
|---bad-dnssec.wb.sidnlabs.nl. (DS keytag: 27124 digest type: 2)
|---wb.sidnlabs.nl. (DNSKEY keytag: 48378 alg: 8 flags: 256)
|---wb.sidnlabs.nl. (DS keytag: 44704 digest type: 2)
|---sidnlabs.nl. (DNSKEY keytag: 20853 alg: 8 flags: 256)
|---sidnlabs.nl. (DNSKEY keytag: 52720 alg: 8 flags: 257)
|---sidnlabs.nl. (DS keytag: 52720 digest type: 2)
|---nl. (DNSKEY keytag: 62589 alg: 8 flags: 256)
|---nl. (DNSKEY keytag: 34112 alg: 8 flags: 257)
|---nl. (DS keytag: 34112 digest type: 2)
|---. (DNSKEY keytag: 16749 alg: 8 flags: 256)
|---. (DNSKEY keytag: 19164 alg: 8 flags: 385)
|---. (DNSKEY keytag: 20326 alg: 8 flags: 257)
No trusted keys found in tree: first error was: Bogus DNSSEC signature
;; Chase failed.
```