Root DNSSEC Design Team                                       D. Wessels
                                                                VeriSign
                                                               D. Knight
                                                                   ICANN
                                                        January 26, 2010


                      Resolver Testing with a DURZ

Abstract

   This document describes the results of testing popular DNS resolvers
   with a Deliberately-Unvalidatable Root Zone (DURZ).

Table of Contents

   1.  Introduction
   2.  Environment
     2.1.  Authoritative Software
     2.2.  Resolver Software
   3.  Methodology
   4.  Results
   Appendix A.  Acknowledgements
   Authors' Addresses

Wessels & Knight                                                [Page 1]

1.  Introduction

   This document describes the results of testing popular DNS resolvers
   with a Deliberately-Unvalidatable Root Zone (DURZ).

2.  Environment

   Tests were performed on DNS-OARC's testbed.  Virtual servers were
   configured as DNS root nameservers, top-level nameservers for COM and
   NET, and second-level nameservers for EXAMPLE.COM and EXAMPLE.NET.

2.1.  Authoritative Software

   We used both BIND-9.6.2b1 and NSD-3.2.4 as authoritative software for
   the root nameservers.  For a particular test, all root servers were
   configured to run the same software, either all BIND or all NSD.  In
   other words, there were no tests with mixed BIND/NSD.

2.2.  Resolver Software

   The following resolver software versions were tested:

   o  BIND 8.4.7
   o  BIND 9.2.9rc1
   o  BIND 9.3.6rc1
   o  BIND 9.4.3rc1
   o  BIND 9.5.2rc1
   o  BIND 9.6.2b1
   o  BIND 9.7.0rc1
   o  dnscache 1.05
   o  PowerDNS Recursor 3.1.7.2
   o  Unbound 1.3.3
   o  Unbound 1.4.1
   o  Vantio 4.2.0.0 (aka Nominum CNS)
   o  Windows Server 2003
   o  Windows Server 2008

3.  Methodology

   Test execution is scripted to automatically start the appropriate
   nameserver software (both authoritative and resolver).  This ensures
   that resolvers always have an empty cache at the start of each test.

   A Perl script is used to send queries to the resolver under test.
   The same script also sends queries to the testbed root servers to
   verify they are all running the correct software and serving the
   DURZ zone.  If the Perl script finds any discrepancies, it reports
   the error and exits with a non-zero status.

   The sequence of queries is as follows:

   1.  Send VERSION.BIND/TXT/CH queries to all roots
   2.  Send ./DNSKEY/IN queries to all roots
   3.  Send an EXAMPLE.COM/IN/A query to the resolver under test
   4.  Pause for 1 second
   5.  Send an EXAMPLE.NET/IN/A query to the resolver under test
   6.  Send a VERSION.BIND/TXT/CH query to the resolver under test

4.  Results

   We did not discover any problems in these tests.  All resolvers that
   we tested correctly handled responses from DURZ-enabled root
   nameservers running both BIND and NSD.

         +------------------------------------------------+
         |       DURZ on Roots running BIND-9.6.2b1       |
         +-------------------------------------+----------+
         | RESOLVER                            | RESULT   |
         +-------------------------------------+----------+
         | BIND 8.4.7                          | PASSED   |
         | BIND 9.2.9rc1                       | PASSED   |
         | BIND 9.3.6rc1                       | PASSED   |
         | BIND 9.4.3rc1                       | PASSED   |
         | BIND 9.5.2rc1                       | PASSED   |
         | BIND 9.6.2b1                        | PASSED   |
         | BIND 9.7.0rc1                       | PASSED   |
         | dnscache 1.05                       | PASSED   |
         | PowerDNS Recursor 3.1.7.2           | PASSED   |
         | Unbound 1.3.3                       | PASSED   |
         | Unbound 1.4.1                       | PASSED   |
         | Vantio 4.2.0.0 (aka Nominum CNS)    | PASSED   |
         | Windows Server 2003                 | PASSED   |
         | Windows Server 2008                 | PASSED   |
         +-------------------------------------+----------+

                                 Figure 1

         +------------------------------------------------+
         |        DURZ on Roots running NSD-3.2.4         |
         +-------------------------------------+----------+
         | RESOLVER                            | RESULT   |
         +-------------------------------------+----------+
         | BIND 8.4.7                          | PASSED   |
         | BIND 9.2.9rc1                       | PASSED   |
         | BIND 9.3.6rc1                       | PASSED   |
         | BIND 9.4.3rc1                       | PASSED   |
         | BIND 9.5.2rc1                       | PASSED   |
         | BIND 9.6.2b1                        | PASSED   |
         | BIND 9.7.0rc1                       | PASSED   |
         | dnscache 1.05                       | PASSED   |
         | PowerDNS Recursor 3.1.7.2           | PASSED   |
         | Unbound 1.3.3                       | PASSED   |
         | Unbound 1.4.1                       | PASSED   |
         | Vantio 4.2.0.0 (aka Nominum CNS)    | PASSED   |
         | Windows Server 2003                 | PASSED   |
         | Windows Server 2008                 | PASSED   |
         +-------------------------------------+----------+

                                 Figure 2

Appendix A.  Acknowledgements

   The authors gratefully acknowledge DNS-OARC for use of its DNS
   testbed and Internet Systems Consortium for more-than-usual remote
   hands assistance getting Windows installed.

Authors' Addresses

   Duane Wessels
   VeriSign Inc.
   21345 Ridgetop Circle
   Dulles, VA  20166-6503
   USA

   Email: duane.wessels@verisign.com


   Dave Knight
   ICANN
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA  90292
   US

   Email: dave.knight@icann.org
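   The query sequence of Section 3, and the root-consistency check the
   test script performs before querying the resolver, as an added Python
   example.  This is not the authors' Perl script: it builds the queries
   in DNS wire format with the standard library only, parses the
   answers, and flags a root that reports an unexpected VERSION.BIND
   string or serves no DNSKEY at the apex (the two conditions under
   which the original script exits non-zero).  The responses embedded
   below are constructed fixtures, the version strings and the
   placeholder DNSKEY are assumptions, and send_udp, which needs network
   access to a real testbed, is not exercised offline.

```python
"""Query sequence and root-consistency check for a DURZ resolver test."""
import socket
import struct

TYPE_A, TYPE_TXT, TYPE_DNSKEY = 1, 16, 48
CLASS_IN, CLASS_CH = 1, 3

# Section 3 sequence: (target, qname, qtype, qclass, recursion desired).
# Roots are queried without RD, the resolver under test with RD; in a
# live run a time.sleep(1) separates the two resolver A queries.
SEQUENCE = [
    ("roots", "version.bind", TYPE_TXT, CLASS_CH, False),
    ("roots", ".", TYPE_DNSKEY, CLASS_IN, False),
    ("resolver", "example.com", TYPE_A, CLASS_IN, True),
    ("resolver", "example.net", TYPE_A, CLASS_IN, True),
    ("resolver", "version.bind", TYPE_TXT, CLASS_CH, True),
]

def encode_name(name):
    """Wire-format a dotted name; "." becomes the single empty root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):  # hop bound guards against pointer loops
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer into the message
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return (".".join(labels) + "." if labels else "."), (off if end is None else end)

def build_query(qname, qtype, qclass, txid=0x1234, rd=True):
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def parse_response(msg):
    """Return (txid, flags, answers); answers are (name, type, class, ttl, rdata)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return txid, flags, answers

def check_root(version_resp, dnskey_resp, expected_version):
    """Return discrepancies for one root; an empty list means it passes."""
    problems, answers = [], {}
    for label, resp in (("version.bind", version_resp), ("./DNSKEY", dnskey_resp)):
        _, flags, answers[label] = parse_response(resp)
        if flags & 0x000F:
            problems.append(f"{label}: RCODE {flags & 0x000F}")
        if not flags & 0x0400:  # a root must answer authoritatively
            problems.append(f"{label}: AA bit not set")
    versions = [r[4][1:1 + r[4][0]].decode("ascii", "replace")
                for r in answers["version.bind"] if r[1] == TYPE_TXT]
    if versions != [expected_version]:
        problems.append(f"version.bind: got {versions}, expected {expected_version!r}")
    if not any(r[0] == "." and r[1] == TYPE_DNSKEY for r in answers["./DNSKEY"]):
        problems.append("./DNSKEY: no DNSKEY at the apex, root is not serving a signed zone")
    return problems

def send_udp(server, packet, timeout=2.0):
    """Send one query over UDP/53 and return the raw reply (needs the testbed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recvfrom(4096)[0]

def build_response(query, answers, aa=True, rcode=0):
    """Constructed authoritative reply for offline use; echoes the question."""
    txid = struct.unpack("!H", query[:2])[0]
    body = query[12:]
    for name, rtype, rclass, ttl, rdata in answers:
        body += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0) + body

def txt_rdata(s):
    return bytes([len(s)]) + s.encode("ascii")

# Constructed fixtures, not captured traffic.  Version strings are assumed;
# the DNSKEY is a placeholder KSK (flags 257, protocol 3, algorithm 8).
Q_VERSION = build_query("version.bind", TYPE_TXT, CLASS_CH, rd=False)
Q_DNSKEY = build_query(".", TYPE_DNSKEY, CLASS_IN, rd=False)
GOOD_VERSION = build_response(Q_VERSION, [("version.bind.", TYPE_TXT, CLASS_CH, 0, txt_rdata("9.6.2b1"))])
WRONG_VERSION = build_response(Q_VERSION, [("version.bind.", TYPE_TXT, CLASS_CH, 0, txt_rdata("NSD 3.2.4"))])
GOOD_DNSKEY = build_response(Q_DNSKEY, [(".", TYPE_DNSKEY, CLASS_IN, 86400,
                                         struct.pack("!HBB", 257, 3, 8) + b"\x03\x01\x00\x01" + b"\x00" * 16)])
UNSIGNED = build_response(Q_DNSKEY, [])

if __name__ == "__main__":
    print("good root  :", check_root(GOOD_VERSION, GOOD_DNSKEY, "9.6.2b1"))
    print("wrong build:", check_root(WRONG_VERSION, GOOD_DNSKEY, "9.6.2b1"))
    print("unsigned   :", check_root(GOOD_VERSION, UNSIGNED, "9.6.2b1"))
```

   Against a live testbed, the same check runs once per root server
   (send_udp with Q_VERSION and Q_DNSKEY for each root address), and the
   run aborts on the first non-empty result; only then are the resolver
   queries in SEQUENCE sent.  Checking AA on both answers matters because
   a root that was accidentally started as a forwarder would still return
   plausible data without being authoritative for the DURZ.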