Root DNSSEC Design Team Wessels
VeriSign
D. Knight
ICANN
January 26, 2010
Resolver Testing with a DURZ
Abstract
This document describes the results of testing popular DNS resolvers
with a Deliberately-Unvalidatable Root Zone (DURZ).
Table of Contents
1. Introduction
2. Environment
  2.1. Authoritative Software
  2.2. Resolver Software
3. Methodology
4. Results
Appendix A. Acknowledgements
Authors' Addresses
Wessels & Knight [Page 1]
Resolver Testing with a DURZ January 2010
1. Introduction
This document describes the results of testing popular DNS resolvers
with a Deliberately-Unvalidatable Root Zone (DURZ).
2. Environment
Tests were performed on DNS-OARC's testbed. Virtual servers were
configured as DNS root nameservers, top-level nameservers for COM and
NET, and second-level nameservers for EXAMPLE.COM and EXAMPLE.NET.
2.1. Authoritative Software
We used both BIND-9.6.2b1 and NSD-3.2.4 as authoritative software for
the root nameservers. For a particular test, all root servers were
configured to run the same software, either all BIND or all NSD. In
other words, there were no tests with mixed BIND/NSD.
2.2. Resolver Software
The following resolver software versions were tested:
o BIND 8.4.7
o BIND 9.2.9rc1
o BIND 9.3.6rc1
o BIND 9.4.3rc1
o BIND 9.5.2rc1
o BIND 9.6.2b1
o BIND 9.7.0rc1
o dnscache 1.05
o PowerDNS Recursor 3.1.7.2
o Unbound 1.3.3
o Unbound 1.4.1
o Vantio 4.2.0.0 (aka Nominum CNS)
o Windows Server 2003
o Windows Server 2008
3. Methodology
Test execution is scripted to automatically start the appropriate
nameserver software (both authoritative and resolver). This ensures
that resolvers always have an empty cache at the start of each test.
A Perl script is used to send queries to the resolver under test.
The same script also sends queries to the testbed root servers to
verify they are all running the correct software and serving the DURZ
zone. If the Perl script finds any discrepancies, it reports the
error and exits with a non-zero status. The sequence of queries is
as follows:
1. Send VERSION.BIND/TXT/CH queries to all roots
2. Send ./DNSKEY/IN queries to all roots
3. Send an EXAMPLE.COM/IN/A query to the resolver under test
4. Pause for 1 second
5. Send a EXAMPLE.NET/IN/A query to the resolver under test
6. Send a VERSION.BIND/TXT/CH query to the resolver under test
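An added example, not the authors' Perl script: a Python version of the
query sequence above, using only the standard library. The function
names, the injectable send/sleep parameters and the pass criterion
(NOERROR, not truncated, at least one answer) are assumptions of this
example.

```python
import secrets
import socket
import struct
import time

QTYPE = {"A": 1, "TXT": 16, "DNSKEY": 48}
QCLASS = {"IN": 1, "CH": 3}

def build_query(qid, name, qtype, qclass):
    """Encode a one-question query in RFC 1035 wire format (RD set)."""
    labels = [l for l in name.split(".") if l]  # "." has no labels
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    return (struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0) + qname
            + struct.pack("!2H", QTYPE[qtype], QCLASS[qclass]))

def check_reply(qid, data):
    """Return None for a usable answer, else a reason string."""
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", data[:12])
    if rid != qid or not flags & 0x8000:
        return "ID mismatch or not a response"
    rcode, tc = flags & 0x000F, flags >> 9 & 1
    bad = rcode or tc or not ancount  # assumed pass criterion, not the page's
    return "rcode=%d tc=%d answers=%d" % (rcode, tc, ancount) if bad else None

def udp_send(server, payload, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (server, 53))
        return s.recvfrom(4096)[0]

def plan(roots, resolver):
    """Steps 1-6 as (pause_before, server, name, type, class)."""
    steps = [(0, r, "version.bind", "TXT", "CH") for r in roots]
    steps += [(0, r, ".", "DNSKEY", "IN") for r in roots]
    return steps + [(0, resolver, "example.com", "A", "IN"),
                    (1, resolver, "example.net", "A", "IN"),
                    (0, resolver, "version.bind", "TXT", "CH")]

def run(roots, resolver, send=udp_send, sleep=time.sleep):
    failures = []  # an empty list means every step passed
    for pause, server, name, qtype, qclass in plan(roots, resolver):
        sleep(pause)
        qid = secrets.randbelow(1 << 16)
        try:
            reason = check_reply(qid, send(server, build_query(qid, name, qtype, qclass)))
        except (OSError, struct.error) as exc:  # timeout or short packet
            reason = "no usable reply (%s)" % exc
        if reason:
            failures.append("%s %s/%s/%s: %s" % (server, name, qtype, qclass, reason))
    return failures
```

Call run() with the addresses of your own testbed roots and resolver,
for example run(["192.0.2.1"], "192.0.2.53"), where the 192.0.2.0/24
addresses are documentation placeholders.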
4. Results
We did not discover any problems in these tests. All resolvers that
we tested correctly handled responses from DURZ-enabled root
nameservers running both BIND and NSD.
+------------------------------------------------+
|       DURZ on Roots running BIND-9.6.2b1       |
+-------------------------------------+----------+
| RESOLVER                            | RESULT   |
+-------------------------------------+----------+
| BIND 8.4.7                          | PASSED   |
| BIND 9.2.9rc1                       | PASSED   |
| BIND 9.3.6rc1                       | PASSED   |
| BIND 9.4.3rc1                       | PASSED   |
| BIND 9.5.2rc1                       | PASSED   |
| BIND 9.6.2b1                        | PASSED   |
| BIND 9.7.0rc1                       | PASSED   |
| dnscache 1.05                       | PASSED   |
| PowerDNS Recursor 3.1.7.2           | PASSED   |
| Unbound 1.3.3                       | PASSED   |
| Unbound 1.4.1                       | PASSED   |
| Vantio 4.2.0.0 (aka Nominum CNS)    | PASSED   |
| Windows Server 2003                 | PASSED   |
| Windows Server 2008                 | PASSED   |
+-------------------------------------+----------+
Figure 1
+------------------------------------------------+
|        DURZ on Roots running NSD-3.2.4         |
+-------------------------------------+----------+
| RESOLVER                            | RESULT   |
+-------------------------------------+----------+
| BIND 8.4.7                          | PASSED   |
| BIND 9.2.9rc1                       | PASSED   |
| BIND 9.3.6rc1                       | PASSED   |
| BIND 9.4.3rc1                       | PASSED   |
| BIND 9.5.2rc1                       | PASSED   |
| BIND 9.6.2b1                        | PASSED   |
| BIND 9.7.0rc1                       | PASSED   |
| dnscache 1.05                       | PASSED   |
| PowerDNS Recursor 3.1.7.2           | PASSED   |
| Unbound 1.3.3                       | PASSED   |
| Unbound 1.4.1                       | PASSED   |
| Vantio 4.2.0.0 (aka Nominum CNS)    | PASSED   |
| Windows Server 2003                 | PASSED   |
| Windows Server 2008                 | PASSED   |
+-------------------------------------+----------+
Figure 2
Appendix A. Acknowledgements
The authors gratefully acknowledge DNS-OARC for use of its DNS
testbed and Internet Systems Consortium for more-than-usual remote
hands assistance getting Windows installed.
Authors' Addresses
Duane Wessels
VeriSign Inc.
21345 Ridgetop Circle
Dulles, VA 20166-6503
USA
Email: duane.wessels@verisign.com
Dave Knight
ICANN
4676 Admiralty Way, Suite 330
Marina del Rey, CA 90292
US
Email: dave.knight@icann.org