Meet our new tool - Zonemaster

Together with colleagues at our French counterpart Afnic, we at .SE have developed a successor to DNSCheck. Zonemaster is a program that helps check how well the DNS service works for a domain.

Our tool for testing DNS delegations, DNSCheck, has a long history. It started as a tool for .SE (NIC-SE) to test delegations and was developed by Patrik Fältström in 2003. The original is still at dnscheck.se. It was rewritten later by Jakob Schlyter and has been improved upon and changed since then. This is the form that we currently use for DNSCheck.

However, over time we have seen DNSCheck’s limitations in formal testing of DNS, and have considered various alternatives to rewriting the tool. When AFNIC, our French counterpart in charge of the .fr domain among others, was in the same situation with their tool Zonecheck, we saw an advantage to collaborating on a new tool.

An even better job

With our mission for ICANN, where we test the new generic top-level domains, we have a large number of test specifications for DNS. Since I wrote these test specifications for DNS for ICANN, I wanted to do a better job with this new tool, and for the first time we have really good specifications for how one tests DNS delegations. It is with these specifications that we started our cooperative work with AFNIC. We wanted to implement all functionality that existed in both Zonecheck and DNSCheck, and started documenting all of these requirements on both tests and functionality. When the requirements were ready, we could start writing detailed specifications for how the new software would behave, and exactly how and what it would test.

Master Test Plan

What we have today is thus a completely new tool, Zonemaster, with clear requirements and specifications for how we test DNS delegation. The test specifications are documented in a standard format for test specifications, IEEE 829-2008, but we have chosen to keep only those parts that are relevant for this area. The main document is thus a Master Test Plan, which then drills down into the different areas we test (addresses, reachability, syntax, DNSSEC, etc.) and finally reaches the level of detail of an individual Test Case. DNSSEC05 is a representative example.

There are several goals in documenting the tests in this way. The most important is that the user knows exactly what it is we are testing and why. But there are more reasons. We want Zonemaster to become the reference tool for tests of DNS in this way. So the next step will be to open up the process of test specifications, and the hope is that in the end we can get it through the IETF and publish it as a BCP (Best Current Practice) RFC.

Stable version released

All of the tests we specified are implemented in Zonemaster Engine. There are installation instructions for those who want to download and test the code. Zonemaster is stable and released in a version we call 2014.1. However, we have many things planned and more tests to specify and implement. A new area that is a little difficult to test, and that we have learned about through our work with ICANN, is the measurement of anycast networks. These types of measurements require that one tests from different locations on the internet to get a fair view of how DNS looks. No one today has described how best to test a delegation of this type. Maybe Zonemaster will be first?


About the blogger

Patrik Wallström, Project Manager for the Health Check and DNSSEC. Patrik is the person who saw to it that .se became the first national top-level domain in the world to be signed with DNSSEC and that IIS became the first to offer a commercial DNSSEC service. His background is as a network security consultant and he has long promoted open source code and free software.
