
dnsviz's Introduction

DNSViz

Description

DNSViz is a tool suite for analysis and visualization of Domain Name System (DNS) behavior, including its security extensions (DNSSEC). This tool suite powers the Web-based analysis available at https://dnsviz.net/

Installation

DNSViz packages are available in repositories for popular operating systems, such as Debian, Ubuntu, Fedora, and FreeBSD, using their typical installation commands. DNSViz can also be installed on Mac OS X via Homebrew or MacPorts.

The remainder of this section covers other methods of installation, including a list of dependencies, installation to a virtual environment, and installation on RHEL 8 or 9, CentOS Stream 8 or 9, and RHEL 7.

Instructions for running in a Docker container are also available later in this document.

Dependencies

Note that earlier versions of the dependencies might also work with DNSViz, but with some caveats. For example, M2Crypto 0.28.0 and later will work, but versions of M2Crypto earlier than 0.38.0 lack support for DNSSEC algorithms 15 (Ed25519) and 16 (Ed448), so signatures made with those algorithms cannot be validated. Also, while DNSViz itself still works with Python 2.7, some of its dependencies have moved on: pygraphviz 1.6 and dnspython 2.0.0 dropped support for Python 2.7.

Optional Software

  • OpenSSL GOST Engine - https://github.com/gost-engine/engine

    With OpenSSL version 1.1.0 and later, the OpenSSL GOST Engine is necessary to validate DNSSEC signatures with algorithm 12 (GOST R 34.10-2001) and create digests of type 3 (GOST R 34.11-94).

  • ISC BIND - https://www.isc.org/bind/

    When using DNSViz for pre-deployment testing by specifying zone files and/or alternate delegation information on the command line (i.e., with -N, -x, or -D), named(8) is invoked to serve one or more zones. ISC BIND is only needed in this case, and named(8) does not need to be running (i.e., as a server).

    Note that the default AppArmor policy for named(8) on Debian is known to cause problems when DNSViz invokes named(8) for pre-deployment testing. The profile can be temporarily unloaded with the following (this affects every named(8) process on the host, not just the one DNSViz starts, so re-enable it as soon as testing is done):

    $ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.named
    

    After pre-deployment testing is finished, AppArmor for named(8) can be re-enabled with the following:

    $ sudo apparmor_parser /etc/apparmor.d/usr.sbin.named
    

Installation in a Virtual Environment

To install DNSViz to a virtual environment, first create and activate a virtual environment, and install the dependencies:

$ virtualenv ~/myenv
$ source ~/myenv/bin/activate
(myenv) $ pip install -r requirements.txt

Note that this installs the dependencies that are python packages, but some of these packages have non-python dependencies, such as Graphviz (required for pygraphviz), OpenSSL (required for M2Crypto), and swig (required for building either) that are not installed automatically.

Next, download and install DNSViz from the Python Package Index (PyPI):

(myenv) $ pip install dnsviz

or locally, from a downloaded or cloned copy of DNSViz:

(myenv) $ pip install .

RHEL 8/9 or CentOS Stream 8/9 -- RPM Build and Install

To build an RPM and install it on RHEL 8 or 9 or CentOS Stream 8 or 9, use the following instructions.

RHEL 8 and 9 only: Enable CodeReady Linux Builder and Extra Packages for Enterprise Linux (EPEL) with following:

$ sudo subscription-manager repos --enable codeready-builder-for-rhel-$(vers)-$(arch)-rpms
$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(vers).noarch.rpm

(where $(vers) refers to version, either 8 or 9, and $(arch) refers to the architecture, e.g., x86_64 or aarch64. If you are unsure, run sudo subscription-manager repos --list to show available options.)

CentOS Stream 8 or 9 only: Enable PowerTools or CodeReady Linux Builder and EPEL with the following:

$ sudo dnf config-manager --set-enabled $(tool)
$ sudo dnf install epel-release

(where $(tool) refers to the tool, either powertools for CentOS Stream 8 or crb for CentOS Stream 9.)

The remaining instructions are for RHEL 8 or 9 and CentOS Stream 8 or 9.

Install the tools for building an RPM, and set up the rpmbuild tree.

$ sudo dnf install rpm-build rpmdevtools make python3-devel python3-build
$ rpmdev-setuptree

From within the DNSViz source directory, create a source distribution tarball and copy it and the DNSViz spec file to the appropriate rpmbuild subdirectories.

$ python3 -m build
$ cp dist/dnsviz-*.tar.gz ~/rpmbuild/SOURCES/
$ cp contrib/dnsviz.spec ~/rpmbuild/SPECS/

Install dnspython, pygraphviz, and M2Crypto.

$ sudo dnf install python3-dns python3-pygraphviz python3-m2crypto

(Note that for RHEL 8 and CentOS Stream 8, the version of M2Crypto is 0.35. If you would like support for DNSSEC algorithms 15 (Ed25519) and 16 (Ed448), M2Crypto 0.38 or higher is required. Thus, if you want this functionality, you will need to install M2Crypto using pip3. For example, see installation to a virtual environment.)

Build and install the DNSViz RPM.

$ rpmbuild -ba ~/rpmbuild/SPECS/dnsviz.spec
$ sudo rpm -iv ~/rpmbuild/RPMS/noarch/dnsviz-*.noarch.rpm

RHEL 7 RPM Build and Install

Install pygraphviz, M2Crypto, and dnspython, after installing their build dependencies.

$ sudo yum install python3 gcc python3-devel graphviz-devel openssl-devel swig
$ pip3 install --user pbr m2crypto pygraphviz dnspython

Install rpm-build tools, then build and install the DNSViz RPM.

$ sudo yum install rpm-build
$ python3 setup.py bdist_rpm --install-script contrib/rpm-install.sh --distribution-name el7
$ sudo rpm -iv dist/dnsviz-*-1.noarch.rpm

Note that a custom install script is used to properly install the DNSViz man pages.

Usage

DNSViz is invoked using the dnsviz command-line utility. dnsviz itself uses several subcommands: probe, grok, graph, print, and query. See the man page associated with each subcommand, named dnsviz-<subcommand>(1) (e.g., "man dnsviz-probe"), for more detailed documentation and usage.

dnsviz probe

dnsviz probe takes one or more domain names as input and performs a series of queries to either recursive (default) or authoritative DNS servers, the results of which are serialized into JSON format.

Examples

Analyze the domain name example.com using your configured DNS resolvers (i.e., in /etc/resolv.conf) and store the queries and responses in the file named "example.com.json":

$ dnsviz probe example.com > example.com.json

Same thing:

$ dnsviz probe -o example.com.json example.com

Analyze the domain name example.com by querying its authoritative servers directly:

$ dnsviz probe -A -o example.com.json example.com

Analyze the domain name example.com by querying explicitly-defined authoritative servers, rather than learning the servers through referrals from the IANA root servers:

$ dnsviz probe -A \
  -x example.com:a.iana-servers.org=199.43.132.53,a.iana-servers.org=[2001:500:8c::53] \
  -x example.com:b.iana-servers.org=199.43.133.53,b.iana-servers.org=[2001:500:8d::53] \
  -o example.com.json example.com

Same, but have dnsviz probe resolve the names:

$ dnsviz probe -A \
  -x example.com:a.iana-servers.org,b.iana-servers.org \
  -o example.com.json example.com

Analyze the domain name example.com and its entire ancestry by querying authoritative servers and following delegations, starting at the root:

$ dnsviz probe -A -a . -o example.com.json example.com

Analyze multiple names in parallel (four threads) using explicit recursive resolvers (replace 192.0.2.1 and 2001:db8::1 with legitimate resolver addresses):

$ dnsviz probe -s 192.0.2.1,[2001:db8::1] -t 4 -o multiple.json \
  example.com sandia.gov verisignlabs.com dnsviz.net

dnsviz grok

dnsviz grok takes serialized query results in JSON format (i.e., output from dnsviz probe) as input and assesses specified domain names based on their corresponding content in the input. The output is also serialized into JSON format.

Examples

Process the query/response output produced by dnsviz probe, and store the serialized results in a file named "example.com-chk.json":

$ dnsviz grok < example.com.json > example.com-chk.json

Same thing:

$ dnsviz grok -r example.com.json -o example.com-chk.json example.com

Show only info-level information: descriptions, statuses, warnings, and errors:

$ dnsviz grok -l info -r example.com.json -o example.com-chk.json

Show descriptions only if there are related warnings or errors:

$ dnsviz grok -l warning -r example.com.json -o example.com-chk.json

Show descriptions only if there are related errors:

$ dnsviz grok -l error -r example.com.json -o example.com-chk.json

Use the root key as the DNSSEC trust anchor, to additionally indicate the authentication status of responses. The awk filter keeps only DNSKEY records whose flags field is odd, i.e., those with the SEP bit set (the key-signing keys). Because dig fetches these keys over an unauthenticated channel, compare them against the published root trust anchor (https://data.iana.org/root-anchors/) before relying on them:

$ dig +noall +answer . dnskey | awk '$5 % 2 { print $0 }' > tk.txt
$ dnsviz grok -l info -t tk.txt -r example.com.json -o example.com-chk.json
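The following is an added example, not code from DNSViz or its documentation, showing the check a practitioner should run on a trust-anchor file before passing it to -t (the same -t file is used below by dnsviz graph, dnsviz print, and dnsviz query +trusted-key). It parses DNSKEY records in the presentation format dig prints, keeps only SEP keys (what the awk '$5 % 2' test does), computes each key's key tag (RFC 4034, Appendix B) and SHA-256 DS digest (RFC 4509), and keeps a key only if it matches a DS record obtained out of band, such as the IANA root anchor or the DS set published by the parent zone. The sample DNSKEY records and the DS line built in the demo are constructed; their key material is placeholder bytes, not real keys.

```python
# Added example (not dnsviz code): vet a DNSKEY trust anchor before passing it
# to `dnsviz ... -t tk.txt`.  Reads DNSKEY records in the presentation format
# that `dig +noall +answer <zone> dnskey` prints, keeps only SEP keys (the
# README's awk '$5 % 2' filter), computes the RFC 4034 Appendix B key tag and
# the SHA-256 DS digest (RFC 4509), and accepts a key only if it matches a DS
# record obtained out of band (the IANA root anchor or the parent zone's DS set).
import base64
import hashlib

SEP_FLAG = 0x0001  # RFC 4034 section 2.1.1: Secure Entry Point bit of the flags field

# Constructed sample records; the key material is placeholder bytes, not real keys.
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 8 AQI="   # flags 257: SEP bit set
SAMPLE_ZSK = "example.com. 3600 IN DNSKEY 256 3 8 AwQ="   # flags 256: zone-signing key


def parse_dnskey(line):
    """Parse 'owner TTL class DNSKEY flags protocol algorithm base64...'."""
    fields = line.split()
    if len(fields) < 8 or fields[3].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record in presentation format: %r" % line)
    flags, protocol, algorithm = (int(x) for x in fields[4:7])
    # dig may split the base64 key material into several whitespace-separated chunks.
    pubkey = base64.b64decode("".join(fields[7:]))
    return {"owner": fields[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "pubkey": pubkey}


def is_sep(key):
    """True when the SEP bit is set (what the README's '$5 % 2' awk test checks)."""
    return bool(key["flags"] & SEP_FLAG)


def dnskey_rdata(key):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | public key."""
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]])
            + key["pubkey"])


def key_tag(key):
    """RFC 4034 Appendix B key tag.  Algorithm 1 (RSA/MD5) uses a different rule
    and is obsolete, so it is rejected rather than silently mis-tagged."""
    if key["algorithm"] == 1:
        raise ValueError("algorithm 1 key tags are not computed by this routine")
    ac = 0
    for i, b in enumerate(dnskey_rdata(key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminating zero octet."""
    name = name.lower().rstrip(".")
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("bad label length in %r" % name)
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def ds_sha256(key):
    """Digest-type-2 DS digest: SHA-256(owner name wire | DNSKEY RDATA), upper-case hex."""
    return hashlib.sha256(owner_wire(key["owner"]) + dnskey_rdata(key)).hexdigest().upper()


def matches_ds(key, ds_line):
    """Compare a DNSKEY against 'owner TTL class DS keytag alg digesttype digest'."""
    fields = ds_line.split()
    if len(fields) < 8 or fields[3].upper() != "DS":
        raise ValueError("not a DS record in presentation format: %r" % ds_line)
    tag, algorithm, digest_type = (int(x) for x in fields[4:7])
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) DS records are handled here")
    digest = "".join(fields[7:]).upper()
    return (tag == key_tag(key) and algorithm == key["algorithm"]
            and digest == ds_sha256(key))


def trusted_keys(dnskey_lines, ds_lines):
    """Return the DNSKEY lines that are SEP keys AND match one of the DS records.
    Write the result to tk.txt and pass it to dnsviz with -t."""
    keep = []
    for line in dnskey_lines:
        if not line.strip():
            continue
        key = parse_dnskey(line)
        if is_sep(key) and any(matches_ds(key, ds) for ds in ds_lines):
            keep.append(line)
    return keep


if __name__ == "__main__":
    ksk = parse_dnskey(SAMPLE_KSK)
    # Constructed for the demo; in practice the DS line comes from the parent
    # zone or the IANA root anchor file, never from the same dig output.
    ds_line = "example.com. 3600 IN DS %d %d 2 %s" % (key_tag(ksk), ksk["algorithm"], ds_sha256(ksk))
    for line in trusted_keys([SAMPLE_KSK, SAMPLE_ZSK], [ds_line]):
        print(line)
```

A key that fails the DS comparison is dropped silently from the trust-anchor file, so an attacker who could tamper with the dig response cannot get a key of their choosing into tk.txt; the failure then shows up in dnsviz as responses that are not authenticated, which is the behaviour you want.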

Pipe dnsviz probe output directly to dnsviz grok:

$ dnsviz probe example.com | \
      dnsviz grok -l info -o example.com-chk.json

Same thing, but save the raw output (for re-use) along the way:

$ dnsviz probe example.com | tee example.com.json | \
      dnsviz grok -l info -o example.com-chk.json

Assess multiple names at once with error level:

$ dnsviz grok -l error -r multiple.json -o multiple-chk.json

dnsviz graph

dnsviz graph takes serialized query results in JSON format (i.e., output from dnsviz probe) as input and assesses specified domain names based on their corresponding content in the input. The output is an image file, a dot (directed graph) file, or an HTML file, depending on the options passed.

Examples

Process the query/response output produced by dnsviz probe, and produce a graph visually representing the results in a png file named "example.com.png".

$ dnsviz graph -Tpng < example.com.json > example.com.png

Same thing:

$ dnsviz graph -Tpng -o example.com.png example.com < example.com.json

Same thing, but produce interactive HTML output in a file named "example.com.html":

$ dnsviz graph -Thtml < example.com.json > example.com.html

Same thing (filename is derived from domain name and output format):

$ dnsviz graph -Thtml -O -r example.com.json

Use alternate DNSSEC trust anchor:

$ dig +noall +answer example.com dnskey | awk '$5 % 2 { print $0 }' > tk.txt
$ dnsviz graph -Thtml -O -r example.com.json -t tk.txt

Pipe dnsviz probe output directly to dnsviz graph:

$ dnsviz probe example.com | \
      dnsviz graph -Thtml -O

Same thing, but save the raw output (for re-use) along the way:

$ dnsviz probe example.com | tee example.com.json | \
      dnsviz graph -Thtml -O

Process the analysis of multiple domain names, creating one output file per name processed:

$ dnsviz graph -Thtml -O -r multiple.json

Process the analysis of multiple domain names, creating a single file for all names:

$ dnsviz graph -Thtml -r multiple.json > multiple.html

dnsviz print

dnsviz print takes serialized query results in JSON format (i.e., output from dnsviz probe) as input and assesses specified domain names based on their corresponding content in the input. The output is textual output suitable for file or terminal display.

Examples

Process the query/response output produced by dnsviz probe, and output the results to the terminal:

$ dnsviz print < example.com.json

Use alternate DNSSEC trust anchor:

$ dig +noall +answer example.com dnskey | awk '$5 % 2 { print $0 }' > tk.txt
$ dnsviz print -r example.com.json -t tk.txt

Pipe dnsviz probe output directly to dnsviz print:

$ dnsviz probe example.com | \
      dnsviz print

Same thing, but save the raw output (for re-use) along the way:

$ dnsviz probe example.com | tee example.com.json | \
      dnsviz print

dnsviz query

dnsviz query is a wrapper that couples the functionality of dnsviz probe and dnsviz print into a tool with minimal dig-like usage, used to make analysis queries and return the textual output to terminal or file output in one go.

Examples

Analyze the domain name example.com using the first of your configured DNS resolvers (i.e., in /etc/resolv.conf):

$ dnsviz query example.com

Same, but specify an alternate trust anchor:

$ dnsviz query +trusted-key=tk.txt example.com

Analyze example.com through the recursive resolver at 192.0.2.1:

$ dnsviz query @192.0.2.1 +trusted-key=tk.txt example.com

Pre-Deployment DNS Testing

The examples in this section demonstrate usage of DNSViz for pre-deployment testing.

Pre-Delegation Testing

The following examples involve issuing diagnostic queries for a zone before it is ever delegated.

Issue queries against a zone file on the local system (example.com.zone). named(8) is invoked to serve the file locally:

$ dnsviz probe -A -x example.com+:example.com.zone example.com

(Note the use of "+", which designates that the parent servers should not be queried for DS records.)

Issue queries to a server that is serving the zone:

$ dnsviz probe -A -x example.com+:192.0.2.1 example.com

(Note that this server doesn't need to be a server in the NS RRset for example.com.)

Issue queries to the servers in the authoritative NS RRset, specified by name and/or address:

$ dnsviz probe -A \
      -x example.com+:ns1.example.com=192.0.2.1 \
      -x example.com+:ns2.example.com=192.0.2.1,ns2.example.com=[2001:db8::1] \
      example.com

Specify the names and addresses corresponding to the future delegation NS records and (as appropriate) A/AAAA glue records in the parent zone (com):

$ dnsviz probe -A \
      -N example.com:ns1.example.com=192.0.2.1 \
      -N example.com:ns2.example.com=192.0.2.1,ns2.example.com=[2001:db8::1] \
      example.com

Also supply future DS records:

$ dnsviz probe -A \
      -N example.com:ns1.example.com=192.0.2.1 \
      -N example.com:ns2.example.com=192.0.2.1,ns2.example.com=[2001:db8::1] \
      -D example.com:dsset-example.com. \
      example.com

Pre-Deployment Testing of Authoritative Zone Changes

The following examples involve issuing diagnostic queries for a delegated zone before changes are deployed.

Issue diagnostic queries for a new zone file that has been created but not yet been deployed (i.e., with changes to DNSKEY or other records):

$ dnsviz probe -A -x example.com:example.com.zone example.com

(Note the absence of "+", which designates that the parent servers will be queried for DS records.)

Issue queries to a server that is serving the new version of the zone:

$ dnsviz probe -A -x example.com:192.0.2.1 example.com

(Note that this server doesn't need to be a server in the NS RRset for example.com.)

Pre-Deployment Testing of Delegation Changes

The following examples involve issuing diagnostic queries for a delegated zone before changes are deployed to the delegation, glue, or DS records for that zone.

Specify the names and addresses corresponding to the new delegation NS records and (as appropriate) A/AAAA glue records in the parent zone (com):

$ dnsviz probe -A \
      -N example.com:ns1.example.com=192.0.2.1 \
      -N example.com:ns2.example.com=192.0.2.1,ns2.example.com=[2001:db8::1] \
      example.com

Also supply the replacement DS records:

$ dnsviz probe -A \
      -N example.com:ns1.example.com=192.0.2.1 \
      -N example.com:ns2.example.com=192.0.2.1,ns2.example.com=[2001:db8::1] \
      -D example.com:dsset-example.com. \
      example.com
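The following is an added example, not code from DNSViz or its documentation, that turns the pre-deployment procedure above and the dnsviz grok -l levels into a deployment gate: it builds the pre-delegation probe command for a local zone file (with the trailing "+" so the parent is not asked for DS records), runs grok over the probe output, and refuses the change if grok reports errors (or, for a rollover you expect to be clean, warnings). dnsviz grok emits JSON with findings stored in lists under "errors" and "warnings" keys, each carrying a "description"; the exact nesting of that JSON is treated as an assumption here, so the walker is schema-agnostic. The sample grok-like documents are constructed, with made-up codes and descriptions, so the gate can be exercised offline; the level passed to grok by grok_cmd is likewise this example's choice.

```python
# Added example (not dnsviz code): use `dnsviz probe` + `dnsviz grok` as a
# pre-deployment gate.  grok emits JSON; dnsviz stores findings in lists under
# "errors" and "warnings" keys, each item carrying a "description".  The exact
# nesting of that JSON is an assumption here, so the walker is schema-agnostic
# and collects every such list wherever it appears.
import json
import subprocess


def predelegation_probe_cmd(zone, zone_file, out="probe.json"):
    """argv for the README's pre-delegation probe of a local zone file.
    The '+' after the zone name tells dnsviz not to query the parent for DS."""
    return ["dnsviz", "probe", "-A", "-x", "%s+:%s" % (zone, zone_file),
            "-o", out, zone]


def grok_cmd(probe_file, level="warning"):
    """argv for grok reading the probe output; -l controls what is kept."""
    return ["dnsviz", "grok", "-l", level, "-r", probe_file]


def collect_findings(node, path="", found=None):
    """Walk grok JSON; return (severity, path, description) for every finding."""
    if found is None:
        found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = "%s/%s" % (path, key) if path else key
            if key in ("errors", "warnings") and isinstance(value, list):
                severity = key[:-1]  # "errors" -> "error", "warnings" -> "warning"
                for item in value:
                    if isinstance(item, dict):
                        desc = item.get("description", json.dumps(item))
                    else:
                        desc = str(item)
                    found.append((severity, path, desc))
            else:
                collect_findings(value, here, found)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            collect_findings(value, "%s[%d]" % (path, i), found)
    return found


def gate(grok_json, fail_on="error"):
    """Return (ok, findings).  fail_on="warning" also blocks on warnings,
    the right setting for a DS/DNSKEY rollover you expect to be clean."""
    findings = collect_findings(json.loads(grok_json))
    blocking = {"error"} if fail_on == "error" else {"error", "warning"}
    ok = not any(sev in blocking for sev, _, _ in findings)
    return ok, findings


def run_gate(zone, zone_file, fail_on="error"):
    """Probe a zone file that is not yet deployed, then grok the result.
    Needs dnsviz (and named(8), which dnsviz launches) installed; not run offline."""
    subprocess.run(predelegation_probe_cmd(zone, zone_file), check=True)
    grok = subprocess.run(grok_cmd("probe.json"), check=True,
                          capture_output=True, text=True)
    return gate(grok.stdout, fail_on)


# Constructed grok-like documents for offline use; codes and descriptions are made up.
SAMPLE_GROK = json.dumps({
    "example.com": {
        "status": "BOGUS",
        "delegation": {"ds": [{"description": "constructed DS entry",
                               "errors": [{"code": "EXAMPLE_ERROR",
                                           "description": "constructed error: DS does not match any DNSKEY"}],
                               "warnings": []}]},
        "queries": {"example.com/A": {"warnings": [
            {"code": "EXAMPLE_WARNING", "description": "constructed warning: TTL mismatch"}]}},
    }
})
WARN_ONLY_GROK = json.dumps({"example.com": {"queries": {"example.com/MX": {
    "errors": [], "warnings": [{"description": "constructed warning only"}]}}}})
CLEAN_GROK = json.dumps({"example.com": {"status": "SECURE", "errors": [], "warnings": []}})

if __name__ == "__main__":
    ok, findings = gate(SAMPLE_GROK)
    for severity, where, description in findings:
        print("%-7s %s: %s" % (severity, where, description))
    raise SystemExit(0 if ok else 1)
```

Run from CI with run_gate("example.com", "example.com.zone") before the zone file is pushed to the authoritative servers; for the delegation-change case, swap predelegation_probe_cmd for the -N/-D form shown above. The exit status makes the check usable as a pipeline step without parsing dnsviz output by hand.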

Docker Container

A ready-to-use Docker image is available:

$ docker pull dnsviz/dnsviz

This section only covers Docker-related examples; for more information, see the Usage section.

Simple Usage

$ docker run dnsviz/dnsviz help
$ docker run dnsviz/dnsviz query example.com

Working with Files

It might be useful to mount a local working directory into the container, especially when combining multiple commands or working with zone files.

$ docker run -v "$PWD:/data:rw" dnsviz/dnsviz probe dnsviz.net > probe.json
$ docker run -v "$PWD:/data:rw" dnsviz/dnsviz graph -r probe.json -T png -O

Using a Host Network

When running authoritative queries, a host network is recommended.

$ docker run --network host dnsviz/dnsviz probe -4 -A example.com > example.json

Otherwise, you're likely to encounter the following error: dnsviz.query.SourceAddressBindError: Unable to bind to local address (EADDRNOTAVAIL)

Interactive Mode

When performing complex analyses, where you need to combine multiple DNSViz commands, use bash redirection, etc., it might be useful to run the container interactively:

$ docker run --network host -v "$PWD:/data:rw" --entrypoint /bin/sh -ti dnsviz/dnsviz
/data # dnsviz --help

dnsviz's Issues

Thank you! (Not an issue)

Thank you for this wonderful project! It helped me determine that penndot.gov was in compliance 4 months ago, but not in compliance today. More! More! Where do I donate?

Parsing of resolv.conf should be more robust

% dnsget  bortzmeyer.org > ../bortzmeyer.org.json    
Traceback (most recent call last):
  File "./bin/dnsget", line 37, in <module>
    from dnsviz.analysis import Analyst, DomainNameAnalysis, get_client_addresses, NetworkConnectivityException, _resolver
  File "/usr/local/lib/python2.7/dist-packages/dnsviz/analysis.py", line 137, in <module>
    _resolver = Resolver.Resolver.from_file('/etc/resolv.conf', StandardRecursiveQueryCD)
  File "/usr/local/lib/python2.7/dist-packages/dnsviz/resolver.py", line 99, in from_file
    if words[0] == 'nameserver':
IndexError: list index out of range

Just because there was an empty line in resolv.conf. When deleting it, it worked fine.

testing for NSEC records denying things which should exist

I recently came across a couple of authoritative nameservers which somehow presented an NSEC record which declared that the whole zone it was authoritative for was empty (denying the existence of itself, being in-bailiwick!). Combined with knot-resolver's aggressive caching using DNSSEC records, lookups of records at the domains that these nameservers were supposed to be authoritative for could not be resolved.

I'm not that familiar with DNSSEC and found help from https://gitter.com/CZ-NIC/knot-resolver. I could see in logs from knot-resolver that it could not find any NS with an address (what I did not react to at the time was the NSEC sname: covered by: example.com. -> example.com. -- that was probably a great clue!)

Eventually @vcunat found example.com. NSEC example.com., and I could contact the admin who corrected the problem.

Could dnsviz highlight these kind of problems?

As @pspacek said in the discussion:

It would be also useful to test for other contradictory answers, e.g. server answering test.example.com. A but providing proof-of-nonexistence for query test.example.com. TXT which states that test.example.com. A does not exist etc.
In general proofs from NSEC records must not contradict existence of other data which were obtained during the test.

pip installing into a python 3 environment throws error

[screenshot of the pip error, not reproduced]

I can't find the offending line in the source so perhaps Pypi needs to be updated?

python version: 3.6.0
pip version: 9.0.1
virtualenv version: 15.0.3

Additionally tried the --no-cache-dir option with pip in case it was a cached bad build from building the source earlier, but same result.

warn about obsolete DNSSEC algorithms

Just recently Fedora 33 has forbidden use of SHA1 for signature verification, which effectively breaks DNSSEC on some domains.

Besides this practical consequence, a bunch of DNSSEC algorithms should not be used and I believe it would be beneficial to flag these as warnings. I propose to warn about algorithms involving MD5, SHA1, DSA, and GOST.

https://tools.ietf.org/html/rfc8624#section-3.1 and https://tools.ietf.org/html/rfc8624#section-3.2 give nice tables with not recommended or outright banned algorithms.

Unfortunately I'm not able to find head and tail in DNSViz code base so I'm not able to write patch, sorry and thank you for your time!

Problem with verification on a domain

Hi folks, thanks for the great tool which is such an essential tool for me.

I seem to have a problem with a new domain I purchased photographer.hosting.
I first of all had problems trying to add the DS keys at GoDaddy for 2 weeks due to a timeout between GoDaddy and the .hosting registry.

I eventually managed to add the DS keys today and within a few minutes http://dnssec-debugger.verisignlabs.com/photographer.hosting picked it up and flagged everything as OK.

Yet http://dnsviz.net/d/photographer.hosting/dnssec/ is still showing me errors and I've been trying throughout the day by forcing DNSVIZ to update.

Is this a problem with the .hosting registry itself or perhaps that DNSVIZ is not seeing the update DNS records yet?

Can't graph broken DNSSEC test sites

I've tried to probe (recursive querying) and graph the following labels using 0.4.0 release:

bad-sig.dane.verisignlabs.com is OK but www.dnssec-failed.org and www.rhybar.cz aren't.
Here's the output for www.dnssec-failed.org [1], www.rhybar.cz yields similar output.

The local resolver is working OK [2], as well as dnsviz grok [3].

If nobody else can reproduce, I can upload the probe and grok results.

Bug or pebkac? :-)

[1]
test# dnsviz probe -s 127.0.0.1 www.dnssec-failed.org | dnsviz graph -R a -Thtml -O
Analyzing www.dnssec-failed.org
Analyzing dnssec-failed.org
Analyzing org
Analyzing .
Traceback (most recent call last):
  File "/usr/bin/dnsviz", line 68, in <module>
    main()
  File "/usr/bin/dnsviz", line 65, in main
    mod.main(sys.argv[1:])
  File "/usr/lib/python2.7/site-packages/dnsviz/commands/graph.py", line 288, in main
    finish_graph(G, [name_obj], rdtypes, trusted_keys, fmt, '%s.%s' % (name, fmt))
  File "/usr/lib/python2.7/site-packages/dnsviz/commands/graph.py", line 79, in finish_graph
    js_img = G.draw('js')
  File "/usr/lib/python2.7/site-packages/dnsviz/viz/dnssec.py", line 263, in draw
    img = self.to_raphael()
  File "/usr/lib/python2.7/site-packages/dnsviz/viz/dnssec.py", line 250, in to_raphael
    svg = self.G.draw(format='svg', prog='dot')
  File "/usr/lib64/python2.7/site-packages/pygraphviz/agraph.py", line 1474, in draw
    data = self._run_prog(prog, args)
  File "/usr/lib64/python2.7/site-packages/pygraphviz/agraph.py", line 1335, in _run_prog
    raise IOError(b"".join(errors))
IOError: dot: mincross.c:1314: flat_reorder: Assertion `constraining_flat_edge(g,v,e) == 0' failed.

[2]
test# dig @127.0.0.1 www.dnssec-failed.org a +dnssec

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> @127.0.0.1 www.dnssec-failed.org a +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63152
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; Query time: 84 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 13 20:45:56 CEST 2015
;; MSG SIZE rcvd: 50

[3]
test# dnsviz probe -s 127.0.0.1 www.dnssec-failed.org | dnsviz grok -o /tmp/www.dnssec-failed.org.grokked.json
Analyzing www.dnssec-failed.org
Analyzing dnssec-failed.org
Analyzing org
Analyzing .
test# ls -ahl !$
ls -ahl /tmp/www.dnssec-failed.org.grokked.json
-rw-r--r-- 1 root root 16K Oct 13 20:48 /tmp/www.dnssec-failed.org.grokked.json
test# jq . !$ &>/dev/null && echo $?
jq . /tmp/www.dnssec-failed.org.grokked.json &>/dev/null && echo $?
0

pygraphviz version check

On this system (Debian Wheezy 7), easy_install pulled in pygraphviz no problem, but upon trying to execute dnsviz, it seems the version checking might be a bit off:

pygraphviz version >= 1.1 is required, but version 1.3rc2 is installed.

-O 'Derive the filename(s) from domain name(s)' for graph and print does not encode the output filename

For example, given an input domain name of "d/len.c.b.a.in-addr.arpa" (from RFC 2317 'Classless IN-ADDR.ARPA delegation'), dnsviz print and graph both fail when called with -O:

$ dnsviz probe -o probed d/len.c.b.a.in-addr.arpa
Analyzing d/len.c.b.a.in-addr.arpa
Analyzing c.b.a.in-addr.arpa
Analyzing b.a.in-addr.arpa
Analyzing a.in-addr.arpa
Analyzing in-addr.arpa
Analyzing arpa
Analyzing .
$ dnsviz print -O -r probed d/len.c.b.a.in-addr.arpa
No such file or directory: "d/len.c.b.a.in-addr.arpa.txt"

The name generated by -O could be encoded in some format - for example, BIND9's dnssec-keygen tool uses URL-like percent-encoding, where '/' becomes '%2F'.

AttributeError: can't set attribute

I often get the following error. It is completely random. When I run the same test again, no error is reported.

/usr/local/bin/dnsviz probe -p -A -R 'NS' -o '/data/web/tmp/tmpGfXmVqzWt9SmF5em.json' 'rhybar.cz' 2>&1
Analyzing cz (stub)
Analyzing rhybar.cz
Error analyzing rhybar.cz
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/dnsviz/commands/probe.py", line 166, in _analyze
    return a.analyze()
  File "/usr/local/lib/python3.7/dist-packages/dnsviz/analysis/online.py", line 1513, in analyze
    return self._analyze(self.name)
  File "/usr/local/lib/python3.7/dist-packages/dnsviz/analysis/online.py", line 1652, in _analyze
    self._analyze_name(name_obj)
  File "/usr/local/lib/python3.7/dist-packages/dnsviz/analysis/online.py", line 1686, in _analyze_name
    yxdomain = self._analyze_delegation(name_obj)
  File "/usr/local/lib/python3.7/dist-packages/dnsviz/analysis/online.py", line 1895, in _analyze_delegation
    query.execute(tm=self.transport_manager, th_factories=self.th_factories)
  File "/usr/local/lib/python3.7/dist-packages/dnsviz/query.py", line 1589, in _func
    return func(self, *args, **kwargs)
  File "/usr/local/lib/python3.7/dist-packages/dnsviz/query.py", line 1599, in execute
    self.execute_queries(self, ignore_queryid=ignore_queryid, tm=tm, th_factories=th_factories)
  File "/usr/local/lib/python3.7/dist-packages/dnsviz/query.py", line 1497, in execute_queries
    response = qh.handle_response(qtm.res, response, response_time, qtm.src, qtm.sport)
  File "/usr/local/lib/python3.7/dist-packages/dnsviz/query.py", line 811, in handle_response
    retry_action = handler.handle(response_wire, response, response_time)
  File "/usr/local/lib/python3.7/dist-packages/dnsviz/query.py", line 378, in handle
    self._request.payload = self._reduced_payload
AttributeError: can't set attribute

probe: using -t may cause deadlock with Python3

Description

When using the -t options to run dnsviz probe in multiple threads, it seems some data can cause deadlock. As of 2019-01-14, the following query deadlocks:

$ time dnsviz probe -t 2 www.adhomepage.com > /dev/null
Analyzing www.adhomepage.com
Analyzing adhomepage.com
Analyzing com
Analyzing .
Analyzing hdredirect-lb5-1afb6e2973825a56.elb.us-east-1.amazonaws.com
Analyzing elb.us-east-1.amazonaws.com
Analyzing us-east-1.amazonaws.com
Analyzing amazonaws.com
^CInterrupted.

real    7m45.040s
user    0m0.861s
sys     0m0.117s

Interestingly enough, without the -t option, the domain is analyzed just fine.

$ time dnsviz probe www.adhomepage.com > /dev/null
Analyzing www.adhomepage.com
Analyzing adhomepage.com
Analyzing com
Analyzing .
Analyzing hdredirect-lb5-1afb6e2973825a56.elb.us-east-1.amazonaws.com
Analyzing elb.us-east-1.amazonaws.com
Analyzing us-east-1.amazonaws.com
Analyzing amazonaws.com

real    0m1.211s
user    0m0.528s
sys     0m0.061s

Versions

  • latest dnsviz - master (82aa568)
  • python: 3.7.2
  • dnspython: 1.16.0
  • m2crypto: 0.30.1
  • pygraphviz: 1.5

Additional info

The probe command works fine when using dnsviz 0.6.7 and Python 2

Check key/signature lengths

In http://dnsviz.net/d/vheng.nl/WL5hKQ/dnssec/, a leading zero was missing from the second number in a public ECDSA key, yielding a 760 bit key. For algos such as 13 and 14, we can always know the right key length, and perhaps we can point out that this key is really broken.

The same thing goes for sigs - they tend to have a fixed size and when we see a sig (that we might even consider valid!) with the wrong size, it might be nice to point that out.

Where does the build install to?

I'm always wary of running any kind of 'sudo' without knowing what files it plans on touching.

yes, i could read the guts of the setup.py, but is there a summary of where all this will get placed when you run the install.

or - another way to ask the question: can dnsviz be run from the build folder without installing it ?
is there a way to test the the build worked without error ?

(If i try to run './bin/dnsviz probe' i get the error:
Traceback (most recent call last):
  File "./bin/dnsviz", line 80, in <module>
    main()
  File "./bin/dnsviz", line 58, in main
    import dnsviz.commands

ImportError: No module named config

I've just installed dnsviz into a python virtualenv on my MacOSX laptop. Here's the list of installed modules:

$ pip list
Package    Version
---------- -------
appdirs    1.4.3  
dnspython  1.15.0 
dnsviz     0.6.5  
M2Crypto   0.26.0 
packaging  16.8   
pip        9.0.1  
pygraphviz 1.3.1  
pyparsing  2.2.0  
setuptools 34.3.3 
six        1.10.0 
typing     3.6.1  
wheel      0.29.0 

When I try to run any command, I get:

$ dnsviz probe
Traceback (most recent call last):
  File "/tmp/dnsviz/bin/dnsviz", line 92, in <module>
    main()
  File "/tmp/dnsviz/bin/dnsviz", line 74, in main
    mod = importlib.import_module('dnsviz.commands.%s' % command)
  File "/usr/local/Cellar/python/2.7.13/Frameworks/Python.framework/Versions/2.7/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/tmp/dnsviz/lib/python2.7/site-packages/dnsviz/commands/probe.py", line 63, in <module>
    from dnsviz.analysis import WILDCARD_EXPLICIT_DELEGATION, PrivateAnalyst, PrivateRecursiveAnalyst, OnlineDomainNameAnalysis, NetworkConnectivityException, DNS_RAW_VERSION
  File "/tmp/dnsviz/lib/python2.7/site-packages/dnsviz/analysis/__init__.py", line 1, in <module>
    from .online import WILDCARD_EXPLICIT_DELEGATION, Analyst, OnlineDomainNameAnalysis, PrivateAnalyst, RecursiveAnalyst, PrivateRecursiveAnalyst, NetworkConnectivityException, DNS_RAW_VERSION
  File "/tmp/dnsviz/lib/python2.7/site-packages/dnsviz/analysis/online.py", line 50, in <module>
    import dnsviz.query as Q
  File "/tmp/dnsviz/lib/python2.7/site-packages/dnsviz/query.py", line 54, in <module>
    from .response import *
  File "/tmp/dnsviz/lib/python2.7/site-packages/dnsviz/response.py", line 54, in <module>
    from .util import tuple_to_dict
  File "/tmp/dnsviz/lib/python2.7/site-packages/dnsviz/util.py", line 37, in <module>
    from .config import DNSVIZ_SHARE_PATH
ImportError: No module named config

Looks like dnsviz is trying to load stuff from a module file called "config", but there's no such file in the dnsviz directory.

dnsviz grok crashing

Version: dnsviz 0.8.2 on FreeBSD
When I generate report like this:
dnsviz probe -d 0 -o report.json -A example.com
and then I try to analyze it like this:
dnsviz grok -r report.json
then this second step crashes for some reports every time and works for others.
Here is traceback.zip.
I can send failing report, if requested.

Clarify NODATA error for DS record lookup

When dnsviz performs a DS record lookup against a server that doesn't support DNSSEC (and therefore gets a referral), dnsviz reports:

The Authoritative Answer (AA) flag was not set in the response.
No SOA RR was returned with the NODATA response.

This is confusing, as the server is not returning a NODATA response. dnsviz should instead have text that indicates a referral was received rather than a NODATA response.

-A broken in docker for mac

[root@23beedbfd2bf dnsviz]# /usr/bin/dnsviz probe -A -d 3 -4 dnssec-failed.org
Error analyzing dnssec-failed.org
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/dnsviz/commands/probe.py", line 146, in _analyze
    a = cls(name, dlv_domain=dlv_domain, try_ipv4=try_ipv4, try_ipv6=try_ipv6, client_ipv4=client_ipv4, client_ipv6=client_ipv6, query_class_mixin=query_class_mixin, ceiling=c, edns_diagnostics=edns_diagnostics, explicit_delegations=explicit_delegations, stop_at_explicit=stop_at_explicit, odd_ports=odd_ports, extra_rdtypes=extra_rdtypes, explicit_only=explicit_only, analysis_cache=cache, cache_level=cache_level, analysis_cache_lock=cache_lock, transport_manager=tm, th_factories=th_factories, resolver=resolver)
  File "/usr/lib/python2.7/site-packages/dnsviz/analysis/online.py", line 1072, in __init__
    self.local_ceiling = self._detect_ceiling(ceiling)[0]
  File "/usr/lib/python2.7/site-packages/dnsviz/analysis/online.py", line 1163, in _detect_ceiling
    ans = self.resolver.query_for_answer(ceiling, dns.rdatatype.NS, dns.rdataclass.IN)
  File "/usr/lib/python2.7/site-packages/dnsviz/resolver.py", line 423, in query_for_answer
    response, server = self.query(qname, rdtype, rdclass)
  File "/usr/lib/python2.7/site-packages/dnsviz/resolver.py", line 411, in query
    l = self._query(qname, rdtype, rdclass, 0, self.SRC_NONAUTH_ANS)
  File "/usr/lib/python2.7/site-packages/dnsviz/resolver.py", line 551, in _query
    a_rrset = self._query(ns_name, a_rdtype, dns.rdataclass.IN, level + 1, self.SRC_ADDITIONAL, starting_domain=sd)[-2]
  File "/usr/lib/python2.7/site-packages/dnsviz/resolver.py", line 564, in _query
    q.execute(tm=self._transport_manager, th_factories=self._th_factories)
  File "/usr/lib/python2.7/site-packages/dnsviz/query.py", line 1468, in _func
    return func(self, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/dnsviz/query.py", line 1478, in execute
    self.execute_queries(self, ignore_queryid=ignore_queryid, tm=tm, th_factories=th_factories)
  File "/usr/lib/python2.7/site-packages/dnsviz/query.py", line 1427, in execute_queries
    raise SourceAddressBindError('Unable to bind to local address (%s)' % (errno.errorcode[errno1]))
SourceAddressBindError: Unable to bind to local address (EADDRNOTAVAIL)

I tested the same docker container on docker on centos 7 host and there I did not have this issue. The container itself is the official docker centos 7 from dockerhub. I tested to run bind and httpd in the same container and they had no problems binding to a port. Please advise.

(I have no issue on docker for mac when I do not use the -A option)

Docker for mac version:
Version 17.12.0-ce-mac49 (21995)

Thanks

AttributeError: 'NoneType' object has no attribute 'rdata'

This happens on dnsviz==0.9.0, but not on 0.8.2 so something has changed between these tags.

>>> graph.main(['graph', '-Thtml', '-O', '-r', '/tmp/probe_out.json'])
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/rithvik/.pyenv/versions/HSEnv/lib/python3.7/site-packages/dnsviz/commands/graph.py", line 464, in main
    name_obj.populate_status(arghelper.trusted_keys, supported_algs=arghelper.args.algorithms, supported_digest_algs=arghelper.args.digest_algorithms, validate_prohibited_algs=arghelper.args.validate_prohibited_algs)
  File "/home/rithvik/.pyenv/versions/HSEnv/lib/python3.7/site-packages/dnsviz/analysis/offline.py", line 863, in populate_status
    self._populate_status(trusted_keys, supported_algs, supported_digest_algs, is_dlv, None, follow_mx)
  File "/home/rithvik/.pyenv/versions/HSEnv/lib/python3.7/site-packages/dnsviz/analysis/offline.py", line 837, in _populate_status
    self._populate_nxdomain_status(supported_algs)
  File "/home/rithvik/.pyenv/versions/HSEnv/lib/python3.7/site-packages/dnsviz/analysis/offline.py", line 2402, in _populate_nxdomain_status
    supported_algs)
  File "/home/rithvik/.pyenv/versions/HSEnv/lib/python3.7/site-packages/dnsviz/analysis/offline.py", line 2279, in _populate_negative_response_status
    self._populate_rrsig_status(query, soa_rrset_info, self.get_name(soa_owner_name), supported_algs, populate_response_errors=False)
  File "/home/rithvik/.pyenv/versions/HSEnv/lib/python3.7/site-packages/dnsviz/analysis/offline.py", line 1580, in _populate_rrsig_status
    rrsig_status = Status.RRSIGStatus(rrset_info, rrsig, None, zone_name, fmt.datetime_to_timestamp(self.analysis_end), supported_algs)
  File "/home/rithvik/.pyenv/versions/HSEnv/lib/python3.7/site-packages/dnsviz/analysis/status.py", line 230, in __init__
    if self.dnskey.rdata.algorithm in DNSKEY_ALGS_VALIDATION_PROHIBITED:
AttributeError: 'NoneType' object has no attribute 'rdata'

Trying to trace the code, I think it's this commit (lines selected): 992baac#diff-1e33847313500796d7f40588ef54bc13df321fbae972af733d9da7bd00fbf76fR228-R229

If self.dnskey is None, (as passed by dnsviz/analysis/offline.py, line 1580), then a few lines later, self.dnskey.rdata.algorithm must not be accessed.

CAA record support

Hi there,

Recently, Ballot 125 of the CA/Browser Forum was passed, which means every CA will need to check for CAA records somewhere in the future.

Some CAs do this already, like Let's Encrypt. Unfortunately, some users have trouble regarding CAA records.

The dnsviz site, which is built upon this software, is a very helpful tool for this, as many times DNSSEC errors or other troublesome circumstances are the reason for this.

Unfortunately, at the moment it isn't possible to explicitly select CAA records on the site (the "Advanced" methods of the site have helped me in the past) and as far as I could tell from the source code of this repo, there isn't CAA record support yet.

The CAA record was added to dnspython in version 1.13.0.

Therefore my request to add CAA record support 🙂

Related issue for the dnsviz site: dnsviz/dnsvizwww#2

NSID support for servers

It would be great if dnsviz could add an NSID EDNS option to queries, and include that information in the "/responses/" tab. That way, we can identify node issues in anycasted servers.
Thanks a lot, it's a wonderful tool!

Inaccurate display for KSK algorithm rollover

Hi, I did a KSK algorithm rollover for the zone 6v6.de. My DNS server (knot) does this automatically and follows RFC6781 4.1.4 for KSK algorithm rollovers. After the new KSK was introduced it looked like it only signed itself:
http://dnsviz.net/d/6v6.de/W9AmtA/dnssec/

When in reality the new KSK signed all DNSKEYs in the zone (as it should). This only became visible after the parent introduced the new algorithm DS:

http://dnsviz.net/d/6v6.de/W9Ar5Q/dnssec/

I would have expected that the signature from the new KSK over the whole DNSKEY set would be visible even before the DS change.

UDP Errors with root servers

I have seen quite a few errors of this nature recently.

./DNSKEY: No response was received from the server over UDP (tried 4 times). (192.112.36.4, UDP_0_EDNS0_32768_512)

how reliable is it for those using DNSSEC if G.ROOT-SERVERS.NET and possibly others have faults like these?

Find the ID

Hello folks,

I want to know if it's possible to know the id, using the tool dnsviz, e.g.:

dnsviz probe example.com

From the GUI interface the search http://dnsviz.net/d/dnsviz.net/dnssec/ returns a DNSKEY with id 28345.

Thanks in advance,
Luis

Recursive Resolver on different port

I have a recursive resolver listening on 127.0.0.1:5350 that works with dig as expected:

$ dig @127.0.0.1 -p 5350 proofofconcept
;; QUESTION SECTION:
;proofofconcept.                        IN      A

;; ANSWER SECTION:
proofofconcept.         19466   IN      A       142.93.115.133

;; Query time: 95 msec
;; SERVER: 127.0.0.1#5350(127.0.0.1)

But when passing this to dnsviz probe with -s, it only uses 127.0.0.1:53 (the default port, not the one passed in arg).

For this to be tested, I've opened port 5350 on my VM and will keep it open for now.

# dig works as expected and returns A record
dig @40.113.229.250 -p 5350 proofofconcept

# dnsviz tries to access port 53 of that IP and fails
dnsviz probe -s 40.113.229.250:5350 proofofconcept

Support CDNSKEY and CDS records

Feature request:

Now that CDNSKEY and CDS support has been deployed by one or two registries and some DNS services, it would be neat if DNSViz supported it too.

Simple option:

  • Query for and display CDNSKEY and CDS by default.

More complicated:

  • Warn if they don't match the current DS records?

  • Error if applying them would produce DS records that would make the zone bogus.

0x20 testing

PowerDNS auth 4.0.0-4.0.3 (fixed in 4.0.4) would mess up NSEC records for 0x20 (random casing) queries. We've had trouble getting people to upgrade because 'dnsviz is happy'. Could dnsviz perhaps (additionally?) randomise case in its queries to detect this failure? I'm pretty sure we're not the only one to have done broken things in this area.

NSEC coverage clarification

Be more specific about why an NSEC record doesn't cover. Specifically, show a different error if the problem is that a name in the NSEC record is a subdomain of the name being covered (e.g., ENT).

test for non-compliance of Empty Non-Terminals

This only applies to zones that have "deep" labels like _dns._tcp.example.com

In this case _tcp is an empty non-terminal, i.e. no records exist at it.
The right answer for _tcp.example.com is "empty answer";
wrong answers include Time-out, NXDomain, Refused, SERVFAIL.

Sometimes this is hard to detect when there is a wildcard, so check with multiple RRtypes
after support for the RRtypes has been established.

Gost absence-from-OpenSSL handling fails to handle absence

OpenSSL 1.1.0 no longer ships with GOST; it's in an external engine.

The attempts to handle this absence in dnsviz are failing, see below. Further, these failed before trying OpenSSL 1.1.0, with however Ubuntu Xenial is configuring their OpenSSL 1.0.2g, and failed identically.

With brutal surgery to dnsviz/crypto.py to remove all gost-handling functions and methods, and change both validate_ds_digest() and validate_rrsig() to raise Exception() if they're somehow called on gost data anyway, I can now run dnsviz probe mx.spodhuis.org and have it work instead of failing out on me.

% dnsviz probe mx.spodhuis.org
Traceback (most recent call last):
  File "/home/dnsviz/.pyenv/versions/dnsviz-3.6.4/bin/dnsviz", line 106, in <module>
    main()
  File "/home/dnsviz/.pyenv/versions/dnsviz-3.6.4/bin/dnsviz", line 88, in main
    mod = importlib.import_module('dnsviz.commands.%s' % command)
  File "/home/dnsviz/.pyenv/versions/3.6.4/lib/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/home/dnsviz/.pyenv/versions/dnsviz-3.6.4/lib/python3.6/site-packages/dnsviz/commands/probe.py", line 63, in <module>
    from dnsviz.analysis import WILDCARD_EXPLICIT_DELEGATION, PrivateAnalyst, PrivateRecursiveAnalyst, OnlineDomainNameAnalysis, NetworkConnectivityException, DNS_RAW_VERSION
  File "/home/dnsviz/.pyenv/versions/dnsviz-3.6.4/lib/python3.6/site-packages/dnsviz/analysis/__init__.py", line 1, in <module>
    from .online import WILDCARD_EXPLICIT_DELEGATION, Analyst, OnlineDomainNameAnalysis, PrivateAnalyst, RecursiveAnalyst, PrivateRecursiveAnalyst, NetworkConnectivityException, DNS_RAW_VERSION
  File "/home/dnsviz/.pyenv/versions/dnsviz-3.6.4/lib/python3.6/site-packages/dnsviz/analysis/online.py", line 50, in <module>
    import dnsviz.query as Q
  File "/home/dnsviz/.pyenv/versions/dnsviz-3.6.4/lib/python3.6/site-packages/dnsviz/query.py", line 54, in <module>
    from .response import *
  File "/home/dnsviz/.pyenv/versions/dnsviz-3.6.4/lib/python3.6/site-packages/dnsviz/response.py", line 51, in <module>
    from . import crypto
  File "/home/dnsviz/.pyenv/versions/dnsviz-3.6.4/lib/python3.6/site-packages/dnsviz/crypto.py", line 163, in <module>
    _check_gost_support()
  File "/home/dnsviz/.pyenv/versions/dnsviz-3.6.4/lib/python3.6/site-packages/dnsviz/crypto.py", line 98, in _check_gost_support
    _gost_init()
  File "/home/dnsviz/.pyenv/versions/dnsviz-3.6.4/lib/python3.6/site-packages/dnsviz/crypto.py", line 135, in _gost_init
    gost = Engine.Engine(b'gost')
  File "/home/dnsviz/.pyenv/versions/dnsviz-3.6.4/lib/python3.6/site-packages/M2Crypto-0.29.0-py3.6-linux-x86_64.egg/M2Crypto/Engine.py", line 32, in __init__
    self._ptr = m2.engine_by_id(id)
TypeError: in method 'engine_by_id', argument 1 of type 'char const *'

broken insecure delegation not detected

http://dnsviz.net/d/www.stadsmuseum.nl/WgmyGg/dnssec/ - this name is currently considered bogus by Unbound, PowerDNS, Knot, and Google Public DNS. Querying for 'DS www.stadsmuseum.nl' indeed does not yield a correct proof of insecurity for the child zone - instead it returns this:

;; ANSWER SECTION:
www.stadsmuseum.nl.	300	IN	CNAME	stadsmuseum.nl.
www.stadsmuseum.nl.	300	IN	RRSIG	CNAME 13 3 300 20171123000000 20171102000000 45942 stadsmuseum.nl. DfZytI5utWG3CXAsoFj4Uq35ZN7Zpl3FvSwL6XMaN5vFYfbhCZBeUcBG oZ7K6jaYRw0w/r6B7TUxsxOTfwQoGg==

Perhaps the CNAME 'at apex' is confusing DNSViz?

Requirements in README.md?

Would be nice to have some requirements information in terms of python modules that need to be installed, and python version.

I'm fumbling through setting this up, and will eventually guess the right requirements (and may submit a proposed merge to README.md):

~/dev/dnsviz$ python2.7 ./setup.py 
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
   or: setup.py --help [cmd1 cmd2 ...]
   or: setup.py --help-commands
   or: setup.py cmd --help

error: no commands supplied

~/dev/dnsviz$ sudo python2.7 ./setup.py 
Traceback (most recent call last):
  File "./setup.py", line 54, in <module>
    'dnspython (==1.11)',
  File "/usr/lib/python2.7/distutils/core.py", line 112, in setup
    _setup_distribution = dist = klass(attrs)
  File "/usr/lib/python2.7/distutils/dist.py", line 259, in __init__
    getattr(self.metadata, "set_" + key)(val)
  File "/usr/lib/python2.7/distutils/dist.py", line 1218, in set_requires
    import distutils.versionpredicate
  File "/usr/lib/python2.7/distutils/versionpredicate.py", line 5, in <module>
    import operator
ImportError: /usr/lib/python2.7/lib-dynload/operator.so: wrong ELF class: ELFCLASS32

support DS

For pre-DNSSEC-delegation purposes it would be a neat feature if you could provide a DS and test whether it would match the DNSKEY in the zone.

./DNSKEY: No response was received from the server over UDP

Hello,

I get the following errors; I could not manage to solve what causes these errors.

./DNSKEY: No response was received from the server over UDP (tried 12 times). (192.36.148.17, UDP_0_EDNS0_32768_57)

./DNSKEY: No response was received from the server over UDP (tried 4 times). (192.36.148.17, UDP_0_EDNS0_32768_512)

com/DS (alg 8, id 30909): No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size. (192.36.148.17, UDP_0_EDNS0_32768_4096)

com/DS (alg 8, id 30909): No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size. (192.36.148.17, UDP_0_EDNS0_32768_4096)

root@server:~# dig @127.0.0.1 +short rs.dns-oarc.net txt
rst.x490.rs.dns-oarc.net.
rst.x461.x490.rs.dns-oarc.net.
rst.x466.x461.x490.rs.dns-oarc.net.
"Tested at 2017-03-08 19:19:02 UTC"
"139.162.146.144 sent EDNS buffer size 512"
"139.162.146.144 DNS reply size limit is at least 490"
root@server:~#
root@server:~# dig +short rs.dns-oarc.net txt
rst.x4090.rs.dns-oarc.net.
rst.x4058.x4090.rs.dns-oarc.net.
rst.x4064.x4058.x4090.rs.dns-oarc.net.
"139.162.130.22 DNS reply size limit is at least 4090"
"139.162.130.22 sent EDNS buffer size 4096"
"Tested at 2017-03-08 19:20:26 UTC"
root@server:~#

Sincerely,

DNSVIZ don't enforce rfc5155#section-7.1 "Each empty non-terminal MUST have a corresponding NSEC3 RR"

https://github.com/dnsviz/dnsviz/blob/master/dnsviz/analysis/status.py#L1250
https://github.com/dnsviz/dnsviz/blob/master/dnsviz/analysis/status.py#L1256

Here it looks like dnsviz checks that the "Closest Encloser hash" is covered by the NSEC3, whereas I believe the RFC requires checking the label that is being requested in order to comply with https://tools.ietf.org/html/rfc5155#section-7.1

o Each empty non-terminal MUST have a corresponding NSEC3 RR, unless
the empty non-terminal is only derived from an insecure delegation
covered by an Opt-Out NSEC3 RR.

so for example

example.xx.yy

yy is a signed tld covered by an NSEC3 record
xx is an "empty non-terminal", so it is not delegated (no NS records), so as per the RFC it requires an NSEC3 record; however, in this example it doesn't have an NSEC

example.xx.yy is an unsigned delegation

Currently this scenario passes in dnsviz; however, I think it is a false positive.
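As an added illustration of the check the two ENT-related reports above ("test for non-compliance of Empty Non-Terminals" and this NSEC3 one) ask for, the following Python is not DNSViz's code: it hashes names the way NSEC3 does (RFC 5155 section 5), derives the empty non-terminals implied by a set of names, and lists those that have no matching NSEC3 owner, honouring the Opt-Out exemption of section 7.1. The zone contents and NSEC3 owner names are constructed inputs; in practice they would come from the signed zone or from queried responses.

```python
import base64
import hashlib

# Added example, not DNSViz's own code. Translation table from Python's
# standard base32 alphabet (A-Z2-7) to base32hex (0-9A-V) used by NSEC3.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form of a domain name: lowercased labels, null terminator."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: IH(0) = SHA1(name || salt), IH(k) = SHA1(IH(k-1) || salt).
    Presentation-format salt "-" means no salt. Result is lowercase base32hex."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32HEX).lower()


def empty_non_terminals(zone, names):
    """Map each ENT (a name strictly between the apex and an existing name that
    owns no RRs itself) to the set of existing names it is derived from.
    Assumes every name in `names` lies within `zone`."""
    zone_labels = zone.rstrip(".").lower().split(".")
    existing = {n.rstrip(".").lower() for n in names}
    ents = {}
    for name in existing:
        labels = name.split(".")
        for i in range(1, len(labels) - len(zone_labels)):
            ancestor = ".".join(labels[i:])
            if ancestor not in existing:
                ents.setdefault(ancestor, set()).add(name)
    return ents


def missing_ent_nsec3(zone, names, nsec3_owners, salt_hex, iterations,
                      optout_insecure=()):
    """Return (ent, hash) pairs for ENTs lacking a matching NSEC3 RR.
    An ENT derived only from insecure delegations covered by an Opt-Out NSEC3
    (names listed in `optout_insecure`) is exempt per RFC 5155 section 7.1."""
    zone = zone.rstrip(".").lower()
    owners = {o.rstrip(".").lower() for o in nsec3_owners}
    exempt = {n.rstrip(".").lower() for n in optout_insecure}
    missing = []
    for ent, derived_from in sorted(empty_non_terminals(zone, names).items()):
        if derived_from <= exempt:
            continue  # only reachable through opt-out covered delegations
        hashed = nsec3_hash(ent, salt_hex, iterations)
        if "%s.%s" % (hashed, zone) not in owners:
            missing.append((ent, hashed))
    return missing
```

The hash routine can be checked against the RFC 5155 Appendix A vector (H(example) with salt aabbccdd and 12 iterations is 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom); the report's example.xx.yy case then fails the check until an NSEC3 for xx.yy is added or the delegation is marked as opt-out covered.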

Should test prerequisites

It would be better to have an explicit test (maybe in setup.py), in order to produce a better error message:

% dnsget bortzmeyer.org > ../bortzmeyer.org.json
Traceback (most recent call last):
  File "/local/bin/dnsget", line 37, in <module>
    from dnsviz.analysis import Analyst, DomainNameAnalysis, get_client_addresses, NetworkConnectivityException, _resolver
  File "/usr/local/lib/python2.7/dist-packages/dnsviz/analysis.py", line 43, in <module>
    import crypto
  File "/usr/local/lib/python2.7/dist-packages/dnsviz/crypto.py", line 33, in <module>
    from M2Crypto import DSA, EC, Engine, EVP, m2, RSA
ImportError: No module named M2Crypto

Backtrace when /etc/resolv.conf is missing

dnspython 2 needs /etc/resolv.conf , and openSUSE has 'eradicated' that. The result is rather odd here

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/dnsviz/commands/probe.py", line 153, in _analyze
    return a.analyze()
  File "/usr/lib/python3.8/site-packages/dnsviz/analysis/online.py", line 1513, in analyze
    return self._analyze(self.name)
  File "/usr/lib/python3.8/site-packages/dnsviz/analysis/online.py", line 2368, in _analyze
    self._analyze_name(name_obj)
  File "/usr/lib/python3.8/site-packages/dnsviz/analysis/online.py", line 2403, in _analyze_name
    servers = name_obj.zone.get_auth_or_designated_servers()
AttributeError: 'NoneType' object has no attribute 'get_auth_or_designated_servers'

Debugging it a bit

$ ./bin/dnsviz probe example.com
Analyzing example.com
Error analyzing example.com
Traceback (most recent call last):
  File "/home/jayvdb/projects/dns/dnsviz/dnsviz/commands/probe.py", line 159, in _analyze
    return a.analyze()
  File "/home/jayvdb/projects/dns/dnsviz/dnsviz/analysis/online.py", line 1514, in analyze
    return self._analyze(self.name)
  File "/home/jayvdb/projects/dns/dnsviz/dnsviz/analysis/online.py", line 2374, in _analyze
    self._analyze_name(name_obj)
  File "/home/jayvdb/projects/dns/dnsviz/dnsviz/analysis/online.py", line 2409, in _analyze_name
    assert name_obj.zone, name_obj
AssertionError: example.com

And is_zone() is False, so .zone is .parent which is the None we see above.

When I move /usr/etc/resolv.conf to /etc/resolv.conf it magically works.

While this is probably a problem for dnspython to improve, very likely dnsviz can better detect that dnspython is broken and fail in a more user-friendly way.

No licence?

When installing the software:

% sudo python setup.py install
...
running install_data
creating /usr/local/share/doc/dnsviz
copying README -> /usr/local/share/doc/dnsviz
error: can't copy 'COPYING': doesn't exist or not a regular file
% 

Testing the "downgrade" of DS hashing algorithms

RFC 4509 section 3 says "Validator implementations SHOULD ignore DS RRs containing SHA-1
digests if DS RRs with SHA-256 digests are present in the DS RRset." (to avoid downgrade attacks). I find no such rule for SHA-384 but it seems to me that the spirit of RFC 4509 would be to do the same (ignoring weak hashing algorithms when a DS with a stronger one is present). Resolver Unbound rejects such weak DS when its "harden-algo-downgrade" option is set to yes. (In some versions, Unbound also rejects them even without this option.)

Today, DNSviz does not report this issue, not even as a warning. See http://dnsviz.net/d/ada.eu.org/WcTxzg/dnssec/
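To make the mechanics behind three of the reports above concrete (the key "id" asked about in "Find the ID", the DS-versus-DNSKEY match asked for in "support DS", and the RFC 4509 section 3 rule from this report), here is an added Python example that is not DNSViz's own code. It computes the RFC 4034 key tag (which DNSViz displays as the key id), derives a DS digest from a DNSKEY, checks a supplied DS against the key, and splits a DS RRset into usable and ignored records using the reporter's generalization of the rule (keep only the strongest digest type present); the sample key is constructed bytes, not a real key.

```python
import base64
import hashlib

# Added example, not DNSViz's own code.
# DS digest types handled: 1 SHA-1, 2 SHA-256 (RFC 4509), 4 SHA-384 (RFC 6605).
# GOST (type 3) is left out, as the page itself notes it needs an engine.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
# Strength order used for the downgrade rule; RFC 4509 only states the
# SHA-1 vs SHA-256 case, the SHA-384 step is the generalization proposed above.
DIGEST_RANK = {1: 1, 2: 2, 4: 3}

# Constructed sample public key material (64 bytes 0x00..0x3f), not a real key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")


def name_to_wire(name):
    """Canonical wire form of an owner name (lowercased labels, RFC 4034 6.2)."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Wire RDATA of a DNSKEY from its presentation-format fields."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(public_key_b64))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for algorithms other than 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 5.1.4."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches(owner, rdata, ds):
    """True if DS tuple (key_tag, algorithm, digest_type, digest_hex) identifies
    this DNSKEY: tag, algorithm byte and digest must all agree."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS or alg != rdata[3] or tag != key_tag(rdata):
        return False
    return ds_digest(owner, rdata, dtype) == digest.upper()


def apply_downgrade_rule(ds_rrset):
    """Split a DS RRset into (usable, ignored): only records of the strongest
    digest type present are usable; weaker ones are ignored so that an attacker
    cannot steer validation onto a weaker digest. Unknown digest types are set
    aside in `ignored` rather than evaluated."""
    known = [ds for ds in ds_rrset if ds[2] in DIGEST_RANK]
    if not known:
        return [], list(ds_rrset)
    best = max(DIGEST_RANK[ds[2]] for ds in known)
    usable = [ds for ds in known if DIGEST_RANK[ds[2]] == best]
    ignored = [ds for ds in ds_rrset if ds not in usable]
    return usable, ignored
```

A tool reporting on the reporter's case would emit a warning for every entry of `ignored` whose digest type is known but weaker than the strongest one present.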
