Some Additional Links

Delegation Checkers

We talked about a few delegation and zone checking tools. Here is a list of those.
  • The RIPE Delegation Checker: advertised as a checker for reverse zones, but it works for all zones.
  • DNSViz: DNSViz is a tool for visualizing the status of a DNS zone. It was designed as a resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC). It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.


  • Comcast's report on NASA's signing failure: On January 18, 2012, the NASA.GOV domain had a DNS Security Extensions (DNSSEC) signing error that blocked access to all NASA.GOV sites when using DNS recursive resolvers performing DNSSEC validation. As one of the largest ISPs in the world utilizing DNSSEC validation, users of Comcast noticed a problem when attempting to connect to the website. This caused some people to incorrectly interpret this as Comcast purposely blocking access to NASA.GOV and to recommend that users switch from Comcast security-aware DNS resolvers to resolvers not performing DNSSEC validation. Ironically, the NASA Watch website suggested it was curious why Comcast chose to block NASA.GOV websites during the SOPA and PIPA protest day. The DNS resolution issue with NASA.GOV was not a form of blocking or censoring of the domain. Instead, the administrators of the NASA.GOV domain had enabled DNSSEC signing for their domain, and the security signatures in their domain were no longer valid. The Comcast DNS resolvers correctly identified the DNSSEC signature errors and responded with a failure to Comcast customers. This is the expected result when a domain can no longer be validated, and this protects users from a potential security threat.
