DNSviz
DNSViz is a tool for visualizing the status of a DNS zone. It was designed as a resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC). It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.
Miscellaneous
Comcast's report on NASA's signing failure
On January 18, 2012, the NASA.GOV domain had a DNS Security Extensions
(DNSSEC) signing error that blocked access to all NASA.GOV sites when
using DNS recursive resolvers performing DNSSEC validation. As one of
the largest ISPs in the world utilizing DNSSEC validation, users of
Comcast noticed a problem when attempting to connect to the
website. This caused some people to incorrectly interpret this as
Comcast purposely blocking access to NASA.GOV and recommending users
switch from Comcast security-aware DNS resolvers to resolvers not
performing DNSSEC validation. Ironically, the NASA Watch website
suggested it was curious why Comcast chose to block NASA.GOV websites
during the SOPA and PIPA protest day. The DNS resolution issue with
NASA.GOV was not a form of blocking or censoring of the
domain. Instead, the administrators of the NASA.GOV domain had enabled
DNSSEC signing for their domain, and the security signatures in their
domain were no longer valid. The Comcast DNS resolvers correctly
identified the DNSSEC signature errors and responded with a failure to
Comcast customers. This is the expected result when a domain can no
longer be validated, and this protects users from a potential security threat.
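
One way to tell the validation failure described above apart from blocking, as an added example that is not taken from the Comcast report: compare a resolver's response to a normal query with its response to the same query sent with the Checking Disabled (CD) bit set. The header bytes below are constructed samples, and the verdict labels are names made up for this sketch.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035; AD/CD bits per RFC 4035)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = response
        "ad": bool(flags & 0x0020),   # Authenticated Data: resolver validated the answer
        "cd": bool(flags & 0x0010),   # Checking Disabled: copied from the query
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }

def diagnose(normal: bytes, checking_disabled: bytes) -> str:
    """Classify a lookup from two responses by the same resolver for the same name."""
    n, c = parse_header(normal), parse_header(checking_disabled)
    if not (n["qr"] and c["qr"]):
        raise ValueError("both messages must be responses")
    if n["cd"] or not c["cd"]:
        raise ValueError("expected CD clear in the first response and set in the second")
    # Fails only while the resolver validates: the zone's DNSSEC data is broken.
    if n["rcode"] == "SERVFAIL" and c["rcode"] == "NOERROR" and c["answers"] > 0:
        return "dnssec-validation-failure"
    if n["rcode"] == "NOERROR":
        # AD clear means an unsigned zone or a resolver that does not validate.
        return "validated" if n["ad"] else "resolved-without-ad"
    if n["rcode"] == c["rcode"]:
        # Same failure with validation off: not explained by DNSSEC at this resolver.
        return "same-failure-without-validation"
    return "inconclusive"

def _hdr(flags: int, answers: int) -> bytes:
    # Constructed sample header: id 0x1a2b, one question, no authority/additional.
    return struct.pack("!6H", 0x1A2B, flags, 1, answers, 0, 0)

SERVFAIL_NORMAL = _hdr(0x8182, 0)  # QR RD RA, rcode=SERVFAIL
NOERROR_CD      = _hdr(0x8190, 1)  # QR RD RA CD, rcode=NOERROR, one answer
SERVFAIL_CD     = _hdr(0x8192, 0)  # QR RD RA CD, rcode=SERVFAIL
VALIDATED       = _hdr(0x81A0, 1)  # QR RD RA AD, rcode=NOERROR, one answer

if __name__ == "__main__":
    print(diagnose(SERVFAIL_NORMAL, NOERROR_CD))
```

With live traffic, the two inputs correspond to the replies from `dig` and `dig +cd` against the same validating resolver.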