[Dnscheck-dev] DNSCheck v1.6.0

Calle Dybedahl calle at init.se
Fri Jan 17 09:17:32 UTC 2014

DNSCheck version 1.6.0 is now available from Github (https://github.com/dotse/dnscheck/tree/1.6.0).

In brief, the new things are:

* Recognizes all DNSKEY algorithms currently registered by IANA.

* Logger can be configured to run a callback in user code when a new message is logged.

* Detects zones using DNSCurve encryption.

* Glue tests much improved.

* Hostname check now detects use of reserved domain names according to RFC 6761.

* The default configuration now uses an ASN lookup service hosted by .SE rather than the one hosted by Team Cymru (the ASN data still comes from Team Cymru, .SE just provides the lookup service).

* ASN check now logs a message if it sees a reserved AS number in use.

On top of this, there are of course numerous bugfixes. There are no known bugs in this release, but there are three types of errors that have been seen in the wild that this DNSCheck version will not detect:

1) A nameserver giving different answers depending on the case of the name being queried for.

2) A nameserver sending response packets containing no RRs (except the echoed query).

3) An otherwise working nameserver not sending any responses at all to queries for DNSKEY or RRSIG if the query did not have the DO flag set.

Each of these has been reported exactly once and subsequently fixed, so the problem can no longer be observed. At the moment, it is unlikely that checks for these problems will ever be added to this incarnation of DNSCheck.

In other news, a project to re-write DNSCheck from the ground up with better architecture and clear test specifications is under way. It’s a cooperation between .SE and AFNIC, and the current plan is to reach feature parity with DNSCheck by October this year (2014). We hope to make the new code available for test and comment very soon.

Calle Dybedahl
calle at init.se -*- +46 703 - 970 612
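
An added example, not part of the original message and not DNSCheck code: one way a separate script could flag the three undetected nameserver behaviours listed above from raw wire-format replies. All function names are hypothetical; treating case 2 as a NOERROR reply with only the question section, and modelling a timeout as `None`, are assumptions; `build` produces constructed sample replies.

```python
import struct

def skip_name(msg, pos):
    """Advance past a possibly compressed domain name; return the new offset."""
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return pos + 2
        pos += n + 1
        if n == 0:                  # root label ends the name
            return pos

def parse(msg):
    """Return (rcode, (qd, an, ns, ar), sorted answer RDATA) for a wire-format reply."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4            # skip QTYPE and QCLASS
    rdata = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        _t, _c, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata.append(msg[pos + 10:pos + 10 + rdlen])
        pos += 10 + rdlen
    return flags & 0xF, (qd, an, ns, ar), sorted(rdata)  # sorted: ignore RR order

def case_sensitive(reply_a, reply_b):
    """Case 1: replies to names differing only in case differ in rcode, counts or RDATA."""
    return parse(reply_a) != parse(reply_b)

def empty_noerror(msg):
    """Case 2 (assumed NOERROR): reply carries nothing but the echoed question."""
    rcode, counts, _ = parse(msg)
    return rcode == 0 and counts == (1, 0, 0, 0)

def silent_without_do(reply_no_do, reply_with_do):
    """Case 3: DNSKEY/RRSIG query timed out (None) without DO but was answered with DO."""
    return reply_no_do is None and reply_with_do is not None

def build(qname, qtype, rcode=0, answers=()):
    """Constructed sample reply (not captured traffic): header, question, answer RRs."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    msg = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, len(answers), 0, 0)
    msg += name + struct.pack("!HH", qtype, 1)
    for rd in answers:              # 0xC00C points back at the question name
        msg += struct.pack("!HHHIH", 0xC00C, qtype, 1, 300, len(rd)) + rd
    return msg
```

TTLs are deliberately not compared, since they legitimately vary between replies from caches or load-balanced servers.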
