MAGPRO DNS.

USING «DRILL» FOR TESTING RESOLVERS AND DNS-SERVERS SUPPORTING DNSSEC

drill is a tool for querying Domain Name System (DNS) name servers for any desired DNS records.

drill is part of the LDNS project by NLnet Labs. It is the counterpart of the dig program from ISC's BIND DNS server project.

Invoke drill by its full path, or add its location to the PATH environment variable.

$ drill -D @xx.xx.xx.xx www.m-system.net

xx.xx.xx.xx is the IP address of your resolver, which is meant to support GOST.

After this command runs, the answer should contain the 'ad' (authenticated data) flag.

If the 'ad' flag is absent when you request an existing address from a domain in the trust chain, or from a domain whose key has been added to the trusted keys, something is wrong.

A 'SERVFAIL' answer usually means that the signature is absent or wrong.

$ drill -D -o cd @xx.xx.xx.xx www.m-system.net

xx.xx.xx.xx is the IP address of your resolver, which should support GOST.
This command displays the data anyway (despite a wrong signature or other errors).
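
The two-step check described above, as an added example (not code from the original page or from the LDNS project): it classifies a drill response by its rcode and its ad/cd flags, then compares the plain query with the "-o cd" query. The function names and the sample headers are constructed for illustration; the samples assume drill's usual header layout.

```shell
#!/bin/sh
# Added example. Reads drill output on stdin, prints one verdict word.
classify_drill_output() {
    awk '
        /^;; ->>HEADER<<-/ {            # header line carries the rcode
            for (i = 1; i < NF; i++)
                if ($i == "rcode:") { rcode = $(i + 1); sub(/,$/, "", rcode) }
        }
        /^;; flags:/ {                  # flags sit between "flags:" and ";"
            seen = 1
            for (i = 3; i <= NF && $i != ";"; i++) {
                if ($i == "ad") ad = 1
                if ($i == "cd") cd = 1
            }
        }
        END {
            if (!seen || rcode == "")     print "no-response"
            else if (rcode == "SERVFAIL") print "servfail"
            else if (ad)                  print "validated"
            else if (cd)                  print "checking-disabled"
            else                          print "not-validated"
        }'
}

# Combine the verdicts of the plain query ($1) and the "-o cd" query ($2).
diagnose() {
    case "$1:$2" in
        validated:*)                echo "OK: answer validated (ad set)" ;;
        servfail:checking-disabled) echo "BOGUS: data exists but fails validation" ;;
        servfail:*)                 echo "FAIL: no data even with CD set" ;;
        not-validated:*)            echo "INSECURE: answer without the ad flag" ;;
        *)                          echo "UNKNOWN: $1 / $2" ;;
    esac
}

# Live use (hypothetical wrapper): check_resolver RESOLVER_IP NAME
check_resolver() {
    plain=$(drill -D "@$1" "$2" | classify_drill_output)
    nocheck=$(drill -D -o cd "@$1" "$2" | classify_drill_output)
    diagnose "$plain" "$nocheck"
}

# Constructed sample headers in drill's output layout (not captured output).
sample_ok()   { printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4711' ';; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0'; }
sample_fail() { printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 4712' ';; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'; }
sample_cd()   { printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4713' ';; flags: qr rd cd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0'; }
```

A SERVFAIL on the plain query combined with data on the "-o cd" query points at validation (a missing or wrong signature) rather than at reachability of the zone.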


Hints to test DNSSEC

A query to any recursor for valid data returns the RRset in the response
A query to any recursor for unsigned data returns the RRset in the response
A query to a validating recursor for modified or invalid data returns SERVFAIL
Applications (and users) will see this as domains that «vanish»
A header bit (CD) allows invalid data to be passed anyway


Copyright © ООО "Криптоком". 2001-2024. All Rights Reserved.