\usepackage[english]{babel}
\usepackage[latin1]{inputenc}
\usepackage[T1]{fontenc}
\usepackage{bortzmeyer-utils}
\title{Zonecheck, testing a DNS zone}
\author{St\'ephane Bortzmeyer\\AFNIC ("\texttt{.fr}" registry)\\\texttt{bortzmeyer@nic.fr}}
\date{16 November 2006}
%\setlength{\parskip}{1ex plus 0.5ex minus 0.2ex}
% \setlength{\parskip}{15pt}
\setlength{\parskip}{15pt plus 10pt minus 10pt}
\begin{frame}[fragile]
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License \url{http://www.gnu.org/licenses/licenses.html#FDL}, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
\frametitle{Why test a DNS zone?}
\item<2->To make sure it works,
\item<3->To make sure it works fast (no timeouts or retransmissions).
\begin{block}<4>{Just because ``it works'' does not mean that everything is
perfect.}{See Ilya Sukhar's slides about the consequences of bad
delegation.}\end{block}
\frametitle{The requirements}
We started designing the new Zonecheck (version 2) in 2002; a program by
the same name, but completely different, existed before.
The requirements for the new version were:
\item<2->Command-line (so it can be run everywhere) and Web tool,
\item<3->Free software,
\item<4->General tool, not a small ad-hoc hack,
\item<5->Separated policy and engine (more on that later).
\frametitle{The result}
\item<2->Developed by St\'ephane d'Alu,
\item<3->Written in Ruby,
\item<4->Available under the GPL free licence, a very important point,
since it allows people to run it at their site and to do the same
tests as AFNIC does (administrators of zones under
``.fr'' are encouraged to run ZC before submitting their
request for creation/modification),
\item<5->Hosted at the hosting service Savannah,
\item<6->Completely IPv4 and IPv6,
\item<7->Used in daily production at AFNIC since.
\frametitle{Engine, not policy}
\begin{block}{Zonecheck is an engine, not a policy}{This is
probably the main feature of Zonecheck: unlike all the other
similar tools, the policy is not hardwired in the
\only<2->{The code defines all the tests you \emph{can} run, the
configuration file defines the subset of the tests that you \emph{do} run and their
result (fatal error or just a warning).}
\begin{frame}[fragile]
\frametitle{Example of configuration}
<check name="icmp" severity="w" category="connectivity:l3"/>
<check name="udp" severity="f" category="connectivity:l4"/>
<check name="tcp" severity="f" category="connectivity:l4"/>
\only<2->{A program can translate this configuration file to HTML, for
the information of the users.}
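The engine/policy split from the two frames above, as an added Ruby example (not Zonecheck's own code): the engine holds every test it can run, and the three \texttt{check} lines from the slide select which ones do run and with what severity. All constant and method names, the extra \texttt{soa} test, the constructed name server observations and the choice to reject unknown policy entries are assumptions of this example.

```ruby
# Added example, not Zonecheck's code: every name below is hypothetical.
# Policy: the three <check/> lines from the slide (flat self-closing form only).
POLICY = <<~XML
  <check name="icmp" severity="w" category="connectivity:l3"/>
  <check name="udp" severity="f" category="connectivity:l4"/>
  <check name="tcp" severity="f" category="connectivity:l4"/>
XML

SEVERITIES = { "w" => :warning, "f" => :fatal }.freeze

# Engine: every test that *can* run; probes read constructed observations.
TESTS = {
  "icmp" => ->(obs) { obs[:icmp] },
  "udp"  => ->(obs) { obs[:udp] },
  "tcp"  => ->(obs) { obs[:tcp] },
  "soa"  => ->(obs) { obs[:soa] } # implemented, but not selected by POLICY
}.freeze

# Read the policy. An unknown test name or severity raises, so a typo in the
# policy file cannot silently drop a check (a choice made for this example).
def load_policy(xml)
  xml.scan(%r{<check\s+([^>]*?)/>}).map do |(attrs)|
    a = attrs.scan(/(\w+)="([^"]*)"/).to_h
    raise ArgumentError, "unknown test #{a['name'].inspect}" unless TESTS.key?(a["name"])
    severity = SEVERITIES.fetch(a["severity"]) { raise ArgumentError, "bad severity for #{a['name']}" }
    { name: a["name"], severity: severity, category: a["category"] }
  end
end

# Run only the selected checks on every name server. A single failed check
# with fatal severity refuses the delegation; warnings are only reported.
def evaluate(policy, nameservers)
  findings = nameservers.flat_map do |host, obs|
    policy.reject { |c| TESTS[c[:name]].call(obs) }
          .map { |c| { ns: host, check: c[:name], severity: c[:severity] } }
  end
  { accepted: findings.none? { |f| f[:severity] == :fatal }, findings: findings }
end

NAMESERVERS = { # constructed observations, not real measurements
  "ns1.example." => { icmp: false, udp: true, tcp: true, soa: true },
  "ns2.example." => { icmp: true, udp: true, tcp: false, soa: false }
}.freeze

if __FILE__ == $PROGRAM_NAME
  report = evaluate(load_policy(POLICY), NAMESERVERS)
  report[:findings].each { |f| puts format("%-8s %-5s %s", f[:severity], f[:check], f[:ns]) }
  puts report[:accepted] ? "delegation accepted" : "delegation refused"
end
```

Changing a severity from \texttt{f} to \texttt{w} in the policy text changes the verdict without touching the engine code.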
\frametitle{Using it to check delegations from a registry}
AFNIC uses Zonecheck \emph{prior} to every delegation. One fatal error
and the domain is not created. (Every name server change triggers a
\only<2-3>{The policy is quite strict. A few examples:
\item TCP connectivity is mandatory,
\item If the server is recursive, a lot of tests occur (such as
whether the loopback address is delegated in in-addr.arpa).
\only<3->{As a side effect, this creates a
large number of support tickets (that may be used to measure the
current skill level of some registrars :-) and (without smiley) the
current level of competence of many DNS administrators}
\only<4->{But it makes for a much better zone and greatly reduces the
post-registration complaints of the type ``My site does not work''.}
\frametitle{Lessons for IANA checks}
Context: IANA asks for comments about delegation checks
(\url{http://www.icann.org/announcements/announcement-18aug06.htm}).
[Generally speaking, the quality of DNS delegation is a very common
\only<2->{Many registries (CENTR, ccNSO) asked that such tests be clearly
described, and executed in a predictable way. An automatic tool,
such as Zonecheck, fulfills these requirements.}
\only<3->{Remember that using Zonecheck does not mean using AFNIC policy.}
\frametitle{Future tests?}
\item DNSSEC tests (see Eric Osterweil's slides)
\item ``OR'' tests: ``at least M among N nameservers'', ``TCP or
\frametitle{Other users}
\begin{block}<2->{Tomorrow, you?}{\url{http://www.zonecheck.fr/}}\end{block}