DNS Test Names & Resource Records

I am testing a lot with my own DNS servers as well as with third-party DNS implementations such as DNS proxies on firewalls, DNSSEC validation on resolvers, etc. While there are a number of free DNS online tools around the Internet, I was lacking some DNS test names with certain properties or resource records. Hence I configured a couple of them on my own authoritative DNS servers in their zone weberdns.de.

For example, we encountered a bug in the Palo Alto DNS proxy that did not store the TTL value correctly, hence some test names with different TTL values. Or we had problems when a single DNS name has more than 15 IPv4/IPv6 addresses, hence some test names with lots of addresses. And many more:

This blogpost is part of a series about DNSSEC. Refer to this list for all articles.

Prenotes

  • All names are within the weberdns.de zone. That is, always consider this domain as a suffix for all test names.
  • My zone is DNSSEC signed with NSEC records, so it can be enumerated: if you are interested in all of my names simply walk the zone by yourself. ;)
  • Almost every test name has an AAAA as well as an A record. These are almost always from the “Address Prefix/Blocks Reserved for Documentation”, i.e., 2001:db8::/32 from RFC 3849 for IPv6 and 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 from RFC 5737 for legacy IP.
  • Note that all names and entries are fully correct according to the RFCs. There aren’t any false names or resource records such as wrong IP addresses, too-long TTLs, incorrect DNSSEC signatures, etc.
  • This blogpost does NOT cover every possible DNS test case, nor does it use every available RR type. If you have any suggestions for more entries please write a comment below!
  • Refer to the Domain Name System (DNS) Parameters from IANA or to this list of DNS record types on Wikipedia for any details about DNS resource records, etc.

Ok, let’s go:

TTL (Time to Live)

TTL values range from 0 to 2147483647 seconds (2^31 - 1, RFC 2181, section 8). My test entries:

  • ttl-0s.weberdns.de with a TTL of 0 seconds
  • ttl-1s.weberdns.de with a TTL of 1 second
  • ttl-1m.weberdns.de with a TTL of 1 minute
  • ttl-30d.weberdns.de with a TTL of 30 days
  • ttl-52w.weberdns.de with a TTL of 52 weeks
  • ttl-max.weberdns.de with a TTL of 2147483647 seconds, which is about 68 years (!)

When testing several DNS resolvers such as Google Public DNS, OpenDNS and some of my own servers with dnseval (from the dnsdiag suite) you can see the differences in TTL handling. Some have a hard upper limit at 86400 while OpenDNS answers with 0. Only my own Unbound resolver answered with the full 2147483647. Note that the TTL is an upper bound on caching time, so a cache that clamps it to a local maximum is still within RFC 2181; answering 0 for a long-lived record is the odd one. (You have to scroll rightward to see the TTL column.)

Note that these TTL test names may some day cause DNSSEC trouble in caches: a record with a 68-year TTL can stay cached long after its RRSIG has expired, and my KSK/ZSK key rollovers happen more often than every 68 years. ;) Some tools such as DNSViz point to this possible problem:
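As an added example that is not part of the original post, the following Python module turns the zone-file TTLs of the test names above into seconds, applies the RFC 2181 section 8 rule a receiver must follow for the 32-bit TTL field, and checks the condition DNSViz warns about for ttl-max, namely a TTL that outlives the RRSIG. The RRSIG timestamps are constructed, and the 86400-second cap only mirrors what some of the public resolvers returned; it is not a recommendation.

```python
"""TTL handling per RFC 2181 section 8 (added example, not from the original post)."""
import re
from datetime import datetime, timezone
from typing import Optional

TTL_MAX = 2**31 - 1  # largest valid TTL (RFC 2181, section 8)

# Time-unit suffixes accepted in zone files (RFC 2308, section 11).
_UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

# The post's TTL test names (all under weberdns.de) with the TTLs the post
# gives them, written the way a zone-file maintainer would type them.
TEST_NAMES = {
    "ttl-0s": "0", "ttl-1s": "1s", "ttl-1m": "1m",
    "ttl-30d": "30d", "ttl-52w": "52w", "ttl-max": "2147483647",
}


def parse_zone_ttl(text: str) -> int:
    """Convert a zone-file TTL ('0', '1m', '30d', '52w', '1h30m', '2147483647')
    to seconds. Raises ValueError on bad syntax or a value above TTL_MAX,
    which an authoritative zone must never carry."""
    s = text.strip().lower()
    if not re.fullmatch(r"(\d+[wdhms]?)+", s):
        raise ValueError(f"not a TTL: {text!r}")
    total = sum(int(n) * _UNITS[u or "s"] for n, u in re.findall(r"(\d+)([wdhms]?)", s))
    if total > TTL_MAX:
        raise ValueError(f"TTL {total} exceeds 2^31-1 (RFC 2181 section 8)")
    return total


def effective_ttl(wire_ttl: int, cache_max: Optional[int] = None) -> int:
    """What a resolver may keep for the 32-bit TTL field received on the wire.

    RFC 2181 section 8: a value with the most significant bit set is treated
    as zero. The TTL is an upper bound, so clamping to a local maximum (like
    the 86400 some public resolvers return for ttl-max) is legal; raising a
    TTL is not, and is deliberately not done here.
    """
    if not 0 <= wire_ttl <= 0xFFFFFFFF:
        raise ValueError("the TTL is a 32-bit field")
    ttl = 0 if wire_ttl & 0x80000000 else wire_ttl
    return ttl if cache_max is None else min(ttl, cache_max)


def ttl_outlives_rrsig(ttl: int, rrsig_expiration: str, now: str) -> bool:
    """True if a copy cached at `now` could still be served after its RRSIG
    has expired. Both timestamps use the RRSIG presentation format
    YYYYMMDDHHmmSS (UTC) as printed by dig. This is the situation DNSViz
    flags for ttl-max."""
    fmt = "%Y%m%d%H%M%S"
    expires = datetime.strptime(rrsig_expiration, fmt).replace(tzinfo=timezone.utc)
    cached = datetime.strptime(now, fmt).replace(tzinfo=timezone.utc)
    return ttl > (expires - cached).total_seconds()


if __name__ == "__main__":
    for name, text in TEST_NAMES.items():
        secs = parse_zone_ttl(text)
        print(f"{name}.weberdns.de  TTL {secs:>10d}s  capped at 86400 -> {effective_ttl(secs, 86400)}")
    # Constructed timestamps: the signature expires 30 days after the lookup.
    print("ttl-max outlives its RRSIG:", ttl_outlives_rrsig(TTL_MAX, "20240131000000", "20240101000000"))
```

Running it prints the six test names with their TTLs before and after the illustrative cap. Note the asymmetry the two functions encode: a value such as 2147483648 is rejected when loading a zone, while the same bit pattern received on the wire is simply treated as 0.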

CNAME Loops/Array

Three CNAME test cases: a direct loop between two names (loop -> pool -> loop), a loop over three records (cnamex -> y -> z -> back to cnamex), and an “array”, i.e. a chain of 5 consecutive CNAMEs:

Using the standard Linux tool “host” this can look like:

As always, you can use DNSViz to get an idea of it:
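As an added example (not from the post), here is a small resolver-side CNAME follower in Python, run over a constructed in-memory copy of these test names. The two-record loop uses the post's names loop and pool; the three-record loop is assumed to be cnamex -> cnamey -> cnamez -> cnamex, the five-step chain is assumed to be array1..array5 ending at aaaa.weberdns.de, and the hop limit of 8 is an assumed local policy (real resolvers cap chain length too, each with its own limit).

```python
"""Following CNAME chains with loop and length detection (added example, not from the post)."""
from typing import Dict, List, Tuple

# Constructed stand-in for the CNAME test names. 'loop' and 'pool' are the
# post's two-record loop; 'cnamex -> y -> z' is expanded to cnamex/cnamey/cnamez
# and the five-step chain uses array1..array5. Those names are ASSUMED here;
# the chain ends at the post's aaaa.weberdns.de.
ZONE: Dict[str, str] = {
    "loop.weberdns.de.": "pool.weberdns.de.",
    "pool.weberdns.de.": "loop.weberdns.de.",
    "cnamex.weberdns.de.": "cnamey.weberdns.de.",
    "cnamey.weberdns.de.": "cnamez.weberdns.de.",
    "cnamez.weberdns.de.": "cnamex.weberdns.de.",
    "array1.weberdns.de.": "array2.weberdns.de.",
    "array2.weberdns.de.": "array3.weberdns.de.",
    "array3.weberdns.de.": "array4.weberdns.de.",
    "array4.weberdns.de.": "array5.weberdns.de.",
    "array5.weberdns.de.": "aaaa.weberdns.de.",
}

MAX_HOPS = 8  # assumed local policy; every real resolver has its own cap


def canonical(name: str) -> str:
    """Lowercase, fully qualified form used as the lookup key."""
    return name.lower().rstrip(".") + "."


def resolve_cname(name: str, zone: Dict[str, str],
                  max_hops: int = MAX_HOPS) -> Tuple[str, List[str], str]:
    """Follow CNAMEs starting at `name`.

    Returns (status, chain, final). status is 'ok' when a non-CNAME name was
    reached, 'loop' when a name repeats, and 'too-long' when more than
    max_hops CNAMEs would have to be followed. `zone` maps owner -> target for
    every name that has a CNAME; a name missing from it ends the chain (it
    would be answered with its own A/AAAA data).
    """
    chain = [canonical(name)]
    seen = {chain[0]}
    hops = 0
    while chain[-1] in zone:
        if hops >= max_hops:
            return "too-long", chain, chain[-1]
        nxt = canonical(zone[chain[-1]])
        chain.append(nxt)
        hops += 1
        if nxt in seen:
            return "loop", chain, nxt
        seen.add(nxt)
    return "ok", chain, chain[-1]


if __name__ == "__main__":
    for start in ("loop.weberdns.de", "cnamex.weberdns.de",
                  "array1.weberdns.de", "aaaa.weberdns.de"):
        status, chain, final = resolve_cname(start, ZONE)
        print(f"{status:9s} {' -> '.join(chain)}")
    # The same five-step chain fails once the hop limit is stricter than its length.
    print(resolve_cname("array1.weberdns.de", ZONE, max_hops=3)[0])
```

The `seen` set is what turns an endless loop into an immediate error; the hop counter is the second, independent safety net that also stops legitimate but overly long chains, which is what a resolver with a fixed chain limit does to the five-element array.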

Many IP Addresses per Name

I ran into a bug/feature of the Palo Alto FQDN objects, for which I tested these names. It should be pretty clear how many addresses reside behind those names:

In the same way, here is a single name that has 10 different RR types with 35 RRs in total (2x AAAA, 2x A, 2x TXT, RP, LOC, 8x SSHFP, APL, 8x CAA, NSEC, 9x RRSIG):

Querying this with QTYPE “ANY” looks like this (note that since RFC 8482 a server may answer ANY with a minimal response, so not every resolver will show the full set):

Long Names and Subdomains

A single label can be at most 63 octets long (RFC 1035, section 2.3.4):

While the whole name can be at most 255 octets in wire format, which is 253 characters in the usual dotted notation without the trailing dot, split into labels of at most 63 characters each (good explanation here: “If you sit down and do the math, you’ll see that the readable maximum length of an ASCII DNS name is 253 characters.”):

If you only want to test a few subdomains (without these long labels):


Umlauts

“Ö” by annchristin is licensed under CC BY-SA 2.0.

In Germany we do not have only 26 characters but 30. ;) Following are a few internationalized domain names (IDN) from a couple of European character sets. There are many IDN web converter tools out there to generate them. A test case for many DNS-related servers is the correct transformation of these names into their ASCII-compatible “xn--” (Punycode) form. (Almost all of the following names have a TXT record that gives a short description of their meaning. Just for fun.)

Note that not all DNS lookup tools perform the IDN-to-ASCII conversion themselves. For example, nslookup won’t:

While it works if you query the already converted xn-- name directly:
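As an added example (not from the post), here is Python code that does the two checks this section and the previous one call for: converting an IDN to its xn-- form with the standard-library idna codec, and validating label and name lengths against RFC 1035. The sample names are constructed, since the post does not list its umlaut names, and the code also shows a caveat a test name with ß would expose: Python's built-in codec implements IDNA2003, which maps ß to ss, while IDNA2008 keeps it as its own xn-- label.

```python
"""Label/name length limits (RFC 1035) and IDN conversion (added example, not from the post)."""
from typing import Dict, List

MAX_LABEL = 63        # octets per label, RFC 1035 section 2.3.4
MAX_NAME_TEXT = 253   # dotted text without trailing dot; 255 octets on the wire


def to_alabel(name: str) -> str:
    """Unicode (U-label) name -> ASCII 'xn--' (A-label) form.

    Uses the standard-library 'idna' codec, i.e. IDNA2003 with nameprep.
    Caveat for German names: nameprep maps 'ß' to 'ss', so straße becomes
    'strasse', whereas IDNA2008 (e.g. the third-party 'idna' package) keeps
    the ß and produces an xn-- label. Resolvers and proxies may disagree here.
    """
    return name.encode("idna").decode("ascii")


def check_name(name: str) -> Dict[str, object]:
    """Convert each label to ASCII and check the RFC 1035 limits.

    Returns {'ascii': str, 'wire_length': int, 'problems': [str]}; an empty
    problem list means the name is valid. Lengths are checked on the ASCII
    form because that is what goes on the wire.
    """
    labels: List[str] = name.rstrip(".").split(".")
    ascii_labels: List[str] = []
    problems: List[str] = []
    for label in labels:
        try:
            a = label.encode("idna").decode("ascii")
        except UnicodeError:
            a = label  # codec refused it (too long or not encodable); the checks below still apply
        if len(a) == 0:
            problems.append("empty label")
        elif len(a) > MAX_LABEL:
            problems.append(f"label {a[:8]}... is {len(a)} octets (max {MAX_LABEL})")
        ascii_labels.append(a)
    ascii_name = ".".join(ascii_labels)
    if len(ascii_name) > MAX_NAME_TEXT:
        problems.append(f"name is {len(ascii_name)} characters (max {MAX_NAME_TEXT})")
    wire_length = sum(len(a) + 1 for a in ascii_labels) + 1  # length byte per label + root
    return {"ascii": ascii_name, "wire_length": wire_length, "problems": problems}


if __name__ == "__main__":
    samples = [                                  # all constructed for this demo
        "ö.weberdns.de",
        "müller.weberdns.de",
        "straße.weberdns.de",                    # the IDNA2003 vs IDNA2008 trap
        "a" * 63 + ".weberdns.de",               # longest possible label
        "a" * 64 + ".weberdns.de",               # one octet too long
        ".".join(["a" * 63] * 3 + ["b" * 61]),  # exactly 253 characters
        ".".join(["a" * 63] * 4),                # 255 characters: too long
    ]
    for s in samples:
        r = check_name(s)
        print(f"{r['ascii'][:40]:40s} wire={r['wire_length']:3d} {r['problems'] or 'ok'}")
```

The 63-octet rule is applied after conversion because a U-label of a handful of umlauts can grow well beyond its visible length once Punycode-encoded; a tool that measures the Unicode string instead will accept labels the authoritative server cannot load.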


Other RRs

A few well-known and not-so-well-known RRs:

  • AAAA: aaaa.weberdns.de
  • A: a.weberdns.de
  • CNAME: cname.weberdns.de
  • TXT: txt.weberdns.de
  • SRV (Location of Services, RFC 2782): _sip._tcp.weberdns.de
  • APL (Lists of Address Prefixes, RFC 3123): ip-documentation.weberdns.de
  • RP (Responsible Person, RFC 1183): host-dane-self.weberdns.de
  • HINFO (host information, RFC 883, RFC 1700): host-dnssec.weberdns.de

The zone itself weberdns.de can be queried for the following records:

  • SOA
  • NS
  • MX
  • CAA (DNS Certification Authority Authorization, RFC 6844, since obsoleted by RFC 8659)
  • LOC (Location Information, RFC 1876)

Example with dig:


DNSSEC related RRs

The following DNSSEC related RRs can be queried through the zone as well:

  • DNSKEY at weberdns.de (shows at least one “257” KSK and one “256” ZSK)
  • DS for weberdns.de (this RR is NOT stored at my zone itself but on the parent zone)
  • RRSIG for any name, e.g. for a.weberdns.de, which shows the RRSIGs for its “A” and “NSEC” records
  • NSEC for any name, e.g. for a.weberdns.de, which points to the next name in canonical order, aaaa.weberdns.de

A demo run of these four queries is listed below:

Note that I don’t have any NSEC3 resource records in this zone since it’s signed with NSEC and not NSEC3. However, I have another zone called sshfp.net which uses NSEC3. Hence you can query the following RRs there:

  • NSEC3PARAM on sshfp.net
  • NSEC3 on any non-existent domain name such as foobar.sshfp.net. Note that the NSEC3 RR is normally not queried directly: its owner name is the hash of the original name, so it only shows up in the authority section when requesting non-existent names (unless you compute the hashed owner name from the NSEC3PARAM values yourself and query that).

Demo run:
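As an added example (not from the post), the following Python code shows why NSEC lets you walk a zone while NSEC3 does not hand out names: walk_nsec follows NSEC “next owner” pointers over a constructed chain (only the link from a.weberdns.de to aaaa.weberdns.de is stated above; the remaining names and type bitmaps are assumed), and nsec3_hash computes the hashed owner name per RFC 5155 section 5, checked against the parameters of the RFC 5155 Appendix A example zone. The latter is also how you could query an NSEC3 record directly once you know the zone's NSEC3PARAM values.

```python
"""NSEC zone walking and NSEC3 hashed owner names (added example, not from the post)."""
import base64
import hashlib
from typing import Dict, List, Tuple

# Constructed NSEC chain. Only the link a.weberdns.de -> aaaa.weberdns.de is
# stated in the post; the remaining names, their order and the type bitmaps
# are ASSUMED for the demonstration, not taken from the real zone.
NSEC_CHAIN: Dict[str, Tuple[str, str]] = {
    "weberdns.de.":       ("a.weberdns.de.",     "SOA NS MX CAA LOC DNSKEY RRSIG NSEC"),
    "a.weberdns.de.":     ("aaaa.weberdns.de.",  "A RRSIG NSEC"),
    "aaaa.weberdns.de.":  ("cname.weberdns.de.", "AAAA RRSIG NSEC"),
    "cname.weberdns.de.": ("txt.weberdns.de.",   "CNAME RRSIG NSEC"),
    "txt.weberdns.de.":   ("weberdns.de.",       "TXT RRSIG NSEC"),
}


def walk_nsec(apex: str, chain: Dict[str, Tuple[str, str]],
              limit: int = 100000) -> List[Tuple[str, str]]:
    """Enumerate a zone by following NSEC 'next owner' pointers from the apex
    until the chain wraps around. `chain[name]` stands in for the answer to a
    query for QTYPE NSEC at `name`; against a live zone each step is one lookup."""
    names: List[Tuple[str, str]] = []
    cur = apex
    while len(names) < limit:
        nxt, types = chain[cur]
        names.append((cur, types))
        cur = nxt
        if cur == apex:
            break
    return names


def _wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6): lowercase labels, each
    preceded by its length byte, terminated by the root label (0x00)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


# RFC 4648 Base32 alphabet -> Base32hex alphabet ("Extended Hex") used by NSEC3.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """NSEC3 hashed owner label (RFC 5155 section 5) in lowercase Base32hex:
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Only hash algorithm 1 (SHA-1) is defined. Pass '-' for an empty salt, as
    dig prints it."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    h = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode("ascii").translate(_B32HEX).lower()


if __name__ == "__main__":
    for owner, types in walk_nsec("weberdns.de.", NSEC_CHAIN):
        print(f"{owner:22s} {types}")
    # RFC 5155 Appendix A parameters: SHA-1, 12 iterations, salt aabbccdd. For
    # the real sshfp.net zone take the values from its NSEC3PARAM record instead.
    for qname in ("example", "foobar.sshfp.net"):
        print(qname, "->", nsec3_hash(qname, "aabbccdd", 12))
```

With the real NSEC3PARAM values of sshfp.net the printed hash for foobar.sshfp.net becomes the owner name you would query with QTYPE NSEC3; the zone walk, by contrast, works against the NSEC-signed weberdns.de without any such computation.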

“Schlüssel II” by Susanne Winter is licensed under CC BY-SA 2.0.

With a working DNSSEC environment you can use the following additional DNS RRs:

  • TLSA (DNS-Based Authentication of Named Entities, RFC 6698):
    _25._tcp.mail.weberdns.de
  • SSHFP (SSH Key Fingerprints, RFC 4255):
    ns1.weberdns.de
  • OPENPGPKEY (DANE for OpenPGP, RFC 7929): I have a 2048-bit OpenPGP key for the test mail address johannes@weberdns.de (which is NOT my actual mail address). Since the OPENPGPKEY owner name uses the first 28 octets (56 hex characters) of the SHA-256 hash of the local-part of the mail address, you can query the following name for its OPENPGPKEY resource record: 1d4b41c9db9172e5f151e4a5fe3c57ca3f98b8e6ba807450b10d1897._openpgpkey.weberdns.de. For a 4096-bit OpenPGP public key you can use the mail address ludwig@weberdns.de, which maps to the DNS name faae1b97e57e3e121216948b8dda2a429ea72d6dd81c164f227dc6a1._openpgpkey.weberdns.de

Demo:
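As an added example (not from the post), Python helpers that derive the owner names and rdata discussed in this section: the OPENPGPKEY owner name per RFC 7929, the TLSA owner name per RFC 6698, and SSHFP rdata per RFC 4255/6594 from an OpenSSH public key line. The Ed25519 key blob in the demo is constructed (an all-zero key, not a real one); the OPENPGPKEY output for johannes and ludwig can be compared with the two names listed above.

```python
"""Owner names and rdata for DANE-style records (added example, not from the post)."""
import base64
import hashlib
from typing import Tuple


def openpgpkey_owner(local_part: str, domain: str) -> str:
    """RFC 7929 section 3: hex of the first 28 octets of SHA-256 over the UTF-8
    local-part (56 hex characters), under _openpgpkey.<domain>. The local-part
    is hashed exactly as given; no case folding or other transformation is
    applied here, so 'Johannes' and 'johannes' yield different owner names."""
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.rstrip('.')}"


def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """RFC 6698 section 3: _<port>._<proto>.<host>, e.g. _25._tcp.mail.weberdns.de."""
    return f"_{port}._{proto}.{host.rstrip('.')}"


# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
_SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
_SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}  # fingerprint types (RFC 4255, RFC 6594)


def sshfp_rdata(authorized_key_line: str, fp_type: int = 2) -> Tuple[int, int, str]:
    """Build (algorithm, fp-type, fingerprint-hex) for an SSHFP record from a
    public key line as found in ~/.ssh/*.pub. The fingerprint is the hash of
    the base64-decoded key blob, which is what 'ssh-keygen -r' produces."""
    key_type, b64 = authorized_key_line.split()[:2]
    blob = base64.b64decode(b64)
    return _SSHFP_ALG[key_type], fp_type, _SSHFP_HASH[fp_type](blob).hexdigest()


def constructed_ed25519_line() -> str:
    """A syntactically valid OpenSSH public key line carrying an all-zero
    Ed25519 key in SSH wire encoding. Constructed for the demo; NOT a real key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " test@weberdns.de"


if __name__ == "__main__":
    # Compare these two against the names the post lists for johannes@ and ludwig@.
    for user in ("johannes", "ludwig"):
        print(openpgpkey_owner(user, "weberdns.de"))
    print(tlsa_owner("mail.weberdns.de", 25))
    print(sshfp_rdata(constructed_ed25519_line(), 2))
```

The same pattern, hashing the key material and publishing only the digest, is what makes these records small enough for DNS while the validating client still has to fetch the full key or certificate over its own protocol.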

FIN.

Am I missing something? Please write a comment below!

Links

Featured image: “Umlauts” by Nina Stössinger is licensed under CC BY-SA 2.0.

One thought on “DNS Test Names & Resource Records”

  1. Thanks for hosting this :)

    The other reason for my comment is a problem I witnessed with umlauts in computer names. In my homelab I use a PAN FW with DHCP server enabled.

    One day, I had a DHCP client which had umlauts in its computer name. (Don’t ask!)
    At that time I couldn’t display the DHCP leases on this subnet in the GUI.
    Over the CLI I saw special characters in my leases. :D
