RPKI Origin Validation Visibility for Check My DNS
ARIN Community Grant Program Recipient Report
Check My DNS is a custom-developed Domain Name System (DNS) nameserver that supports a general-purpose framework for testing DNS resolvers. Check My DNS is a product of the DNS Operations, Analysis, and Research Center (DNS-OARC), a non-profit membership organization supported by over 100 different major players in the DNS operations community, which has been delivering data gathering, analysis, and software tool development for over fifteen years. With the funding awarded by the ARIN Community Grant Program in October 2020, Check My DNS has been given some much-needed updates, including RPKI Origin Validation checking, which allows Internet end-users to verify whether the DNS resolver they are using is in IP address space which is RPKI validated.
Overview
Check My DNS analyzes how you use DNS as a client by testing your configured resolvers using your browser and specially crafted domain names, giving results as a graphical summary. It does this by creating dynamically delegated subdomains to enable clients to query for never-before-seen resource records. With these crafted subdomains and the ability to send “wrong” DNS answers, it is possible to analyze the functionality and hopefully tell which RFCs the client’s DNS resolver infrastructure supports. Using an API backend and JavaScript in the client’s browser, Check My DNS can analyze every step of the DNS transaction and provide a full packet trace. While many of the checks are simple checks for transport and protocol support, such as IPv6 and TCP, some are for advanced features like Resource Public Key Infrastructure (RPKI).
In late 2019 our software engineer, Jerry Lundström, was inspired by RIPE NCC’s RPKI web tester and started to investigate how an RPKI origin validation check for DNS resolvers could be possible. Through collaboration between OARC, RIPE NCC, NLnet Labs and NTT, we got access to the same system as RIPE NCC’s RPKI web tester to run a proxy for Check My DNS so an RPKI origin validation check could be added. At that time, we did not have the resources to fully add this check to the web User Interface (UI) of Check My DNS, so the check was only accessible via a command line tool. The project’s objective was to add user-friendly visibility of the results of RPKI Origin Validation (OV) checking to OARC’s existing Check My DNS tool.
Project Results
First, Jerry updated all the dependencies. This included the Go version, all Go dependencies, jQuery, Bootstrap, ChartJS and the theme from Bootswatch. He also added “Achievements.” The Achievements can be used to indicate features and functionality, or a collection of them, that might be outside the scope of the rating. For example, the RPKI origin validation checks do not currently affect the rating you get, even if they fail, but this feature still makes good results from them visible.
Achievement Example
Once the achievements functionality was added, Jerry changed the RPKI origin validation check to be included in the default setup of checks, and it is now available for anyone to try out on Check My DNS.
Benefits to the Internet Industry in the ARIN Region
This project added functionality that now allows Internet end-users to verify the extent of RPKI Origin Validation support by their Internet provider. It also allows Internet address registries and operators of RPKI infrastructure to debug and test RPKI OV deployment. Additionally, it makes it possible to gather research data to measure the extent of RPKI OV deployment. This functionality also raises visibility of the possibility and relevance of RPKI OV checking to a wider audience of users in the DNS community.
You can view more information about this project in our blogs:
- 4 Nov 2021: Development Update #2111
- 28 Jan 2021: Development Update #2101
- 11 Nov 2019: RPKI origin validation for resolvers!
Any views, positions, statements, or opinions of a guest blog post are those of the author alone and do not represent those of ARIN. ARIN does not guarantee the accuracy, completeness, or validity of any claims or statements, nor shall ARIN be liable for any representations, omissions, or errors contained in a guest blog post.