RPKI Origin Validation Visibility for Check My DNS

RPKI Origin Validation Visibility for Check My DNS

By Keith Mitchell – DNS-OARC

ARIN Community Grant Program Recipient Report

Check My DNS is a custom-developed Domain Name System (DNS) nameserver that supports a general-purpose framework for testing DNS resolvers. Check My DNS is a product of the DNS Operations, Analysis, and Research Center (DNS-OARC), a non-profit, membership organization supported by over 100 different major players in the DNS operations community delivering data gathering, analysis, and software tool development for over fifteen years. With the funding awarded by the ARIN Community Grant Program in October 2020, Check My DNS has been given some much needed updates, including RPKI Origin Validation checking, which allows Internet end-users to verify if the DNS resolver they are using is in IP address space which is RPKI validated.

Overview

Check My DNS analyzes how you use DNS as a client by testing your configured resolvers using your browser and specially crafted domain names, giving results as a graphical summary. It does this by creating dynamically delegated subdomains to enable clients to query for never-before-seen resource records. With these crafted subdomains and the ability to send “wrong” DNS answers, it is possible to analyze the functionality and hopefully tell what RFCs the client’s DNS resolver infrastructure supports. Using an API backend and JavaScript at the client’s browser, Check My DNS can analyze every step of the DNS transaction and provide a full packet trace. While many of the checks are simple checks for transport and protocol support, such as IPv6 and TCP, some are for advanced features like Resource Public Key Infrastructure (RPKI).

In late 2019 our software engineer, Jerry Lundström, got inspired by RIPE NCC’s RPKI web tester, and started to investigate how a RPKI origin validation check for DNS resolver could be possible. With collaboration between OARC, RIPE NCC, NLnet Labs and NTT, we got access to the same system as RIPE NCC’s RPKI web tester to run a proxy for Check My DNS so an RPKI origin validation check could be added. At that time, we did not have the resources to fully add this check to the web User Interface (UI) of Check My DNS, so the check was only accessible via a command line tool. The project’s objective was to add user-friendly visibility of the results of RPKI Origin Validation (OV) checking on OARC’s existing Check My DNS tool.

Project Results

First, Jerry updated all the dependencies. This included the Go version, all Go dependencies, jQuery, Bootstrap, ChartJS and the theme from Bootswatch. He also added “Achievements.” The Achievements can be used to indicate features and functionality, or a collection of them, that might be outside the scope of the rating. For example, the RPKI origin validation checks do not currently affect the rating you get, even if they fail, but this feature still makes good results from them visible.

Achievement Example

Achievement Example

Once the achievements functionality was added, Jerry changed the RPKI origin validation check to be included in the default setup of checks, and it is now available for anyone to try out on Check My DNS.

Benefits to the Internet Industry in the ARIN Region

This project added functionality that now allows Internet end-users to verify the extent of RPKI Origin Validation support by their Internet provider. It also allows Internet address registries and operators of RPKI infrastructure to debug and test RPKI OV deployment. Additionally, it makes it possible to gather research data to measure the extent of RPKI OV deployment. This functionality also raises visibility of the possibility and relevance of RPKI OV checking to a wider audience of users in the DNS community.

You can view more information about this project in our blogs:

Post written by:

A photo of Keith Mitchell
Keith Mitchell
DNS-OARC

Keith Mitchell is President of DNS-OARC. In 2012, Keith setup his own company, SMOTI Enterprises Inc., which contracts and contributes his leadership services to a number of Internet engineering nonprofits, including DNS-OARC and UKNOF. From 2008 until 2012 he served as VP of Systems Engineering at the Internet Systems Consortium, where he had responsibility for ISC’s infrastructure and open-source software development. Prior to this at ISC he managed the OARC programme for DNS operators, returning in 2012 to serve as President of the now-autonomous nonprofit OARC Inc. He founded and has been Managing Director of the UK Network Operators Forum (UKNOF) since 2005.

Any views, positions, statements, or opinions of a guest blog post are those of the author alone and do not represent those of ARIN. ARIN does not guarantee the accuracy, completeness, or validity of any claims or statements, nor shall ARIN be liable for any representations, omissions, or errors contained in a guest blog post.

Recent blogs categorized under: Grant Program

GET THE LATEST!  

Sign up to receive the latest news about ARIN and the most pressing issues facing the Internet community.

SIGN ME UP →

Blog Categories

IPv6 •  Business Case for IPv6 •  Internet Governance •  Public Policy •  Elections •  ARIN Bits •  Fellowship Program •  Grant Program •  RPKI •  Caribbean •  Outreach •  Training •  Updates •  IPv4 •  Security •  Data Accuracy •  Tips •  Customer Feedback •  IRR

 

Connect with us on LinkedIn!