
Who Ya Gonna Call for DNS issues?

News 02-11-2016

By Sandoche Balakrichenan (Afnic) - When you are sick, who are you going to call? The most appropriate answer is your doctor. To identify the health issue, the doctor runs a number of tests. The test results are compared against thresholds drawn from scientific recommendations. For example, a person has a fever if his/her temperature is above a certain threshold, whether measured in Celsius or Fahrenheit.

When we have an issue with a domain name, who are you going to call? The obvious answer is a DNS validation tool. The tool runs a number of tests. As with the fever example, the test results are compared with recommendations/guidelines[1] to assess the health of the particular domain.

Fig: 1 An analogy between tests run for human beings (left) and DNS (right)

There are a number of DNS validation tools. Some focus on specific issues, while others run really extensive checks on the correctness of a DNS delegation; Zonemaster falls into the latter category.

About Zonemaster

The “Zonemaster[2]” project is a collaboration between two ccTLD[3] organisations: Afnic (.fr registry) and IIS (.se registry). The vision for these two organisations is to develop a tool that is recognised as the reference "DNS validation tool".

This project consists of several functional blocks (Fig: 2):

  • The engine - the core component, containing the source code for the test framework, for running the different tests, and for outputting the results in different formats (HTML, JSON, text, etc.) and different languages (currently English, French and Swedish)
  • The CLI (Command Line Interface) - enables users to provide as input a domain name and, if needed, additional options, and calls the engine to run the tests and report the results in a command line console.
  • The backend - provides an API (Application Programming Interface) to run tests on a single domain or a batch of domains, together with the capability to store the results in a database, which makes it possible to refer back to a previous test.
  • The GUI (Graphical User Interface) - enables users to provide input (basically a domain name) and, if needed, additional options, and calls the engine to run the tests and report the results in a web interface.

Currently, all components of the Zonemaster project can be installed on Ubuntu, Debian, CentOS and FreeBSD operating systems.

An entire repository of this project is dedicated to documentation[4], which includes the requirements and specifications for how the tests are run. The documentation lets users know exactly what tests are run to validate a domain name, why, and how. The test specifications of the Zonemaster project have been used as input by the TRTF[5] group at CENTR (whose aim is to create a set of best current practice documents for evaluating the quality of a DNS delegation), and the output of this working group is an Internet draft[6], which will be further discussed at the IETF.

The icing on the cake is that all the source code developed as part of this project is released under the BSD-2 licence, and the documentation under a Creative Commons Attribution licence[7], which allows anyone to re-use them for their internal use without restriction.

How is the Zonemaster tool useful for me?

The “me” in the subtitle can be different entities - a domain administrator, a domain user, a company with a portfolio of domains, a registry, a registrar, etc.

Fig: 2 The Public Web interface "www.zonemaster.net" – no installation required (left top), the CLI version with engine and CLI installed locally (right top) and the local version with the backend and the GUI installed locally in addition to the engine and the CLI

A basic user without much DNS expertise will use Zonemaster to verify whether the health of his/her domain is perfect or, if there is an issue, use the test results to resolve it either by him/herself or with the help of someone with the know-how. In this case, the basic user will use the web interface “www.zonemaster.net” to run the test and obtain the results. This is like a patient having a complete health check and being satisfied when no anomaly is detected.

Users with DNS know-how who need more flexibility would prefer the CLI. In this case, the user needs to install the engine and the CLI. This is similar to a doctor who has specialised equipment to analyse further an anomaly identified in a health check.

Just as a patient's health history is kept under a unique health insurance number (in our case, the domain name), the result history of domain tests can be stored in a database. This functionality is provided by the back-end. For a basic user, it is accessible by clicking the history button in the public web interface after entering the domain name, since the back-end is hosted by the Zonemaster project. However, there are cases that call for one's own database (e.g. a registry or a company with a portfolio of domains that wants to run tests, store the results in its own database and use them for debugging or other applications). In that situation, the back-end has to be installed in addition to the engine and the CLI.

There are further advantages of the Zonemaster tool for an advanced user or organisation. One can use the back-end API[8] to run tests for a batch of domains. This saves a considerable amount of time for a company with a portfolio of domains or a registry that would like a periodic health scan of all the domains in its zone.
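To make the back-end workflow concrete, here is an added example (not Zonemaster's own code) of a small JSON-RPC 2.0 client that starts a test, polls its progress, fetches the results and submits a batch job. The method names start_domain_test, test_progress, get_test_results, add_batch_job and add_api_user are those listed in the backend API document[8]; the exact parameter names and result shapes used below are assumptions for this example and should be checked against that document. A constructed fake backend is included so the example runs offline; swap in http_transport with the URL of a real backend to use it for real.

```python
import itertools
import json
import time
import urllib.request
from typing import Callable, Dict, List

# A transport takes a JSON-RPC request body and returns the response body.
Transport = Callable[[str], str]


def http_transport(url: str) -> Transport:
    """HTTP POST transport for a real backend (not exercised by the offline demo)."""
    def send(body: str) -> str:
        req = urllib.request.Request(url, data=body.encode("utf-8"),
                                     headers={"Content-Type": "application/json"},
                                     method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode("utf-8")
    return send


class ZonemasterClient:
    def __init__(self, transport: Transport, sleep: Callable[[float], None] = time.sleep):
        self._transport = transport
        self._sleep = sleep
        self._ids = itertools.count(1)

    def call(self, method: str, params):
        request_id = next(self._ids)
        body = json.dumps({"jsonrpc": "2.0", "id": request_id,
                           "method": method, "params": params})
        reply = json.loads(self._transport(body))
        # Never pair a result with the wrong request, and surface backend errors.
        if reply.get("id") != request_id:
            raise RuntimeError("JSON-RPC id mismatch")
        if "error" in reply:
            raise RuntimeError(f"{method} failed: {reply['error']}")
        return reply["result"]

    def run_test(self, domain: str, poll_interval: float = 2.0) -> dict:
        # Parameter shapes are assumptions; verify against the API document.
        test_id = self.call("start_domain_test", {"domain": domain})
        while self.call("test_progress", {"test_id": test_id}) < 100:
            self._sleep(poll_interval)
        return self.call("get_test_results", {"id": test_id, "language": "en"})

    def submit_batch(self, domains: List[str], username: str, api_key: str) -> str:
        # Batch jobs need an API user created beforehand (add_api_user); keep the
        # key out of source control and pass it in from the environment.
        return self.call("add_batch_job", {"username": username, "api_key": api_key,
                                           "domains": domains, "test_params": {}})


def count_levels(results: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally the severity levels in a result list (one dict per message)."""
    counts: Dict[str, int] = {}
    for entry in results:
        counts[entry["level"]] = counts.get(entry["level"], 0) + 1
    return counts


class FakeBackend:
    """Constructed stand-in for a backend so the example runs offline."""
    def __init__(self):
        self.progress: Dict[str, int] = {}
        self.batches: Dict[str, List[str]] = {}

    def __call__(self, body: str) -> str:
        req = json.loads(body)
        method, params = req["method"], req["params"]
        if method == "start_domain_test":
            test_id = f"t-{len(self.progress) + 1}"
            self.progress[test_id] = 0
            result = test_id
        elif method == "test_progress":
            tid = params["test_id"]
            self.progress[tid] = min(100, self.progress[tid] + 50)  # 50% per poll
            result = self.progress[tid]
        elif method == "get_test_results":
            result = {"hash_id": params["id"], "results": [
                {"module": "CONNECTIVITY", "level": "INFO",
                 "message": "constructed sample message"}]}
        elif method == "add_batch_job":
            bid = f"b-{len(self.batches) + 1}"
            self.batches[bid] = list(params["domains"])
            result = bid
        else:
            return json.dumps({"jsonrpc": "2.0", "id": req["id"],
                               "error": {"code": -32601, "message": "method not found"}})
        return json.dumps({"jsonrpc": "2.0", "id": req["id"], "result": result})


def demo():
    backend = FakeBackend()
    client = ZonemasterClient(backend, sleep=lambda _s: None)  # no waiting offline
    report = client.run_test("example.net")
    batch_id = client.submit_batch(["example.net", "example.org"],
                                   "batch-user", "API-KEY-PLACEHOLDER")
    return report, batch_id, backend


if __name__ == "__main__":
    rep, bid, _ = demo()
    print(rep["hash_id"], count_levels(rep["results"]), bid)
```

The id check in call() matters when a client reuses one HTTP connection for many polls: a stale or out-of-order reply must not be mistaken for the answer to the latest request.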

Along the lines of a health check for human beings, it may be necessary to concentrate on certain tests rather than running a complete health check. This is possible in Zonemaster, where the user can customise the set of tests run on a domain[9]. In addition, one can add filters[10] to downgrade or upgrade the results of certain tests for a particular nameserver/IP address of a domain.

Afnic and IIS message

From the beginning, we have drawn an analogy between the tests for a domain and the health tests for a human being. The reason is that we are convinced that DNS validation tests are as important for the Internet and the DNS community as health tests are for a patient.

There has been interest from the DNS community in using Zonemaster. Registries like CIRA already have their own local Zonemaster set up, and Afnic and IIS will soon have their local versions. CENTR is considering recommending Zonemaster to its community to run their own scans and send the results to CENTR, which in turn will use them to publish visualised statistics.

Afnic and IIS have been working on the Zonemaster project officially for two years, and our plan is to continue supporting it in the future. We are open to community contributions and would welcome you to use the tool and participate in making Zonemaster the reference DNS validation tool.

CENTR message to its community

CENTR has surveyed members on the topic of zone scans and is considering capturing data on DNS quality (using Zonemaster), which could be visualised in interactive charts on the CENTRstats platform. The objective would be to provide the following service: market-level statistics on DNS quality (including time series trends), benchmarking between TLDs, and scans of TLDs that do not have the time or resources to do so themselves. For more information, contact CENTR.

[1] The recommendations could be from RFC https://www.ietf.org/rfc.html, Best Current Practices documents or from operational experiences accepted by a large section of the DNS community
[2] https://github.com/dotse/zonemaster/blob/master/README.md
[3] https://en.wikipedia.org/wiki/Country_code_top-level_domain
[4] https://github.com/dotse/zonemaster/tree/master/docs
[5] https://github.com/CENTRccTLDs/TRTF
[6] https://tools.ietf.org/html/draft-wallstrom-dnsop-dns-delegation-requirements-02
[7] https://github.com/dotse/zonemaster/blob/697dd262debce9d69cbb3ea10d957f46ba56a278/LICENSE
[8] https://github.com/dotse/zonemaster-backend/blob/master/docs/API.md
[9] https://github.com/dotse/zonemaster-engine/blob/a58ab934d80ec0eea61519ea60a44c538349419d/share/policy.json
[10] When a message with the given tag is added, its arguments are compared to the ones given with the filter. If all the arguments provided in the filter are string-wise equal to the ones logged, the level for that log entry is set to the one given by the filter. This way, an expected message can be given a different level than other messages of the same type; for example, known false positives can be suppressed.
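The filter mechanism described in the paragraph on customising tests and in note [10] can be illustrated with an added example (not Zonemaster's own code). It reimplements the rule in note [10] in Python: a filter names a message tag, the arguments that must be string-wise equal to the logged ones, and the level to assign. The message tags, level names, host names and addresses below are constructed for the example. Note how narrowing the filter to both the nameserver and its address keeps the downgrade from silently covering a new, unexpected address, and how the string-wise comparison lets a filter written with "2016110201" match a serial that was logged as an integer.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Severity levels in ascending order (names assumed; only their order matters here).
LEVELS = ["DEBUG", "INFO", "NOTICE", "WARNING", "ERROR", "CRITICAL"]


@dataclass
class LogEntry:
    """One message emitted by a test: its tag, severity and arguments."""
    tag: str
    level: str
    args: Dict[str, object] = field(default_factory=dict)


@dataclass
class LevelFilter:
    """Rewrite the level of entries whose tag matches and whose logged
    arguments are string-wise equal to every argument given in the filter."""
    tag: str
    set_level: str
    args: Dict[str, object] = field(default_factory=dict)

    def matches(self, entry: LogEntry) -> bool:
        if entry.tag != self.tag:
            return False
        for key, wanted in self.args.items():
            if key not in entry.args:
                return False            # an argument the filter names is absent
            if str(entry.args[key]) != str(wanted):
                return False            # string-wise comparison, as in note [10]
        return True


def apply_filters(entries: List[LogEntry], filters: List[LevelFilter]) -> List[LogEntry]:
    """Return copies of the entries with the level set by the first matching
    filter (first-match-wins is a choice of this example). Unmatched entries
    keep their original level."""
    out = []
    for entry in entries:
        new_level = entry.level
        for flt in filters:
            if flt.matches(entry):
                new_level = flt.set_level
                break
        out.append(LogEntry(entry.tag, new_level, dict(entry.args)))
    return out


def worst_level(entries: List[LogEntry]) -> str:
    """The highest severity present, i.e. the overall 'health' of the zone."""
    return max(entries, key=lambda e: LEVELS.index(e.level)).level


# Constructed sample messages; tags, names and addresses are made up.
SAMPLE_ENTRIES = [
    LogEntry("NS_NO_TCP", "ERROR", {"ns": "ns1.example.net", "address": "192.0.2.1"}),
    LogEntry("NS_NO_TCP", "ERROR", {"ns": "ns2.example.net", "address": "192.0.2.2"}),
    LogEntry("SOA_SERIAL_OK", "INFO", {"serial": 2016110201}),
]

# A known false positive for ns1 at exactly this address is downgraded to INFO;
# the same message for any other server or address still counts as an ERROR.
# The second filter shows that a filter value written as a string still
# matches an argument that was logged as an integer.
SAMPLE_FILTERS = [
    LevelFilter("NS_NO_TCP", "INFO", {"ns": "ns1.example.net", "address": "192.0.2.1"}),
    LevelFilter("SOA_SERIAL_OK", "DEBUG", {"serial": "2016110201"}),
]


def demo():
    filtered = apply_filters(SAMPLE_ENTRIES, SAMPLE_FILTERS)
    rows = [(e.tag, e.args.get("ns"), e.level) for e in filtered]
    return rows, worst_level(filtered)


if __name__ == "__main__":
    rows, overall = demo()
    for row in rows:
        print(row)
    print("overall:", overall)
```

Because ns2 is not covered by the filter, the zone's overall result stays at ERROR; a filter that only named the tag would have hidden both messages, which is exactly the over-broad suppression to avoid.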