RPKI origin validation for resolvers!


Check My DNS can now check if RPKI origin validation is enabled for the resolvers that query it (read caveats below).

RIPE NCC RPKI web test

This all started a month or two ago when I was talking to a former colleague, and he asked if Check My DNS could do an RPKI test similar to RIPE NCC’s web tester (the hot new thing).


What you need are beacons, as they are called in the web test: essentially a service that you can communicate with (HTTPS for the web test, DNS for Check My DNS).

Job to the rescue!

Another “issue” that quickly became obvious was that I would need addresses to announce, and the smallest announcement that will be accepted is a /24 for IPv4 and a /48 for IPv6.


The first thing I needed to do was extend Check My DNS, and I managed to hack together a proxy that relays DNS from an external point into the logic of the daemon as if it had been answered on site.

RPKI resolver checks

These checks are now available using cmdns-cli, a small Go program that can communicate with Check My DNS.


But where’s the UI?

I only had time to hack this together using cmdns-cli; UI work is hard and always takes more time than you think.

To be continued…

Data available for researchers!

As a DNS-OARC member you can get access to all of the raw test data on our analysis servers. If you would like access but currently do not have an account on the analysis servers, please contact us.

About Check My DNS

Check My DNS is a custom developed DNS nameserver that creates dynamic delegated subdomains to enable clients to query for never-seen-before resource records in order to support a general-purpose framework for testing DNS resolvers.


Job Snijders (NTT) comments:

Domain Name System Operations Analysis and Research Center