Introducing DNS Scope
What is it?
DNS Scope provides the owner, manager or operator of a domain name insight into the configuration and deployment of the corresponding DNS zone. DNS Scope currently uses dnsviz (https://dnsviz.net/) as its default probing, testing and issue detection engine. Additional probes and tests may be available in the future.
What does it do?
The current set of features includes, but isn't limited to:
- verifying delegation and identifying possible parent/child NSset mismatches
- determining the state of DNSSEC protection for a zone (SECURE, BOGUS, INSECURE)
- illustrating the various DNSSEC keys and validation path followed
- reporting any issues detected if a chain of trust could not be built.
Reporting and notifications
DNS Scope allows for automated, scheduled testing of one or more zones, at intervals determined by the customer. Results, including historical tests, are then available to view or download. Reports can also be configured to be emailed, for example always or only on error.
Scheduling and reporting features include:
- Schedule recurring tests at custom time points, using a CRON-like syntax
- Configurable emailing of reports
- Access to historical tests
- Notifications when a result changes between scheduled analyses.
Pricing
While actual pricing has not yet been determined, the platform will make use of credits (1 credit = 1 analysis/action). Subscription-based models are being discussed, with different levels that include a number of analyses.
API for automation
An API will be developed as soon as possible, to enable automation for customers with large sets of domains. More details about this will come in the future.
Feedback
What we're looking for:
Input, ideas, suggestions on how to make this useful for *you*.
- Would you use this for your organization?
- What information would you want included?
- What format would you want to see supported for output?
- What additional tests would be relevant for your organization?
- Feedback around the pricing model
Possible future directions
The following are NOT implemented at this time, nor roadmapped:
- Additional probe types may be made available in the future, allowing for different types of analyses to be carried out, including policy checks, as well as custom zone validators for testing DNSSEC signing and ZONEMD zone integrity.
- DNS Scope reports could help narrow down IPv4 and IPv6 reachability issues and determine whether the problem is one of network reachability or a misconfiguration / outage within the networks hosting the DNS servers.
- A series of tests could be implemented to assess service reachability over IPv4/IPv6 and different transports (UDP/TCP/DoT/DoH/DoQ), and help detect problems with packet sizes / fragmentation.
- Additional resiliency testing could be done to ensure network (topological) and geographical diversity, e.g. verifying that the DNS servers for a given DNS zone aren't all placed within the same subnet, Autonomous System, or country, as can be inferred from available information, and according to a given policy.
Other suggestions/ideas are welcome!