A comparative study between tools for validating the quality of DNS delegation shows that Zonemaster is a reliable and effective tool; ahead of alternatives like MXToolbox and NAST.

DNS provides name resolution for network applications, which is vital for the functionality of the Internet. An important part of the system design is to distribute the administration by delegation of domains. To maintain the availability of domains it is important that configuration is accurately performed. Zonemaster is a tool used for validating the quality of a DNS delegation partly by testing of misconfigurations. (See Zonemaster test site and Zonemaster project site.)

We have made a comparative study between Zonemaster and similar publicly available tools that are free to use and have extensive documentation. DNSViz, NAST and MXToolbox were the tools we found that met the requirements. DNSViz is focusing on DNSSEC, having a wide range of tests in that area and lets the user see the result visually. NAST and MXToolbox is more similar to Zonemaster, offering a variety of tests. 

The evaluation was conducted by identifying and implementing twelve configuration errors regarding DNS delegation. These errors were based on RFC 1912 “Common DNS Operational and Configuration Errors” among other sources and afterwards implemented on our own DNS servers. Our domain name with existing errors were then tested on each tool. Their responses together with the extent of documentation regarding test specification was analyzed. The analyzed data was then divided into three categories: number of implemented tests, detected errors and if the test specification referred to a reliable source.

The following diagram shows one part of the results from the full study: firstly how many of the twelve tests that each tool allegedly were supposed to test, secondly how many of the tests they actually detected and lastly how many they missed.

Diagram of correlation between implemented tests and detected errors

The full result from the study indicates that Zonemaster is a reliable DNS tool that effectively validates the quality of a DNS delegation concerning common configuration errors.

As mentioned in the beginning of the article, it is important that configuration is accurately performed to maintain the availability of domains and when it comes to common configuration errors. A validation tool could be helpful for a user when configuring your domain, although it is important that the tool is reliable and detect errors in a correct way.

This article is based on our degree project in computer engineering. Read the entire thesis here.