Overview of public domains that can be used for testing

[baknu]

1. IPv6-only websites: forfun.net ipv6.google.com ipv6.internet.nl

   2. DNSSEC bogus domains: servfail.nl rhybar.cz brokendnssec.net ok.bogussig.ok.bad-dnssec.wb.sidnlabs.nl

2. Wrong DANE: web: domains on https://www.huque.com/dane/testsite/ mail: wrong.havedane.net

3. HTTPS/TLS issues: Domains on https://badssl.com/

   5. RPKI invalid invalid.rpki.isbgpsafeyet.com invalid.rov.koenvanhove.nl

[aequitas]

rhybar.cz

does not resolve at all atm. Is it still valid?

[baknu]

rhybar.cz

does not resolve at all atm. Is it still valid?

Should be: www.rhybar.cz

[baknu]

Some of the underlying subdomains of https://www.email-security-scans.org/ could probably also be used to test the workings of the Internet.nl mail test. See: https://www.email-security-scans.org/description.php

[baknu]

For HTTP status codes: https://returnco.de

[bwbroersma]

Not really a domain, but both paths have a invalid + valid route: https://rpkitest4.nlnetlabs.net/valid.json / 185.49.142.6 https://rpkitest6.nlnetlabs.net/valid.json / 2a04:b907::6

Note the valid.json returns {"rpki-valid-passed":<boolean>,"rpki-invalid-passed":<boolean>,"ip":<String>} and has the proper CORS headers enabled:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
Access-Control-Expose-Headers: Content-Length,Content-Range

See https://bgp.tools/rir-owner/nl.nlnetlabs: 185.49.142.6 is routed by: :x: invalid 185.49.142.0/24 (more specific) ✅ valid ROA 185.49.142.0/23 (less specific)

2a04:b907::6 is routed by: :x: invalid 2a04:b907::/48 (more specific) ✅ valid ROA 2a04:b907::/47 (less specific)

[bwbroersma]

Revoked and expired certificate list: https://www.ssl.com/sample-valid-revoked-and-expired-ssl-tls-certificates/

[bwbroersma]

Some pet project I was working on last weekend, with the goal to:

• [x] dynamic HTTP headers and return codes (nginx with njs)
• [ ] API endpoints
  • [ ] instead of ?p= with HTML also have an 'API'
  • [x] Reverse check https://v1.b6a.nl/?debug=2mfu7tbmkecpscd7fabaa
  • [ ] maybe have a 'debug' output of expected headers and status code
• [ ] dynamic TLS (nginx via stream with njs)
• [ ] dynamic DNS (powerdns with lua)
• [ ] publish as docker (currently is a nginx:alpine docker with nginx.conf and njs.js file)

Al based on the base32 hostname (limited to 63 chars), which uses deflate compression with a shared dictionary to compress more input. Base36 could also be used to store more bits per char. WIP: https://v1.b6a.nl/ using this domain temporary, the current dictionary is very small and raw deflate is used, not the zlib with 'overhead' of 2 header bytes, 4 bytes DICTID (adler32 of dictionary content) and a final 4 bytes adler32, this meant the hostnames will brake when the dictionary will change, so don't expect that it is stable in any way yet.

Some dictionary inspiration:

• draft-mbelshe-httpbis-spdy-00 - SPDY Protocol - § 2.6.10.1. Compression (static 32kB ZLIB dict)
• RFC 7541 - HPACK: Header Compression for HTTP/2 - Appendix A. Static Table Definition of header fields
• RFC 7932 - Brotli Compressed Data Format - Appendix A. Static Dictionary Data (120kB)
• RFC 9204 - QPACK: Field Compression for HTTP/3 - Appendix A. Static Table of header fields

Related:

• 914

[baknu]

See also: https://github.com/internetstandards/Internet.nl/issues/175

[bwbroersma]

IPv6 only nameserver:

• dnslabs.nl

[bwbroersma]

More TLS valid, revoked and expired test domains from https://letsencrypt.org/certificates/:

ISRG Root X1 (RSA 4096):

• https://valid-isrgrootx1.letsencrypt.org
• https://revoked-isrgrootx1.letsencrypt.org
• https://expired-isrgrootx1.letsencrypt.org

ISRG Root X2 (ECDSA P-384):

• https://valid-isrgrootx2.letsencrypt.org
• https://revoked-isrgrootx2.letsencrypt.org
• https://expired-isrgrootx2.letsencrypt.org

[bwbroersma]

• Tip credits go to @mdavids who mentioned it in relation to testing issue #1481

See https://www.dnscheck.tools/#more, it can do quite some DNSSEC things:

DNS TEST QUERIES

dnscheck.tools is also a custom DNS test server! Make test queries like:

$ dig [SUBDOMAIN.]go[-ALG][-NET].dnscheck.tools TXT
SUBDOMAIN

The SUBDOMAIN is composed of DNS response options, separated by a hyphen. Options may include:

    any of:
        <random> - a random number, up to 8 hexadecimal digits; useful for cache busting
        compress - force the use of DNS message compression in the response
        [no]truncate - force or disable message truncation for responses over UDP
        watch - mirror corresponding requests to the [/watch/<random>](https://www.dnscheck.tools/watch) page; requires <random> 
    up to one of:
        padding<n> - add <n> bytes of EDNS0 padding, up to 4000, to A, AAAA, and TXT responses
        txtfill<n> - add <n> bytes of padding as TXT data, up to 4000, to TXT responses 
    up to one of:
        formerr - respond with "format error"
        servfail - respond with "server failure"
        notimpl - respond with "not implemented"
        refused - respond with "query refused"
        noreply - do not respond 
    up to one of:
        nosig - do not provide any DNSSEC signature in the response
        badsig - provide an invalid DNSSEC signature when signing the response
        expiredsig[<t>] - provide an expired DNSSEC signature when signing the response, <t> seconds in the past (default 1 day) 

ALG & NET

The zone, go[-ALG][-NET], sets DNSSEC signing and network options.

    ALG may be one of:
        alg13 - sign the zone using ECDSA P-256 with SHA-256 (default)
        alg14 - sign the zone using ECDSA P-384 with SHA-384
        alg15 - sign the zone using Ed25519
        unsigned - do not sign the zone 
    NET may be one of:
        ipv4 - offer only IPv4 authoritative nameservers
        ipv6 - offer only IPv6 authoritative nameservers 

The zone "go" is equivalent to "go-alg13" and has both IPv4 and IPv6 authoritative nameservers.