Extensible Delegation testbed
This website hosts information on the domains we have deployed for evaluating and testing the draft-homburg-deleg protocol proposal, as well as draft-wesplaap-deleg.
Zones and name servers
The ideleg.net zone has been provisioned with several IDELEG delegations (using 65280 as the value for the IDELEG RR type), and is served by two IDELEG supporting authoritative name servers (ideleg.net and ideleg.nlnetlabs.nl) and one legacy, non IDELEG supporting, authoritative name server (legacy.ideleg.net) as hidden secondary:
| name | IPv4 | IPv6 | location |
|---|---|---|---|
ideleg.net |
128.199.252.158 | 2400:6180:0:d2:0:1:ac7b:9000 | Singapore |
ideleg.nlnetlabs.nl |
152.42.143.10 | 2a03:b0c0:2:f0::5b3e:f001 | Amsterdam |
legacy.ideleg.net |
134.122.39.99 | 2604:a880:cad:d0::a417:1001 | Toronto |
The deleg.org zone has been provisioned with several wesplaap-deleg delegations (using 65432 as the value for the DELEG RR type), and is served by two wesplaap-deleg supporting authoritative name servers (deleg.org and deleg.nlnetlabs.nl) and one legacy, non IDELEG supporting, authoritative name server (legacy.ideleg.net) as hidden secondary:
| name | IPv4 | IPv6 | location |
|---|---|---|---|
deleg.org |
146.190.95.45 | 2400:6180:0:d2:0:1:ac7b:8000 | Singapore |
deleg.nlnetlabs.nl |
146.190.31.218 | 2a03:b0c0:2:f0::5b3f:1 | Amsterdam |
legacy.ideleg.net |
134.122.39.99 | 2604:a880:cad:d0::a417:1001 | Toronto |
Querying the zones
These IP addresses can be queried directly to get a taste for the referral responses.
If queried with a specially compiled version of drill, the IDELEG RRs will be displayed as intended.
See this page for instructions how to compile LDNS and drill with IDELEG support.
For example, to get an IDELEG referral from ideleg.net`:
$ drill/drill -Dord @ www.customer1.ideleg.net.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 40708
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 4
;; QUESTION SECTION:
;; www.customer1.ideleg.net. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
customer1.ideleg.net. 3600 IN NS supporting.ideleg.net.
customer1._deleg.ideleg.net. 3600 IN IDELEG 10 (
supporting.ideleg.net.
ipv4hint=188.245.247.219
ipv6hint=2a01:4f8:c2c:99d7::1 )
customer1._deleg.ideleg.net. 3600 IN RRSIG IDELEG 13 4 3600 (
20250403135716 20250306135716 60397 ideleg.net. 4UuzgvStSu... )
customer1.ideleg.net. 3600 IN NSEC customer2.ideleg.net. NS (
RRSIG NSEC )
customer1.ideleg.net. 3600 IN RRSIG NSEC 13 3 3600 (
20250403135716 ( 20250306135716 60397 ideleg.net. TeMDps2J... )
;; ADDITIONAL SECTION:
supporting.ideleg.net. 3600 IN A 188.245.247.219
supporting.ideleg.net. 3600 IN RRSIG A 13 3 3600 (
20250403135716 20250306135716 60397 ideleg.net. RNWvNn/HsO... )
supporting.ideleg.net. 3600 IN AAAA 2a01:4f8:c2c:99d7::1
supporting.ideleg.net. 3600 IN RRSIG AAAA 13 3 3600 (
20250403135716 20250306135716 60397 ideleg.net. QxDs43bLqX... )
;; Query time: 25 msec
;; EDNS: version 0; flags: do ; udp: 1232
;; SERVER:
;; WHEN: Thu Mar 6 16:49:55 2025
;; MSG SIZE rcvd: 670
(This drill output has been edited for readability)
The NSEC3 signed zone
There is also a version with the same kinds of delegations, but NSEC3 signed, in the nsec3.ideleg.net zone, served by an ideleg supporting authoritative name server (supporting.ideleg.net) and also at one legacy, non IDELEG supporting, authoritative name server (legacy.ideleg.net) as hidden secondary:
| name | IPv4 | IPv6 | location |
|---|---|---|---|
supporting.ideleg.net |
159.223.42.75 | 2400:6180:0:d2:0:1:ac7b:7000 | Singapore |
legacy.ideleg.net |
134.122.39.99 | 2604:a880:cad:d0::a417:1001 | Toronto |
Zone transfers
All the name servers in the testbed allow anyone to transfer all the zones that are being served by them.
For example to transfer the ideleg.net zone:
$ drill -Dord @ ideleg.net AXFR
ideleg.net. 3600 IN SOA ideleg.net. wouter.petri.os3.nl. ...
ideleg.net. 3600 IN RRSIG SOA 13 2 3600 20250403135716 ...
ideleg.net. 3600 IN RRSIG A 13 2 3600 20250403135716 ...
etc.
(The transfer is cut-off and edited for readability)
IDELEG Resolver
A resolver implementing the minimal implementation is provided at resolver.ideleg.net with IP addresses 5.223.55.200 and 2a01:4ff:2f0:2233::1.
The addresses are accessable over TCP or TLS, or over UDP with a valid server cookie.
The resolver is running a special version of Unbound. It does not anticipate optimized and extra optimized responses, and it does not (yet) follow AliasMode IDELEG RRs, but it can be used to test our own IDELEG (only) delegations.
Zones at name servers table
| zone | ideleg.net | nlnetlabs1 | supporting2 | legacy3 | signed |
|---|---|---|---|---|---|
| ideleg.net | ✔ | ✓ | hidden | ✔ | |
| customer1.ideleg.net | ✔ | ✔ | |||
| customer2.ideleg.net | ✔4 | ✔ | |||
| customer3.ideleg.net | ✔ | ✓ | ✔ | ||
| customer4.ideleg.net | ✔5 | ✔ | |||
| nsec3.ideleg.net | ✔ | hidden | ✔ | ||
| customer1.nsec3.ideleg.net | ✔ | ✔ | |||
| customer2.nsec3.ideleg.net | ✔6 | ✔ | |||
| customer3.nsec3.ideleg.net | ✔ | ✓ | ✔ | ||
| customer4.nsec3.ideleg.net | ✔7 | ✔ |
| zone | deleg.org | nlnetlabs8 | supporting9 | legacy3 | signed |
|---|---|---|---|---|---|
| deleg.org | ✔ | ✓ | hidden | ✔ | |
| customer1.deleg.org | ✔ | ✔ | |||
| customer2.deleg.org | ✔ | ✔ | |||
| customer3.deleg.org | ✔ | ✔ | |||
| customer4.deleg.org | ✔ | ||||
| customer5.deleg.org | ✔ | ||||
| nsec3.deleg.org | ✔ | hidden | ✔ | ||
| customer1.nsec3.deleg.org | ✔ | ✔ | |||
| customer2.nsec3.deleg.org | ✔ | ✔ | |||
| customer3.nsec3.deleg.org | ✔ | ✔ | |||
| customer4.nsec3.deleg.org | ✔ | ||||
| customer5.nsec3.deleg.org | ✔ |
footnotes
-
ideleg.nlnetlabs.nl ↩
-
supporting.ideleg.net ↩
-
customer2.ideleg.net has the authoritative NS RRset in the customer2.ideleg.net zone ↩
-
customer4.ideleg.net has outsourced operations to ideleg.customer2.ideleg.net ↩
-
customer2.nsec3.ideleg.net has the authoritative NS RRset in the customer2.nsec3.ideleg.net zone ↩
-
customer4.nsec3.ideleg.net has outsourced operations to ideleg.nsec3.customer2.ideleg.net ↩
-
deleg.nlnetlabs.nl ↩
-
supporting.deleg.org ↩