1. 17

An initiative by the Dutch Internet Standards Platform. About Internet.nl


  2. 3

    I think that Internet.nl is probably my new favorite security scanner for web and mail servers. Its TLS checks are much more strict than SSL Labs, and it includes all the checks from Hardenize. It’s also the only service I know of that checks a server’s RPKI.

    1. 2

      It’s been around for many years, but they occasionally add new checks and features to it. It’s one of the sites I use often to check settings quickly, and within Dutch government websites it’s mandatory to get a 100% score on websites.

      1. 2

        Curious how they calculate the totals. My connection failed two tests, yet got only a 40% score:

        • IPv6 works.
        • AAAA records are found.
        • The DNS cache that my ISP runs is not, apparently, able to query authoritative servers that have only v6 addresses.
        • DNSSEC is not validated at the resolver.

        I’m a bit curious about the last one. My understanding was that DNSSEC records were meant to be passed on for the client to validate. Validating them at the cache is likely to lead to DoS attacks on the resolvers (you can make the signature verification quite computationally intensive and with a tiny TTL, so you can fairly easily trick a client into hammering the DNS cache and consuming all of its CPU), so I’d consider that to be correct behaviour. In addition, even if your DNS cache does validate them, you need to check them on the client anyway because the entire point of DNSSEC is that your caching resolver is not in your TCB.
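What a "DNSSEC validated at the resolver" check can observe on the wire, as an added example that is not part of the thread or Internet.nl's own code: a query carrying the EDNS0 DO bit, and the header flags (AD, RCODE) that distinguish a validating cache from a pass-through one. The function names and the header-only sample replies are constructed for illustration; it is an assumption here that the test compares a correctly signed name with a deliberately mis-signed one.

```python
import struct

# DNS header flag masks (RFC 1035; AD and CD from RFC 4035).
QR, AD, CD = 0x8000, 0x0020, 0x0010
NOERROR, SERVFAIL = 0, 2

def build_query(name, qtype=1, txid=0x1234, do=True):
    """Build a query with RD set and an EDNS0 OPT record; DO asks for RRSIGs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP size, TTL = ext-rcode|version|flags.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000 if do else 0, 0)
    return header + question + opt

def parse_header(msg):
    """Return the header fields relevant to DNSSEC from a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F, "ancount": an}

def resolver_validates(signed_reply, bogus_reply):
    """True if the cache set AD on a well-signed name and refused a mis-signed one.

    A stub that does not trust the cache ignores AD and verifies the RRSIGs
    itself, which is why the query above sets the DO bit.
    """
    good, bad = parse_header(signed_reply), parse_header(bogus_reply)
    return good["rcode"] == NOERROR and good["ad"] and bad["rcode"] == SERVFAIL

# Constructed header-only replies (id, flags, qd, an, ns, ar).
VALIDATING = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1),   # AD set
              struct.pack("!HHHHHH", 0x1235, 0x8182, 1, 0, 0, 1))   # SERVFAIL
PASS_THROUGH = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1),  # no AD
                struct.pack("!HHHHHH", 0x1235, 0x8180, 1, 1, 0, 1))  # bogus served

if __name__ == "__main__":
    print("validating cache:  ", resolver_validates(*VALIDATING))
    print("pass-through cache:", resolver_validates(*PASS_THROUGH))
```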