DNS was designed in the 1980s when the Internet was much smaller, and security was not a primary consideration in its design. As a result, when a recursive resolver sends a query to an authoritative name server, the resolver has no way to verify the authenticity of the response. DNSSEC was designed to address this issue.

DNSSEC adds two important features to the DNS protocol:

• Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from the zone where it believes the data originated.
• Data integrity protection allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the zone owner with the zone's private key.

Up until today, the DNS Server Monitor Test only allowed a user to monitor the DNS resolution for a given hostname from specified Name Servers. Users can be alerted if the resolution time crosses a particular threshold or if an unexpected DNS response code is received, or a non-allowed IP is answered.
However, these tests previously did not validate the DNSSEC trust chain of the received record.
Enter DNSSEC Validation.

How can you configure DNSSEC validation?

When enabled for a given domain, the test will recursively check the validity of each signing entity in the chain from the authoritative name server up to the root server. The result will be either a positive or a negative response. The DNSSEC record is either fully verified or it isn’t.

When the option is active, the test results will show the DNSSEC validation status for each one of the Agents involved in the test.

Validity of DNSSEC is based on querying DS and DNSKEY for any of the successive parts of the domain name: for a DNS test target of subdomain.domain.tld, each of tld., domain.tld., subdomain.domain.tld. and . (root) will be tested.

Traces for the DNSSEC validation for each agent will be available by clicking on their respective status icon on the previous screengrab.

DNSSEC validation impact on subtest health

Health options remain the same as the DNS Server Monitor test. DNSSEC validation will have a boolean result. If validation is successful it’s a healthy result, if not, it's critical. 

If enough agents have a critical results (see screenshot above) to meet the sub-test threshold condition, an alert will be triggered.

IMPORTANT NOTE: App Agents vs Network Agents

Be advised that setting DNSSEC validation is available to all agents except Private Network Agents. As a reminder, our new Private App Agents not only include all of the capabilities of the legacy Network Agents, but also include the capabilities required for advanced Web tests such as Page Load Tests and Transaction Tests.

If you currently run our legacy Network Agents, please consider replacing them with our new App Agents to gain access to all of the feature we will add in the future. Kentik's entire fleet of Network Agents has already been migrated, and support for the Network Agents will be phased out in 2023 (more to come on this soon)

As of now, users can set their own DSCP values in any Synthetic Monitoring Network test.

What's new?

While Network Tests initially defaulted to Diffserv codepoint "0: Best Effort" for every Network test, they can now be set to any value, allowing our users to more realistically test the behavior of their own network and test along all classes of services they implement.

To see it in action, edit or create any IP Hostname Network test: in the Advanced Options, both Ping and Traceroute aspects of it can be set to different DSCPs.

IMPORTANT NOTE: App Agents vs Network Agents

Be advised that setting DSCP values for the aforementioned tests is available to all agents except Private Network Agents. As a reminder, our new Private App Agents not only include all of the capabilities of the legacy Network Agents, but also include the capabilities required for advanced Web tests such as Page Load Tests and Transaction Tests.

If you currently run our legacy Network Agents, please consider replacing them with our new App Agents to gain access to all of the feature we will add in the future. Kentik's entire fleet of Network Agents has already been migrated, and support for the Network Agents will be phased out in 2023 (more to come on this soon)

BGP Monitor tests in Kentik Synthetic Monitoring came out including tests for the following elements:

• Reachability: % of BGP Vantage Point threshold to determine whether prefixes are visible “enough” through the public internet
• Allowed Origin: whether detected originators are part of an allowed-list (manually specified, or via RPKI) - this is commonly referred to as “Origin Hijack Monitoring”

The health of a BGP Monitor test was then the worse of these two tests, across all prefixes registered in the test, with the specificity that “Allowed Origin” could only be healthy or critical.

The “Allowed ASNs” test has now been renamed “Origin Hijack detection” to match what the industry is calling it.

Additionally, we have added “Upstream Leak Detection” - here’s the practical use for it:

In a normal situation, you only want your Upstream IP Transit Providers to announce your prefixes to the rest of the world: under no circumstance do you usually want your peers to announce your prefixes to the rest of the world as if they were your transit provider. They should keep these routes to themselves, and only use them to go from their network to yours (announcing them to their peers will break that partition).

Enters #4 step of the updated BGP Monitor test where you can now enter the ASNs of your “official” Upstream Transit Providers and we will inspect the 1st hop in the AS Path of all announcements of these prefixes (and of their more specific children).

Remember that with all BGP Announcements collected from the BGP Vantage Points, come an AS_PATH that gives the following information:

<vantage_point_ASN> …. various ASNs … <UPSTREAM_ASN> <Origin_ASN(yours)>

If the <UPSTREAM_ASN> is not part of your allowed list of Transit Providers for any of the prefixes (and their more specifics), the entire BGP Monitor test will be flagged as critical for “Upstream Leak”.

For further reference, the diagram below details Origin Hijack vs Upstream Leak

The Incident Log has been enhanced with some powerful new features.

The log now supports a time series stacked bar chart displaying the volume of alerts by alert severity. This enables users to quickly identify alerting trends over time.

The log also supports many new filtering options that allow the log and the stacked bar chart to be filtered by alert severity, alert status, test name, test type, label and agent (private/global).

When one or more filters are selected an indicator displays the total number of filters currently enabled along with the time range selection.

The selection is also persistent, so navigating away from this page will not cause the selection to be lost.

Finally, we will be collapsing the Performance Dashboard menu item into the Synthetics title itself. 

Clicking on "Synthetics >" will bring you to the (soon to be) newly named "Synthetics Dashboard"

Ensuring that DNS is healthy and working as expected is fundamental to the performance and availability of any network service.

Kentik's DNS Server Monitor and DNS Server Grid tests already allow users to monitor and alert on the DNS Resolution Time - an important metric to track to ensure that no delays are introduced at this step of the interaction.

We've now enhanced these tests with the ability to monitor and alert on the IP mappings returned by the DNS servers being queried. By specifying an allowed list of IP addresses we can alert when an unexpected mapping is returned.

The Allowed DNS Results field under Advanced Options allows users to specify the expected IP results. If the test returns an IP that isn't in this allowed list the test health will be marked as Critical and an alert is triggered based on the alert activation settings.

Websites and web applications rely on SSL certificates to demonstrate their authenticity to end users connecting to them. 

Whether the web application is one the customer owns themselves or one that they consume as a service from a service provider if the server certificate attached to the application expires or is invalid, users will not be able to connect to them securely. It is therefore important to monitor the health of these certificates and alert when one is about to expire or is no longer valid.

With the TLS Certificate Expiry Check feature we have introduced a new column in the Results page of HTTP(S) and Page Load tests displaying the server certificate’s expiry status and we've expanded test Health options to alert when the certificate is about to expire.

When the target website's certificate is valid we will display the expiry date of the server certificate as seen below.

When the certificate is invalid (or expired) we will display an error message indicating the cause of the failure.

Health options now includes the option to alert the user when the certificate is nearing expiry to prevent site outages due to invalid certs.

If the website's certificate is within the specified threshold the Certificate Expiry column values will be colored accordingly.

To disable all certificate checks, enable the "Ignore TLS Errors" switch under Advanced Options > General Options. This will remove the "Certificate Expiry" column in the test results page.

In previous releases we provided the option to include network layer data in web tests by enabling ping and trace route in HTTP(S) and Page Load tests. This allowed us to quickly correlate application and network metrics to identify the root cause of an application's performance or availability issues.

Expanding on our cross layer visibility we can now include BGP data in web tests as well. Allowing us to further improve the time it takes to identify the root cause of issues as originating in either the application, network or routing domain.

Where previously you would need to create a separate BGP Monitor test you can now examine the same BGP data in an adjacent tab on the results page itself. No need to jump between test views!

When included, BGP data will be visible as an additional tab in the test results page.

Putting it altogether, we can now analyze all layers of information relevant to a target application's health on the same screen, including

Application metrics and Network Ping metrics in the Results tab.

Network Trace metrics in the Path View tab.

To add BGP data to an HTTP(S) or Page Load test turn the switch to "Enable bgp monitoring" (disabled by default) and enter the necessary details as you would for a regular BGP Monitor test including health options for Allowed ASN(s), RPKI status and Reachability (Advanced Options). 

Refer to the KB for more details on configuring BGP Monitor tests.

We've enhanced the synthetic library widgets to include a scrubbable health status bar! 

While previously the widgets displayed results of just the last test run executed, this enhancement allows you to scroll back and forth to review the results historically on the widget itself without having to jump into the test page itself. This will aid in reducing the Mean Time To Identification (MTTI) of network or application issues.

The health status bar is available for all single test synthetic widgets.

We've expanded the capabilities of the Kentik Synthetic Application agent to support all test types. Application agents can now execute all Network based tests (including Network Mesh & Grid and Autonomous Tests) and DNS based tests in addition to the Web tests (HTTP, Page Load and Transaction Test) they already supported. 

BGP Monitor tests are not applicable since these use BGP Vantage Points and not synthetic agents.

Look for the list of Private or Global App Agents in the agent selection modal at test creation.

Find the full list of supported Global App Agents on the Agent Management page

Use the agents to run Network tests like the agent to agent test seen below.

We're excited to announce that our initial launch of Synthetic Transaction Monitoring (STM) is now GA!

Transaction tests expand on our existing suite of web/app layer testing capabilities. While an HTTP/API test tests the availability of the front door (hosting web server) of an application and a Page Load test gives you the ability to test the performance of how a website loads, a Transaction test goes much deeper and allows you to simulate a user's journey as they interact with an application, like logging into an email application or checking out a shopping cart or searching for a stock ticker symbol.

For instance, an e-commerce site has many user workflows which enable a customer to login, search through selections, select payment and delivery options and finalize a transaction. Delays or errors in any of these steps can impact the customer experience and lead to lost revenue. STM will enable you to benchmark the performance of each of these transaction stages and troubleshoot specific performance issues.

Steps to perform STM in Kentik:

1. Mimic the actions of your users as they would log into your application and perform a transaction.
2. Records these actions using the Chrome DevTools Recorder.
3. Open your Kentik account and create a new Transaction Test.
4. Paste the script exported from Chrome DevTools Recorder.
5. Select the agents (private or public) that you’d like to run the test from.
6. Run the test and analyze results.

Here is an example of a Transaction recorded on Chrome DevTools.

We can now export the Transaction script as a Puppeteer script and paste it into new Kentik Transaction script as below 

You can select any of our public Application agents to test from, and/or easily deploy your own private Application agents which we can supply (for Docker, x86 and ARM). STM tests can be set as both automatic and periodic on time intervals.

Presentation of Synthetic Test Monitoring Results

Results are presented on a timeline that shows transaction completion time. Performance is measured against dynamically calculated baselines and lags in performance are colored - orange is a warning, red is critical. 

Selecting a point on the line will indicate total completion time and the rolling standard deviation baseline. 

Screenshots captured during the transaction process provide insight into the script execution flow and aid in troubleshooting. 

The Waterfall tab shows the load order and load duration of each element in the Document Object Model (DOM) of every page visited.

Analyzing the results give us insights into how our users experience the performance of an application in real time from different geographies allowing us to proactively respond to user experience issues before they are reported by real users. When used in conjunction with Kentik's suite of network tests we can identify the root cause of performance issues as originating in the network or application stack within minutes.