[dns-operations] Delegation checking (was: Re: Some DNSSEC trivia)

Joe Abley jabley at ca.afilias.info
Thu Jan 10 15:51:26 UTC 2008


On 10-Jan-2008, at 10:17, Paul Vixie wrote:

> i must have misstated.  i said "walk the tree from the root to itself" so
> i mean that as the owner of vix.com i'd check that the root's delegation to
> com matched(*) com's apex, and that com's delegation to vix.com matched(*)
> vix.com's apex, and that every server answered authoritatively and that the
> serial numbers were close(*).  i do not mean look for all delegations
> involving my server, just all the delegations that lead to my zones.

That's clear, thanks. The general idea seems like something I'd turn on, on
servers that I run.

I'd probably prefer it to be a script that runs out of cron and sends mail,
instead of a BIND9 option that creates a log message I would probably never
see.

Perhaps by "close" you could mean "are only different for periods less than
a specified threshold". A reasonable default threshold could be N * REFRESH,
for some small N. An e-mail address for notifications might be constructed
from the RNAME; a list of zones to check might be pulled from named.conf.


Joe
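The checks the two messages describe (parent delegation NS set versus child apex NS set, every server answering authoritatively, serials that have differed for longer than N * REFRESH, and a notification address derived from the SOA RNAME), written out as an added example that is not part of the thread or of BIND. It works over constructed observations so it runs offline; a cron script would fill the same records from real queries for each zone on the path from the root down to its own zone. The record types, finding codes and the `DelegationChecker` class are this example's own design.

```python
"""Delegation-consistency checks over constructed observations (no live DNS)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


def normalize_nsset(names: Iterable[str]) -> Set[str]:
    """Lower-case and add a trailing dot, so the parent's 'NS1.Example.COM'
    and the apex's 'ns1.example.com.' compare equal."""
    return {n.lower().rstrip(".") + "." for n in names}


def rname_to_email(rname: str) -> str:
    """SOA RNAME -> mailbox: 'hostmaster.example.com.' -> 'hostmaster@example.com'.
    A backslash-escaped dot stays in the local part ('john\\.doe.example.com.')."""
    name = rname.rstrip(".")
    local: List[str] = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):   # escaped character, keep literally
            local.append(name[i + 1])
            i += 2
            continue
        if ch == ".":                           # first unescaped dot splits local@domain
            return "".join(local) + "@" + name[i + 1:]
        local.append(ch)
        i += 1
    return "".join(local)


@dataclass
class ServerObservation:
    server: str            # NS name that was queried
    aa: bool               # AA bit set in its SOA answer
    serial: Optional[int]  # SOA serial it returned; None if it did not answer


@dataclass
class ZoneObservation:
    zone: str
    parent_ns: Set[str]    # NS names in the parent's delegation
    apex_ns: Set[str]      # NS names in the child's apex NS RRset
    servers: List[ServerObservation]
    refresh: int           # SOA REFRESH in seconds
    now: int               # time of this observation, epoch seconds


class DelegationChecker:
    """Stateful so that 'close' serials are judged by how long they have
    differed (Joe's reading), not by how far apart the numbers are."""

    def __init__(self, n_refresh: int = 3):
        self.n_refresh = n_refresh
        self.diverging_since: Dict[str, int] = {}   # zone -> first time serials differed

    def check(self, obs: ZoneObservation) -> List[Tuple[str, str]]:
        findings: List[Tuple[str, str]] = []
        parent, apex = normalize_nsset(obs.parent_ns), normalize_nsset(obs.apex_ns)
        if parent != apex:
            findings.append(("ns-mismatch",
                             f"parent-only={sorted(parent - apex)} apex-only={sorted(apex - parent)}"))
        for s in obs.servers:
            if s.serial is None:
                findings.append(("no-answer", s.server))
            elif not s.aa:
                findings.append(("not-authoritative", s.server))
        serials = {s.serial for s in obs.servers if s.serial is not None}
        if len(serials) > 1:
            since = self.diverging_since.setdefault(obs.zone, obs.now)
            limit = self.n_refresh * obs.refresh
            if obs.now - since > limit:
                findings.append(("serial-drift",
                                 f"serials {sorted(serials)} differ for {obs.now - since}s > {limit}s"))
        else:
            self.diverging_since.pop(obs.zone, None)   # converged again, reset the clock
        return findings


def report(zone: str, rname: str, findings: List[Tuple[str, str]]) -> str:
    """Mail body a cron job would send; empty string when there is nothing to say."""
    if not findings:
        return ""
    lines = [f"To: {rname_to_email(rname)}", f"Subject: delegation check for {zone}", ""]
    lines += [f"{code}: {detail}" for code, detail in findings]
    return "\n".join(lines)


if __name__ == "__main__":   # constructed sample run
    checker = DelegationChecker()
    obs = ZoneObservation("example.com.", {"ns1.example.com.", "ns2.example.com."},
                          {"NS1.example.com", "ns3.example.com."},
                          [ServerObservation("ns1.example.com.", True, 2008011001),
                           ServerObservation("ns2.example.com.", False, 2008011000)],
                          refresh=3600, now=1_200_000_000)
    print(report("example.com.", "hostmaster.example.com.", checker.check(obs)))
```

The checker is meant to be driven once per zone on the chain (root to com, com to the operator's zone) each cron run, persisting `diverging_since` between runs; `report` returns an empty string when a zone is clean, so the script only mails on findings.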
