[dns-operations] Online DNSSEC debugging tool now availalbe

George Barwood george.barwood at blueyonder.co.uk
Fri Jul 16 13:23:07 UTC 2010

Agreed, it is a nice tool.


I notice that when "More detail" is clicked, it shows verification attempts where the KeyTag does not match, e.g.

RRSIG=754 and DNSKEY=55799 does not verify the DNSKEY RRset (Verification of RSA string generated error: Signature longer than key)

This seems to imply the KeyTag is not being checked before attempting to verify the signature.

Also, it hardly seems worth reporting this.


----- Original Message ----- 
From: "Roy Arends" <roy at dnss.ec>
To: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
Cc: <dns-operations at mail.dns-oarc.net>; "Duane Wessels" <dwessels at verisign.com>
Sent: Friday, July 16, 2010 11:10 AM
Subject: Re: [dns-operations] Online DNSSEC debugging tool now availalbe

> On Jul 16, 2010, at 9:21 AM, Stephane Bortzmeyer wrote:
>> On Thu, Jul 15, 2010 at 03:15:12PM -0700,
>> Duane Wessels <dwessels at verisign.com> wrote 
>> a message of 15 lines which said:
>>> http://dnssec-debugger.verisignlabs.com
>> The third one, after <http://dnscheck.iis.se/> and
>> <http://www.zonecheck.fr/>, no ?
> I like Duane's little tool. Not quite as pedantic and noisy as the other online checkers.
> Well done Duane.
> Roy
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list