[dns-operations] [DNSSEC] Looking for a zone verification tool

Warren Kumari warren at kumari.net
Tue Mar 1 15:30:37 UTC 2011


Does Donuts (https://www.dnssec-tools.org/wiki/index.php/Donuts (and  
related)) not fit all of these requirements? I haven't tried it with a  
huge zone, but I think it might be happy...

W
On Mar 1, 2011, at 10:01 AM, Stephane Bortzmeyer wrote:

> Following two serious DNSSEC incidents (see
> <http://operations.afnic.fr/en/2011/02/18/study-and-action-plan-following-the-incident-with-validating-resolvers-on-12-february-2011.html 
> >,
> a longer report will be delivered by Vincent Levigneron at the OARC
> workshop in San Francisco
> <https://www.dns-oarc.net/oarc/workshop-201103>), I am looking for a
> zone validation tool, able to take a signed zone in RFC 1035 format
> and tests that it is consistent. More specific requirments are:
>
> 1) runs on Unix
> 2) Free software (as in free speech, not as in free beer)
> 3) supports DNSSEC with all variants (NSEC3, opt-out, SHA2, etc)
> 4) allows for delegation zones of > 1 Mdomains, with at least 30 % of
> them signed
>
> With these requirments, I tested:
>
> * BIND named-checkzone: it does not seem to have any DNSSEC
> support. Fails requirment 3
>
> * Verisign <http://www.verisignlabs.com/dnssec-tools/>: works fine on
> a test zone that I rendered deliberately invalid, but crashes on .FR
> with an out-of-memory error. Fails requirment 4
>
> * OpenDNSSEC Auditor: off-topic because it does not test the zone in
> itself but its compliance to the local policy. Anyway, it runs forever
> with .FR. Fails requirment 4
>
> * ldns ldns-verify-zone: works fine on a test zone that I rendered
> deliberately invalid. Seems to run forever on .FR (which is signed
> with opt-out so has only 40 signatures). Twenty minutes of Intel Core
> 2 CPU and still running. Fails requirment 4
>
> Currently, I tend towards writing a new program in C, better
> optimized, with the ldns library
> <http://www.nlnetlabs.nl/projects/ldns/>. Advices?
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>

--
Hope is not a strategy.
       --  Ben Treynor, Google




More information about the dns-operations mailing list