[dns-operations] [DNSSEC] Looking for a zone verification tool

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Mar 1 15:01:06 UTC 2011


Following two serious DNSSEC incidents (see
<http://operations.afnic.fr/en/2011/02/18/study-and-action-plan-following-the-incident-with-validating-resolvers-on-12-february-2011.html>,
a longer report will be delivered by Vincent Levigneron at the OARC
workshop in San Francisco
<https://www.dns-oarc.net/oarc/workshop-201103>), I am looking for a
zone validation tool, able to take a signed zone in RFC 1035 format
and test that it is consistent. More specific requirements are:

1) runs on Unix
2) Free software (as in free speech, not as in free beer)
3) supports DNSSEC with all variants (NSEC3, opt-out, SHA2, etc)
4) allows for delegation zones of > 1 Mdomains, with at least 30 % of
them signed

With these requirements, I tested:

* BIND named-checkzone: it does not seem to have any DNSSEC
support. Fails requirement 3

* Verisign <http://www.verisignlabs.com/dnssec-tools/>: works fine on
a test zone that I rendered deliberately invalid, but crashes on .FR
with an out-of-memory error. Fails requirement 4

* OpenDNSSEC Auditor: off-topic because it does not test the zone in
itself but its compliance to the local policy. Anyway, it runs forever
with .FR. Fails requirement 4

* ldns ldns-verify-zone: works fine on a test zone that I rendered
deliberately invalid. Seems to run forever on .FR (which is signed
with opt-out so has only 40 signatures). Twenty minutes of Intel Core
2 CPU and still running. Fails requirement 4

Currently, I tend towards writing a new program in C, better
optimized, with the ldns library
<http://www.nlnetlabs.nl/projects/ldns/>. Advice?
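A structural checker of the kind the post asks for, added here as an example that is not from the post or from any of the tools it names: it parses a simplified RFC 1035 zone (fully-qualified owner names, one record per line, no $ORIGIN or parentheses, NSEC rather than NSEC3), reports RRsets that lack a covering RRSIG, and walks the NSEC chain to confirm it closes over every owner name. The zone text is constructed; the signature fields are placeholders and are not cryptographically verified.

```python
from collections import defaultdict
# Constructed sample zone (not real data). Signature fields are placeholders:
# this checker tests structural consistency only, not the cryptography.
SAMPLE_ZONE = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2011030101 7200 3600 1209600 3600
example. 3600 IN NS ns1.example.
example. 3600 IN RRSIG SOA 8 1 3600 20110401000000 20110301000000 12345 example. SIG==
example. 3600 IN RRSIG NS 8 1 3600 20110401000000 20110301000000 12345 example. SIG==
example. 3600 IN NSEC ns1.example. NS SOA RRSIG NSEC
example. 3600 IN RRSIG NSEC 8 1 3600 20110401000000 20110301000000 12345 example. SIG==
ns1.example. 3600 IN A 192.0.2.1
ns1.example. 3600 IN RRSIG A 8 2 3600 20110401000000 20110301000000 12345 example. SIG==
ns1.example. 3600 IN NSEC www.example. A RRSIG NSEC
ns1.example. 3600 IN RRSIG NSEC 8 2 3600 20110401000000 20110301000000 12345 example. SIG==
www.example. 3600 IN A 192.0.2.2
www.example. 3600 IN RRSIG A 8 2 3600 20110401000000 20110301000000 12345 example. SIG==
www.example. 3600 IN NSEC example. A RRSIG NSEC
www.example. 3600 IN RRSIG NSEC 8 2 3600 20110401000000 20110301000000 12345 example. SIG==
"""

def parse_zone(text):
    """Map owner name -> type -> list of rdata token lists (comments stripped)."""
    zone = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if line:
            name, _ttl, _cls, rtype, *rdata = line.split()
            zone[name.lower()][rtype.upper()].append(rdata)
    return zone

def check_zone(text):
    """Return a list of problems found; an empty list means the zone is consistent."""
    zone = parse_zone(text)
    problems, apex = [], next(n for n, rrsets in zone.items() if "SOA" in rrsets)
    for name, rrsets in zone.items():
        covered = {sig[0].upper() for sig in rrsets.get("RRSIG", [])}  # type-covered field
        for rtype in rrsets:
            if rtype != "RRSIG" and rtype not in covered:
                problems.append(f"{name}: {rtype} RRset has no RRSIG")
    # Walk the NSEC chain from the apex: it must visit every owner once and close at the apex.
    seen, cur = [], apex
    while cur not in seen:
        seen.append(cur)
        nsec = zone.get(cur, {}).get("NSEC")
        if not nsec:
            break
        cur = nsec[0][0].lower()  # next-owner-name field of the NSEC rdata
    if cur != apex or set(seen) != set(zone):
        problems.append(f"NSEC chain broken: walked {seen}")
    return problems
```

Because it stores only owner names, types and rdata tokens in plain dicts, the memory use grows linearly with the number of records rather than with the number of signatures to verify.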
