[dns-operations] [DNSSEC] Looking for a zone verification tool

Miek Gieben miek.gieben at sidn.nl
Tue Mar 1 15:26:22 UTC 2011

[ Quoting Stephane Bortzmeyer in "[dns-operations] [DNSSEC] Looking f"... ]
> With these requirements, I tested:
> * BIND named-checkzone: it does not seem to have any DNSSEC
> support. Fails requirement 3
> * Verisign <http://www.verisignlabs.com/dnssec-tools/>: works fine on
> a test zone that I rendered deliberately invalid, but crashes on .FR
> with an out-of-memory error. Fails requirement 4
> * OpenDNSSEC Auditor: off-topic because it does not test the zone in
> itself but its compliance to the local policy. Anyway, it runs forever
> with .FR. Fails requirement 4
> * ldns ldns-verify-zone: works fine on a test zone that I rendered
> deliberately invalid. Seems to run forever on .FR (which is signed
> with opt-out so has only 40 signatures). Twenty minutes of Intel Core
> 2 CPU and still running. Fails requirement 4
> Currently, I tend towards writing a new program in C, better
> optimized, with the ldns library
> <http://www.nlnetlabs.nl/projects/ldns/>. Advice?

I would very much like to work with you to see if we can get
ldns-verify-zone up to par for the .fr zone.


 Miek Gieben
 Technical Advisor SIDN
