[dns-operations] Online DNSSEC debugging tool now availalbe
Chris Thompson
cet1 at cam.ac.uk
Tue Mar 1 16:31:04 UTC 2011
Duane,
I hope you are still receiving bug/infelicity reports on this
very useful checking utility.
>With todays conversion to a validatable root zone, I'm pleased to announce
>the availability of an online tool to assist in debugging DNSSEC issues:
>
>http://dnssec-debugger.verisignlabs.com
>
>Please give it a try if you have a chance. I'd be happy to receive your
>questions and feedback.
I have noticed that it gets confused about zone boundaries when a
parent and child zone are both served from the same nameserver(s).
Thus when looking up (say) 111.131.in-addr.arpa, it will (usually)
say that it can't find a DS record for "in-addr.arpa" in ".",
failing to realise that it should have been looking for one in
"arpa". If it chooses a root-server that is still serving
"in-addr.arpa" as well as "arpa", it may even say that it can't
find one for "131.in-addr.arpa" in ".", skipping two levels of
delegation.
--
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
More information about the dns-operations
mailing list