[dns-operations] [DNSSEC] Looking for a zone verification tool

David Blacka davidb at verisign.com
Tue Mar 1 19:12:45 UTC 2011

On Mar 1, 2011, at 10:01 AM, Stephane Bortzmeyer wrote:

> Following two serious DNSSEC incidents (see
> <http://operations.afnic.fr/en/2011/02/18/study-and-action-plan-following-the-incident-with-validating-resolvers-on-12-february-2011.html>,
> a longer report will be delivered by Vincent Levigneron at the OARC
> workshop in San Francisco
> <https://www.dns-oarc.net/oarc/workshop-201103>), I am looking for a
> zone validation tool, able to take a signed zone in RFC 1035 format
> and tests that it is consistent. More specific requirments are:
> 1) runs on Unix
> 2) Free software (as in free speech, not as in free beer)
> 3) supports DNSSEC with all variants (NSEC3, opt-out, SHA2, etc)
> 4) allows for delegation zones of > 1 Mdomains, with at least 30 % of
> them signed

Do you have requirements for what sorts of DNSSEC errors that the tool can discover?  Just bad/expired signatures? malformation of the NSEC3 chain?  Missing signatures?  Policy violations?

> With these requirments, I tested:
> * BIND named-checkzone: it does not seem to have any DNSSEC
> support. Fails requirment 3
> * Verisign <http://www.verisignlabs.com/dnssec-tools/>: works fine on
> a test zone that I rendered deliberately invalid, but crashes on .FR
> with an out-of-memory error. Fails requirment 4

This is my tool.  I know it doesn't support very large zones, because it doesn't assume that the zone is in canonical order and tries to load it into memory to sort it.  And it is written in Java, so it's memory is bounded by what the VM is configured for.  It may be possible to make jdnssec-verifyzone work with a 64-bit JVM and some java command line settings (i.e., getting the JVM to have access to enough memory), but at that point, it might not be fast enough.  I don't know as I haven't tried.

David Blacka                          <davidb at verisign.com> 
Principal Engineer    Verisign Platform Product Development

More information about the dns-operations mailing list