[dns-operations] [DNSSEC] Looking for a zone verification tool

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Mar 1 20:50:54 UTC 2011

On Tue, Mar 01, 2011 at 02:12:45PM -0500,
 David Blacka <davidb at verisign.com> wrote 
 a message of 44 lines which said:

> Do you have requirements for what sorts of DNSSEC errors that the
> tool can discover?  Just bad/expired signatures? malformation of the
> NSEC3 chain?  Missing signatures?  

Also invalid NSEC* with respect to the actual RRtypes present (the
TYPE65534 BIND bug), something which is already tested by the tools I

> Policy violations?

It would be nice to have but, unlike all the other errors you mention,
this one cannot be discovered by checking the zone alone, you need a
language to express policies and someone to write the policy. So, I
would be happy to postpone it to version 2.0 of the tool :-)

In the end, I agree with Wolfgang Nagele: my concern is anything which
can make the zone invalid for a validating resolver so we have to test
everything which may lead to a SERVFAIL.

More information about the dns-operations mailing list