[dns-operations] [DNSSEC] Looking for a zone verification tool
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Mar 1 20:50:54 UTC 2011
On Tue, Mar 01, 2011 at 02:12:45PM -0500,
David Blacka <davidb at verisign.com> wrote
a message of 44 lines which said:
> Do you have requirements for what sorts of DNSSEC errors that the
> tool can discover? Just bad/expired signatures? malformation of the
> NSEC3 chain? Missing signatures?
Also invalid NSEC* with respect to the actual RRtypes present (the
TYPE65534 BIND bug), something which is already tested by the tools I
mentioned.
> Policy violations?
It would be nice to have but, unlike all the other errors you mention,
this one cannot be discovered by checking the zone alone, you need a
language to express policies and someone to write the policy. So, I
would be happy to postpone it to version 2.0 of the tool :-)
In the end, I agree with Wolfgang Nagele: my concern is anything which
can make the zone invalid for a validating resolver, so we have to test
everything which may lead to a SERVFAIL.
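As an added illustration (not a tool from this thread, and not code from Stephane, BIND or any project named here), a toy checker over a constructed zone that flags the three zone-only error classes discussed above: missing RRSIGs, expired RRSIGs, and an NSEC type bitmap that disagrees with the RRtypes actually present at the owner. It assumes a zone with no delegations or wildcards, and parses only the RRSIG fields it needs (type covered and expiration).

```python
# Constructed sample zone in (owner, RRtype, rdata) presentation-like form (not real data).
# Assumption: no delegations or wildcards, so every non-RRSIG RRset must carry an RRSIG.
from collections import defaultdict
from datetime import datetime, timezone

RRSIG_OK = "8 2 3600 20991231000000 20110101000000 1 example.org. SIG"  # type covered is prepended
ZONE = [
    ("example.org.", "SOA", "ns1.example.org. host.example.org. 1 3600 900 1209600 300"),
    ("example.org.", "NS", "ns1.example.org."),
    ("example.org.", "DNSKEY", "257 3 8 KEYDATA"),            # fault: no RRSIG covers DNSKEY
    ("example.org.", "NSEC", "www.example.org. SOA NS DNSKEY RRSIG NSEC"),
    ("example.org.", "RRSIG", "SOA " + RRSIG_OK),
    ("example.org.", "RRSIG", "NS " + RRSIG_OK),
    ("example.org.", "RRSIG", "NSEC " + RRSIG_OK),
    ("www.example.org.", "A", "192.0.2.10"),
    ("www.example.org.", "AAAA", "2001:db8::10"),
    ("www.example.org.", "NSEC", "example.org. A RRSIG NSEC"),  # fault: bitmap omits AAAA
    ("www.example.org.", "RRSIG", "A 8 3 3600 20110201000000 20110101000000 1 example.org. SIG"),  # fault: expired
    ("www.example.org.", "RRSIG", "AAAA " + RRSIG_OK),
    ("www.example.org.", "RRSIG", "NSEC " + RRSIG_OK),
]
NOW = datetime(2011, 3, 1, tzinfo=timezone.utc)  # constructed "current time" for the expiry check

def check_zone(zone, now=NOW):
    """Return sorted findings that would make a validating resolver SERVFAIL on this zone."""
    types_at = defaultdict(set)   # owner -> RRtypes actually present
    signed_at = defaultdict(set)  # owner -> RRtypes covered by some RRSIG
    findings = []
    for owner, rrtype, rdata in zone:
        types_at[owner].add(rrtype)
        if rrtype == "RRSIG":
            fields = rdata.split()           # covered alg labels ttl expiration inception keytag signer sig
            covered, expiration = fields[0], fields[4]
            signed_at[owner].add(covered)
            exp = datetime.strptime(expiration, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            if exp <= now:
                findings.append(f"expired RRSIG over {owner} {covered} (expired {expiration})")
    for owner, present in types_at.items():
        for rrtype in sorted(present - {"RRSIG"} - signed_at[owner]):
            findings.append(f"missing RRSIG over {owner} {rrtype}")
    # The NSEC bitmap must list exactly the RRtypes at the owner, NSEC and RRSIG included (RFC 4034 s4.1.2).
    for owner, rrtype, rdata in zone:
        if rrtype == "NSEC" and set(rdata.split()[1:]) != types_at[owner]:
            findings.append(f"NSEC bitmap mismatch at {owner}: "
                            f"bitmap={sorted(rdata.split()[1:])} present={sorted(types_at[owner])}")
    return sorted(findings)

if __name__ == "__main__":
    print(*check_zone(ZONE), sep="\n")
```

A stray type in the bitmap (a type listed but absent from the owner) trips the same check as an omitted one, since the comparison is set equality in both directions.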