[dns-operations] [DNSSEC] Looking for a zone verification tool

Sebastian Castro sebastian at nzrs.net.nz
Tue Mar 1 21:29:55 UTC 2011 

On 03/02/2011 04:01 AM, Stephane Bortzmeyer wrote:
> Following two serious DNSSEC incidents (see
> <http://operations.afnic.fr/en/2011/02/18/study-and-action-plan-following-the-incident-with-validating-resolvers-on-12-february-2011.html>,
> a longer report will be delivered by Vincent Levigneron at the OARC
> workshop in San Francisco
> <https://www.dns-oarc.net/oarc/workshop-201103>), I am looking for a
> zone validation tool, able to take a signed zone in RFC 1035 format
> and tests that it is consistent. More specific requirments are:
> 
> 1) runs on Unix
> 2) Free software (as in free speech, not as in free beer)
> 3) supports DNSSEC with all variants (NSEC3, opt-out, SHA2, etc)
> 4) allows for delegation zones of > 1 Mdomains, with at least 30 % of
> them signed
> 
> With these requirments, I tested:
> 
> * BIND named-checkzone: it does not seem to have any DNSSEC
> support. Fails requirment 3
> 
> * Verisign <http://www.verisignlabs.com/dnssec-tools/>: works fine on
> a test zone that I rendered deliberately invalid, but crashes on .FR
> with an out-of-memory error. Fails requirment 4
> 
> * OpenDNSSEC Auditor: off-topic because it does not test the zone in
> itself but its compliance to the local policy. Anyway, it runs forever
> with .FR. Fails requirment 4
> 
> * ldns ldns-verify-zone: works fine on a test zone that I rendered
> deliberately invalid. Seems to run forever on .FR (which is signed
> with opt-out so has only 40 signatures). Twenty minutes of Intel Core
> 2 CPU and still running. Fails requirment 4
> 

Adding to your list, I tested YAZVS from Duane Wessels.

http://yazvs.verisignlabs.com/

It's written in Perl, but requires lots of memory with a zone smaller
than yours, so fails on requirement 4.

> Currently, I tend towards writing a new program in C, better
> optimized, with the ldns library
> <http://www.nlnetlabs.nl/projects/ldns/>. Advices?
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations


-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

More information about the dns-operations mailing list