[dns-operations] [DNSSEC] Looking for a zone verification tool
Sebastian Castro
sebastian at nzrs.net.nz
Wed Mar 2 04:10:59 UTC 2011
On 03/02/2011 08:24 AM, Miek Gieben wrote:
> [ Quoting Stephane Bortzmeyer in "[dns-operations] [DNSSEC] Looking f"... ]
>> * ldns ldns-verify-zone: works fine on a test zone that I rendered
>> deliberately invalid. Seems to run forever on .FR (which is signed
>> with opt-out so has only 40 signatures). Twenty minutes of Intel Core
>> 2 CPU and still running. Fails requirement 4
>
> Looks like this hangs on figuring out what is glue.
>
> I think if you add an option (-d delegation only zone) which defines:
> all A/AAAA records which don't have the same owner name as the soa
> record are glue.
>
I took this idea, changed ldns-verify-zone and ran some benchmarks.
Tested with two zones with ~25000 delegations and one with ~350000
delegations, the -d option runs 20% faster.
On the small zones, it takes less than 1 minute to run, but on the big zone
it takes more than an hour, so it is still unacceptable.
The patch is attached.
> you can speed this up.
>
> grtz Miek
cheers,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
-------------- next part --------------
A non-text attachment was scrubbed...
Name: delegation-only.patch
Type: text/x-patch
Size: 996 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20110302/abdfa4f3/attachment.bin>
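
An added example, not the attached patch and not ldns code: the delegation-only glue shortcut proposed in the thread, next to a general zone-cut check, run over a constructed zone. All function names and the zone data are assumptions made for illustration; the zone deliberately holds one address record outside any delegation to show where the two rules disagree.

```python
# Constructed sample zone (not .FR data). ns1.example. is NOT under a delegation.
ZONE = """\
example.           SOA  ns1.example. hostmaster.example. 1 7200 3600 1209600 3600
example.           NS   ns1.example.
example.           A    192.0.2.1
ns1.example.       A    192.0.2.53
child.example.     NS   ns.child.example.
ns.child.example.  A    198.51.100.1
ns.child.example.  AAAA 2001:db8::1
"""

ADDRESS_TYPES = ("A", "AAAA")

def parse(zone_text):
    """Return (apex, [(owner, rtype), ...]) from 'owner type rdata' lines."""
    apex, records = None, []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        owner, rtype = fields[0].lower(), fields[1].upper()
        if rtype == "SOA":
            apex = owner
        records.append((owner, rtype))
    return apex, records

def glue_by_zone_cuts(apex, records):
    """General rule: address records at or below a delegation point."""
    cuts = {o for o, t in records if t == "NS" and o != apex}
    glue = set()
    for owner, rtype in records:
        if rtype not in ADDRESS_TYPES:
            continue
        labels = owner.rstrip(".").split(".")
        # Check the owner and every ancestor name against the set of cuts.
        if any(".".join(labels[i:]) + "." in cuts for i in range(len(labels))):
            glue.add((owner, rtype))
    return glue

def glue_delegation_only(apex, records):
    """Shortcut from the thread: any A/AAAA whose owner is not the SOA owner."""
    return {(o, t) for o, t in records if t in ADDRESS_TYPES and o != apex}

def misclassified(zone_text):
    """Records the shortcut treats as glue but the zone-cut rule does not."""
    apex, records = parse(zone_text)
    return glue_delegation_only(apex, records) - glue_by_zone_cuts(apex, records)

if __name__ == "__main__":
    print(sorted(misclassified(ZONE)))
```

A non-empty result means the zone is not strictly delegation-only, so a verifier using the shortcut would skip signature checks on authoritative address records.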