[dns-operations] [DNSSEC] Looking for a zone verification tool

Jan-Piet Mens jpmens+dnsops at gmail.com
Wed Mar 2 11:56:19 UTC 2011


Wolfgang,

> Our general idea is a "zone transfer proxy" with which you can configure a
> certain set of trust anchors. It takes in a transfer on one end and only hands
> it out on the other end if it validates those trust anchors. This should allow
> deployment in pretty much any scenario.

+1 (or rather +100 :-) for that idea, as long as the proxy handles DNS
NOTIFY to transfer the zone (incoming) and can notify a zone's NS RRset
when it determines the zone is healthy for transfer to its slaves.

Regards,

        -JP




More information about the dns-operations mailing list