[dns-operations] Announcing the availability of 'validns', a DNS and DNSSEC zone file validator
Tony Finch
dot at dotat.at
Mon May 16 15:50:26 UTC 2011
Anton Berezin <tobez at tobez.org> wrote:
> I would like to announce the availability of 'validns'.
Cool!
I tried it out on the cam.ac.uk zone, which is signed and has nearly
200,000 records. I found a couple of bugs.
First, it doesn't support unknown RR types, such as TYPE65534 which BIND
uses to keep its signing state:
cam.ac.uk:12: invalid or unsupported rdtype type65534
validns: bitmap index out of range
I grepped out the TYPE65534 records (and RRSIG TYPE65534 and NSEC ... TYPE65534).
It then worked and produced a load of complaints.
Firstly, as expected, it complained about the existence of the RRSIG for the NSEC
record that I rudely stripped out:
cam.ac.uk-notype:11: cam.ac.uk. RRSIG exists for non-existing type NSEC
It also produced a lot of complaints about canonical order violations:
cam.ac.uk-notype:38: NSEC says www.accommodation.cam.ac.uk. comes after www.800.cam.ac.uk., but accommodation.cam.ac.uk. does
accommodation.cam.ac.uk is an empty non-terminal.
Statistics from running it on my workstation:
CPU: Intel(R) Core(TM)2 Duo CPU E8500 @ 3.16GHz (3158.75-MHz K8-class CPU)
records found: 198001
skipped dups: 1
record sets found: 147959
unique names found: 49422
delegations found: 13
nsec3 records: 0
not authoritative names, not counting delegation points:
10
validation errors: 276
signatures verified: 98802
time taken: 4.912s
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.
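
Added example (not part of the original message, and not validns code): a complaint of the same shape as the canonical-order one quoted above, reproduced on a constructed four-name zone. It orders names per RFC 4034 section 6.1 and shows that counting an empty non-terminal as a name that needs an NSEC produces the error, while checking only record-owning names does not. The function names, zone contents and NSEC chain are assumptions made for illustration.

```python
# Added example, not validns code. Names come from the error line quoted
# in the message; the zone contents and NSEC chain below are constructed.

def norm(name):
    return name.rstrip(".").lower()

def canonical_key(name):
    """RFC 4034 section 6.1: compare lowercased labels right to left as
    byte strings; a name that is a prefix of another sorts first."""
    return [label.encode("ascii") for label in reversed(norm(name).split("."))]

def empty_non_terminals(owners, apex):
    """Names below the apex that own no records but have descendants that do."""
    owned = {norm(o) for o in owners}
    apex_depth = len(norm(apex).split("."))
    ents = set()
    for name in owned:
        labels = name.split(".")
        for i in range(1, len(labels) - apex_depth):
            ancestor = ".".join(labels[i:])
            if ancestor not in owned:
                ents.add(ancestor)
    return ents

def nsec_violations(nsec_pairs, names):
    """Return (owner, next, skipped) for every name that sorts strictly
    between an NSEC owner and its next name. The last NSEC wraps to the apex."""
    found = []
    for owner, nxt in nsec_pairs:
        lo, hi = canonical_key(owner), canonical_key(nxt)
        for name in sorted(names, key=canonical_key):
            key = canonical_key(name)
            if (lo < key < hi) if lo < hi else (key > lo):
                found.append((norm(owner), norm(nxt), norm(name)))
    return found

# Constructed zone: every owner here is assumed to hold authoritative data.
APEX = "cam.ac.uk."
OWNERS = ["cam.ac.uk.", "800.cam.ac.uk.", "www.800.cam.ac.uk.",
          "www.accommodation.cam.ac.uk."]
NSEC_CHAIN = [("cam.ac.uk.", "800.cam.ac.uk."),
              ("800.cam.ac.uk.", "www.800.cam.ac.uk."),
              ("www.800.cam.ac.uk.", "www.accommodation.cam.ac.uk."),
              ("www.accommodation.cam.ac.uk.", "cam.ac.uk.")]

ENTS = empty_non_terminals(OWNERS, APEX)
# Treating the empty non-terminal as needing an NSEC reproduces the complaint.
NAIVE = nsec_violations(NSEC_CHAIN, set(map(norm, OWNERS)) | ENTS)
# Only names that own records belong in the chain (RFC 4035 section 2.3).
CORRECT = nsec_violations(NSEC_CHAIN, OWNERS)
```

NAIVE holds the single (owner, next, skipped) triple for accommodation.cam.ac.uk; CORRECT is empty.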