[dns-operations] Implementation of negative trust anchors?

Phil Regnauld regnauld at nsrc.org
Tue Aug 27 19:15:02 UTC 2013

Carlos M. Martinez (carlosm3011) writes:
> I agree, triggering some script after certain events and condition zone acceptance to the result of the script is a nice approach. I like it.

	This is the recommended approach for any zone production system, DNSSEC
	or not. Content (truncated zones, premature end of file), logical (missing
	NSes, broken SOA) or syntactical (5 byte IPv4 addresses. Really.), etc...
	That's why validns was written in the first place (that, and checking
	DNSSEC signatures). At every step (output from DB, pre-signature, post-
	signature, etc), verify. Rollback otherwise (or just don't publish).

More information about the dns-operations mailing list