[dns-operations] Implementation of negative trust anchors?
regnauld at nsrc.org
Tue Aug 27 19:15:02 UTC 2013
Carlos M. Martinez (carlosm3011) writes:
> I agree, triggering some script after certain events and condition zone acceptance to the result of the script is a nice approach. I like it.
This is the recommended approach for any zone production system, DNSSEC
or not. Content (truncated zones, premature end of file), logical (missing
NSes, broken SOA) or syntactical (5 byte IPv4 addresses. Really.), etc...
That's why validns was written in the first place (that, and checking
DNSSEC signatures). At every step (output from DB, pre-signature, post-
signature, etc), verify. Rollback otherwise (or just don't publish).
More information about the dns-operations