[dns-operations] Verifying that a recursor is performing DNSSec validation

frnkblk at iname.com frnkblk at iname.com
Wed Jul 15 08:57:42 UTC 2015


Mark,

Thanks. That does answer the first element, but not the other two.  I'll
pound out a shell script.

Frank

-----Original Message-----
From: Mark Andrews [mailto:marka at isc.org] 
Sent: Tuesday, July 14, 2015 1:29 AM
To: Frank Bulk
Cc: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec
validation


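# Ask the resolver for the zone's SOA with the AD bit set in the query.
dig +adflag soa "$zone" @server > tmpfile
# Anything other than NOERROR counts as a failure.
grep -q "status: NOERROR" tmpfile || exit 1
# Print the response only when the reply carries the ad flag.
grep -q "flags:[^;]* ad[^;]*;" tmpfile && cat tmpfile
exit 0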

add appropriate garbage collection

In message <004401d0bdf3$1460dfa0$3d229ee0$@iname.com>, "Frank Bulk" writes:
> Is there an existing tool, ideally a NAGIOS-friendly one, that performs a
> check against a resolver that it gets an AD back on DNSSec query for a zone
> that is properly signed, failure for one that is not properly signed, and
> nothing for one that isn't signed?
> http://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
> 
> I'd rather not re-invent the wheel if it already exists.
> 
> Regards,
> 
> Frank Bulk
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
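
Added example, not part of the thread and not either poster's code: one way to cover all three cases from the original question (AD for a properly signed zone, failure for a badly signed one, no AD for an unsigned one), reusing the flags test from the snippet above. The function names, the state names and the sample dig headers are constructed for illustration; the second query with `+cdflag` is an added step to tell a validation failure from an unreachable zone.

```sh
#!/bin/sh
# Added example, not from the thread. Sample dig headers below are constructed.
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Read dig output on stdin; print validated | insecure | servfail | error.
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            # Same flags test as the snippet in the message: AD set or not.
            if printf '%s\n' "$out" | grep -q 'flags:[^;]* ad[^;]*;'; then
                echo validated
            else
                echo insecure
            fi ;;
        SERVFAIL) echo servfail ;;
        *) echo error ;;
    esac
}

# Compare states, Nagios-style: return 0 = OK, 2 = CRITICAL, 3 = UNKNOWN.
nagios_check() {   # usage: nagios_check <expected> <actual> <zone>
    if [ "$2" = error ]; then echo "UNKNOWN - no usable answer for $3"; return 3; fi
    if [ "$1" = "$2" ]; then echo "OK - $3 is $2"; return 0; fi
    echo "CRITICAL - $3 is $2, expected $1"; return 2
}

# Live check: check_resolver <server> <zone> <validated|insecure|bogus>
check_resolver() {
    actual=$(dig +adflag soa "$2" "@$1" | classify_dig)
    if [ "$actual" = servfail ]; then
        # SERVFAIL alone is ambiguous. If the same query with checking
        # disabled (CD bit set) succeeds, validation is what failed.
        if dig +cdflag soa "$2" "@$1" | grep -q 'status: NOERROR'; then
            actual=bogus
        else
            actual=error
        fi
    fi
    nagios_check "$3" "$actual" "$2"
}

# Offline demonstration on a constructed sample.
printf '%s\n' "$SAMPLE_SIGNED" | classify_dig
```

For monitoring, call `check_resolver` once per test zone with the state that zone is expected to be in, and use its return status as the plugin exit code.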




