[dns-operations] Verifying that a recursor is performing DNSSec validation

Edward Lewis edward.lewis at icann.org
Wed Jul 15 11:54:00 UTC 2015

On 7/14/15, 1:08, "dns-operations on behalf of Frank Bulk"
<dns-operations-bounces at dns-oarc.net on behalf of frnkblk at iname.com> wrote:

>Is there an existing tool, ideally a NAGIOS-friendly one, that performs a
>check against a resolver that it gets an AD back on DNSSec query for a
>that is properly signed, failure for one that is not properly signed, and
>nothing for one that isn't signed?
>I'd rather not re-invent the wheel if it already exists.

For the positive, negative, neutral tests, there are people who have set
up testable zones.  However, if you really want to control your
environment (which I would recommend for testing that is NAGIO-friendly),
I'd set up  in-house zone-under-test subjects.  The "risk mitigation" load
is then shifted to making sure your test targets are always properly
configured (long-lived signatures, no key rotation, short TTL, etc., are
appropriate if you are just testing the mechanism).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4604 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20150715/8d0e049c/attachment.bin>

More information about the dns-operations mailing list