[dns-operations] Verifying that a recursor is performing DNSSec validation

Edward Lewis edward.lewis at icann.org
Tue Jul 21 11:48:07 UTC 2015


Come to think of it, does DNS-OARC have a set of such zones?  I have a
vague memory that this may have been set up once.  If not, might this be a
good idea to provide?  (Alongside other test services like reply size as
described here: https://www.dns-oarc.net/oarc/services/replysizetest)

(An idle suggestion.)

On 7/20/15, 22:13, "dns-operations on behalf of Frank Bulk"
<dns-operations-bounces at dns-oarc.net on behalf of frnkblk at iname.com> wrote:

>Does anyone have a zone that will always remain unsigned?
>verteiltesysteme.net is going to make one, but if there was a second
>organization that could provide a zone that will never be signed, that
>would be great as a control.
>
>Frank
>
>-----Original Message-----
>From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Frank Bulk
>Sent: Friday, July 17, 2015 12:51 AM
>To: dns-operations at dns-oarc.net
>Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec validation
>
>I've completed writing the first iteration of a NAGIOS-oriented Perl script
>that does the checks I've described.  It was actually more painful to get
>the Net:DNS:DNSsec Perl module installed than anything else.
>
>We'll see how this works out in our environment.
>
>Frank
>
>-----Original Message-----
>From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On Behalf Of Frank Bulk
>Sent: Tuesday, July 14, 2015 12:08 AM
>To: dns-operations at dns-oarc.net
>Subject: [dns-operations] Verifying that a recursor is performing DNSSec validation
>
>Is there an existing tool, ideally a NAGIOS-friendly one, that performs a
>check against a resolver that it gets an AD back on DNSSec query for a zone
>that is properly signed, failure for one that is not properly signed, and
>nothing for one that isn't signed?
>http://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
>
>I'd rather not re-invent the wheel if it already exists.
>
>Regards,
>
>Frank Bulk
>
>
>_______________________________________________
>dns-operations mailing list
>dns-operations at lists.dns-oarc.net
>https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>dns-jobs mailing list
>https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
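
The check asked for in the quoted thread (AD for a properly signed zone, failure for a badly signed one, nothing for an unsigned control zone), written as a Nagios-style plugin. This is an added example, not the Perl script mentioned in the thread; the three zone names are placeholders and the resolver address is taken from the command line.

```python
import socket, struct, sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes
SERVFAIL = 2

def build_query(name, qid=0x1234):
    """A/IN query with RD set plus an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    # OPT: root name, type 41, class = UDP size 4096, TTL field with DO (0x8000), no rdata
    opt = b"\0" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + qname + struct.pack("!HH", 1, 1) + opt

def parse_flags(response):
    """Return (rcode, ad_flag) from the 12-byte header of a DNS response."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", response[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0020)

def ask(resolver, name, timeout=3.0):
    """Send one UDP query to the resolver and return (rcode, ad_flag)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return parse_flags(s.recv(4096))

def evaluate(signed, bogus, unsigned):
    """Map three (rcode, ad_flag) results to a Nagios status and message."""
    if unsigned[0] != 0:
        return UNKNOWN, "control (unsigned) zone did not resolve"
    if unsigned[1]:
        return WARNING, "AD set for the unsigned control zone"
    if bogus[0] != SERVFAIL:
        return CRITICAL, "badly signed zone resolved: not validating"
    if signed != (0, True):
        return CRITICAL, "signed zone: expected NOERROR with AD"
    return OK, "resolver is validating"

if __name__ == "__main__":
    # Placeholder names: substitute zones you know to be signed, broken, unsigned.
    zones = ("signed.example.", "bogus.example.", "unsigned.example.")
    try:
        status, msg = evaluate(*(ask(sys.argv[1], z) for z in zones))
    except (OSError, ValueError, IndexError) as exc:
        status, msg = UNKNOWN, f"query failed: {exc}"
    print(("OK", "WARNING", "CRITICAL", "UNKNOWN")[status] + " - " + msg)
    sys.exit(status)
```

The unsigned zone is evaluated first so that an unreachable resolver or a general resolution failure is reported as UNKNOWN rather than being mistaken for a validation failure.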