[dns-operations] Verifying that a recursor is performing DNSSec validation
Frank Bulk
frnkblk at iname.com
Sun Jul 26 05:24:55 UTC 2015
Thanks for sharing. I take a slightly different approach and also test that
an incorrectly signed zone comes back as SERVFAIL.
I just posted my 1.0 release of the plugin on the NAGIOS Exchange
(https://exchange.nagios.org/directory/Plugins/Network-Protocols/DNS) and it
will be visible once approved.
I'd appreciate your similar feedback.
Frank
-----Original Message-----
From: Wessels, Duane [mailto:dwessels at verisign.com]
Sent: Friday, July 24, 2015 4:42 PM
To: Frank Bulk <frnkblk at iname.com>
Cc: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec
validation
Its been a while since you wrote about this, but I've attempted to implement
a nagios plugin along these lines.
https://github.com/verisign/check_recursive_validation
I believe it works the way you've described and would welcome any feedback.
DW
> On Jul 13, 2015, at 10:08 PM, Frank Bulk <frnkblk at iname.com> wrote:
>
> Is there an existing tool, ideally a NAGIOS-friendly one, that performs a
> check against a resolver that it gets an AD back on DNSSec query for a
zone
> that is properly signed, failure for one that is not properly signed, and
> nothing for one that isn't signed?
> http://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
>
> I'd rather not re-invent the wheel if it already exists.
>
> Regards,
>
> Frank Bulk
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
More information about the dns-operations
mailing list