On Aug 27, 2013, at 8:27 AM, Joe Abley <jab...@hopcount.ca> wrote:

> I seem to think actually that all the prominent public failures near the root
> of the namespace have not been due to zones that were signed incorrectly, but
> rather botched rollovers, parent DS mismatch, accidental use of an old key,
> etc.

That is what most of the sad messages we have seen on the DNSSEC deployment list indicate.

> I've long wished for a more general facility where upon successful [AI]XFR I
> could shell out to an arbitrary local executable and do whatever checks I
> wanted before signalling with exit status that "this zone is ok to serve".
> With a bit of state held on disk about previous zones you could include some
> of those temporal checks and perhaps catch a few more problems.

...but not all of them.

--Paul Hoffman

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
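As an added illustration (not code from this thread or from any name server), here is the kind of post-transfer check the quoted wish describes, covering two of the failure classes named above: a parent DS that matches none of the zone's DNSKEYs, and an RRSIG made with a key tag that is no longer in the DNSKEY set. The DNSKEY RR below is constructed (4 bytes of fake key material, so the key-tag arithmetic can be followed by hand); the parent DS digests and the RRSIG key tags are assumed to be handed in by the caller, e.g. scraped from the zone and a DS query to the parent.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY RR (not a real key; 4 bytes of key material so the
# key-tag arithmetic can be followed by hand).
SAMPLE_DNSKEY = "example.test. 3600 IN DNSKEY 257 3 8 AQIDBA=="

def name_wire(name):
    """Owner name in canonical (lower-case) wire form, as used for DS digests."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def parse_dnskey(rr):
    """Return (owner, rdata bytes) from a presentation-format DNSKEY RR."""
    f = rr.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    key = base64.b64decode("".join(f[i + 4:]))
    return f[0], struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete alg 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """Digest-type-2 DS digest: SHA-256(owner wire form || DNSKEY rdata)."""
    return hashlib.sha256(name_wire(owner) + rdata).hexdigest().upper()

def zone_problems(dnskey_rrs, rrsig_key_tags, parent_ds_digests):
    """Return the reasons the zone must NOT be served (empty list = ok)."""
    keys = [parse_dnskey(rr) for rr in dnskey_rrs]
    tags = {key_tag(rd) for _, rd in keys}
    wanted = {d.upper() for d in parent_ds_digests}
    problems = []
    # Parent DS mismatch: at least one DS at the parent must point at a DNSKEY we publish.
    if not any(ds_sha256(o, rd) in wanted for o, rd in keys):
        problems.append("no DNSKEY matches any DS at the parent")
    # Old/withdrawn key: every RRSIG must name a key that is still in the DNSKEY set.
    for tag in sorted(set(rrsig_key_tags)):
        if tag not in tags:
            problems.append(f"RRSIG made with key tag {tag}, which is not in the DNSKEY set")
    return problems
```

A wrapper run from the transfer hook would print the returned list and exit non-zero when it is non-empty, which is the "this zone is ok to serve" signal the quoted text asks for.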