On 7/14/15, 1:08, "dns-operations on behalf of Frank Bulk"
<dns-operations-boun...@dns-oarc.net on behalf of frnk...@iname.com> wrote:

>Is there an existing tool, ideally a NAGIOS-friendly one, that performs a
>check against a resolver that it gets an AD back on DNSSec query for a zone
>that is properly signed, failure for one that is not properly signed, and
>nothing for one that isn't signed?
>http://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation
>
>I'd rather not re-invent the wheel if it already exists.

For the positive, negative, neutral tests, there are people who have set
up testable zones.  However, if you really want to control your
environment (which I would recommend for testing that is NAGIOS-friendly),
I'd set up in-house zone-under-test subjects.  The "risk mitigation" load
is then shifted to making sure your test targets are always properly
configured (long-lived signatures, no key rotation, short TTL, etc., are
appropriate if you are just testing the mechanism).


_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
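
The positive/negative/neutral check discussed in this thread, written as a Nagios-style plugin. This is an added example, not code from either poster or from an existing tool. It assumes an IPv4 resolver address and a validating resolver that answers SERVFAIL for a badly signed zone; the function names and the state words `secure`, `bogus` and `insecure` are chosen here for illustration.

```python
#!/usr/bin/env python3
"""Nagios-style check: does a resolver validate DNSSEC for a test zone?"""
import socket
import struct
import sys

OK, CRITICAL, UNKNOWN = 0, 2, 3          # Nagios plugin exit codes
NOERROR, SERVFAIL = 0, 2                 # DNS RCODEs
AD_BIT, RD_BIT = 0x0020, 0x0100          # DNS header flag bits

def build_query(name, qid=0x1234):
    """SOA query with RD and AD set, plus an EDNS0 OPT record with DO=1."""
    header = struct.pack("!HHHHHH", qid, RD_BIT | AD_BIT, 1, 0, 0, 1)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".") if l) + b"\x00"
    question = qname + struct.pack("!HH", 6, 1)                 # SOA, IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)   # DO bit
    return header + question + opt

def parse_flags(response):
    """Return (rcode, ad) from the 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    flags = struct.unpack("!H", response[2:4])[0]
    return flags & 0x000F, bool(flags & AD_BIT)

def classify(response, expect):
    """Compare the response with the expected state of the test zone."""
    rcode, ad = parse_flags(response)
    seen = ("bogus" if rcode == SERVFAIL else
            "secure" if rcode == NOERROR and ad else
            "insecure" if rcode == NOERROR else f"rcode {rcode}")
    if seen == expect:
        return OK, f"OK: zone seen as {seen}"
    return CRITICAL, f"CRITICAL: expected {expect}, resolver says {seen}"

def check(resolver, name, expect, timeout=3.0):
    """Send the query over UDP and classify the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((resolver, 53))    # only accept replies from this peer
            s.send(build_query(name))
            return classify(s.recv(4096), expect)
        except (OSError, ValueError) as exc:
            return UNKNOWN, f"UNKNOWN: {exc}"

if __name__ == "__main__":               # usage: check.py RESOLVER ZONE EXPECT
    code, text = check(*sys.argv[1:4])
    print(text)
    sys.exit(code)
```

A SERVFAIL can also come from an unreachable zone, so the `bogus` target should be one whose only defect is its signatures.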
