Thanks. I found three on the Internet that are set up that way: sigfail.verteiltesysteme.net www.dnssec-failed.org rhybar.cz I'm using those in my script (randomly) for checking for that failure case.
Frank -----Original Message----- From: Livingood, Jason [mailto:jason_living...@cable.comcast.com] Sent: Tuesday, July 21, 2015 3:33 AM To: Frank Bulk <frnk...@iname.com>; dns-operati...@dns-oarc.net Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec validation And for one that is always deliberately broken, for testing: www.dnssec-failed.org On 7/20/15, 10:13 PM, "Frank Bulk" <frnk...@iname.com> wrote: >Does anyone have an zone that will always remain unsigned? >verteiltesysteme.net is going to make one, but if there was a second >organization that could provide a zone that will never be signed, that >would >be great as a control. > >Frank > >-----Original Message----- >From: dns-operations [mailto:dns-operations-boun...@dns-oarc.net] On >Behalf >Of Frank Bulk >Sent: Friday, July 17, 2015 12:51 AM >To: dns-operati...@dns-oarc.net >Subject: Re: [dns-operations] Verifying that a recursor is performing >DNSSec >validation > >I've completed writing the first iteration of a NAGIOS-oriented Perl >script >that does the checks I've described. It was actually more painful to get >the Net:DNS:DNSsec Perl module installed than anything else. > >We'll see how this works out in our environment. > >Frank > >-----Original Message----- >From: dns-operations [mailto:dns-operations-boun...@dns-oarc.net] On >Behalf >Of Frank Bulk >Sent: Tuesday, July 14, 2015 12:08 AM >To: dns-operati...@dns-oarc.net >Subject: [dns-operations] Verifying that a recursor is performing DNSSec >validation > >Is there an existing tool, ideally a NAGIOS-friendly one, that performs a >check against a resolver that it gets an AD back on DNSSec query for a >zone >that is properly signed, failure for one that is not properly signed, and >nothing for one that isn't signed? >http://docs.menandmice.com/display/MM/How+to+test+DNSSEC+validation > >I'd rather not re-invent the wheel if it already exists. > >Regards, > >Frank Bulk > > >_______________________________________________ >dns-operations mailing list >dns-operations@lists.dns-oarc.net >https://lists.dns-oarc.net/mailman/listinfo/dns-operations >dns-jobs mailing list >https://lists.dns-oarc.net/mailman/listinfo/dns-jobs > > >_______________________________________________ >dns-operations mailing list >dns-operations@lists.dns-oarc.net >https://lists.dns-oarc.net/mailman/listinfo/dns-operations >dns-jobs mailing list >https://lists.dns-oarc.net/mailman/listinfo/dns-jobs > > >_______________________________________________ >dns-operations mailing list >dns-operations@lists.dns-oarc.net >https://lists.dns-oarc.net/mailman/listinfo/dns-operations >dns-jobs mailing list >https://lists.dns-oarc.net/mailman/listinfo/dns-jobs > _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
