I've been playing with OpenDNSSEC-2.0.1, compiled from scratch on a Gentoo box. I have three virtual servers. Server one is BIND with unsigned zones, pretending to be the Zone Generator. Server 3 is also running BIND, pretending to be a distribution master or "Master" name server. The Man in the middle (Bump on the wire) is running OpenDNSSEC and uses the DNS Adapters. As this is all testing, all my timing values are quite low. I'm using NSEC3, Opt-Out, etc.
Everything is humming along nicely. I've written a simple shell script to check the consistency of the signed zone vs the original unsigned zone. This is done by a "dig axfr" of the before and after zones, followed by various tests:

a) I look for differences between signed and unsigned zones (after removing DNSSEC Records)
b) I follow NSEC3 Chains, till I get back to the "start"
c) I make sure all secured delegations have NSEC3 records
d) I make sure that the signer is still re-signing by looking at the expire time of the "nearest" RRSIG records, bringing into the picture the current time and the values of Refresh and Resign...

If there is anything amiss, I get e-mail. So far, so good. I disable the signer every day or so for about 10 minutes to make sure the detection is working.

Much to my annoyance, OpenDNSSEC converts to lower case the Left Hand side of all zones (the name part, before the TTL). Can this modification of data be switched off? BIND-9.10 does not do that and I think it would be better behaviour if OpenDNSSEC followed suit. I'm well aware that there is no functional difference between DNS names with Upper and Lower case when looking them up, but I don't think signing software should be fiddling with it.

-- 
Mark James ELKINS - Posix Systems - (South) Africa
m...@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
_______________________________________________ Opendnssec-user mailing list Opendnssec-user@lists.opendnssec.org https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
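An added example (my own Python, not the shell script from the post) of checks a), b) and d) run over constructed dig-axfr style text, in which the signed copy shows the owner-name lowercasing the post describes; the comparison normalizes case so only real record changes are reported. It assumes one record per line as dig prints it, NSEC3 owners directly under the apex, and that the signer also rewrites the SOA serial (so the SOA is excluded from the diff).

```python
import calendar
import time

# Types the signer adds; dropped before the two zones are compared.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}

# Constructed sample AXFR output (not from the post); hashes and signatures are made up.
UNSIGNED = """\
Example.COM. 3600 IN SOA ns1.example.com. hostmaster.example.com. 101 3600 900 604800 300
WWW.Example.COM. 300 IN A 192.0.2.10
"""
SIGNED = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 102 3600 900 604800 300
example.com. 3600 IN RRSIG SOA 8 2 3600 20160915120000 20160901120000 12345 example.com. c2ln
www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN RRSIG A 8 3 300 20160914080000 20160901120000 12345 example.com. c2ln
a1b2c3.example.com. 300 IN NSEC3 1 1 10 ABCD D4E5F6 NS SOA RRSIG
d4e5f6.example.com. 300 IN NSEC3 1 1 10 ABCD A1B2C3 A RRSIG
"""

def parse(zone_text):
    """Split dig-axfr style lines into (owner, ttl, class, type, rdata fields)."""
    rows = (line.split(";")[0].split() for line in zone_text.splitlines())
    return [(f[0], f[1], f[2], f[3], tuple(f[4:])) for f in rows if f]

def zone_diff(unsigned, signed):
    """Records in one zone but not the other, ignoring DNSSEC types, the SOA (its serial is rewritten) and owner-name case."""
    def view(recs):
        return {(o.lower(), ttl, c, t, r) for o, ttl, c, t, r in recs
                if t not in DNSSEC_TYPES and t != "SOA"}
    return view(unsigned) ^ view(signed)

def nsec3_chain_closed(recs):
    """Follow the next-hash pointers: every NSEC3 owner is visited once and the walk returns to its start."""
    # NSEC3 rdata fields: hash-alg flags iterations salt next-hash [type bitmap]
    nxt = {o.split(".")[0].upper(): r[4].upper() for o, _, _, t, r in recs if t == "NSEC3"}
    start = cur = next(iter(nxt), None)
    seen = set()
    while cur in nxt and cur not in seen:
        seen.add(cur)
        cur = nxt[cur]
    return bool(nxt) and cur == start and len(seen) == len(nxt)

def rrsig_time(s):  # RRSIG YYYYMMDDHHMMSS (UTC) -> epoch seconds
    return calendar.timegm(time.strptime(s, "%Y%m%d%H%M%S"))

def nearest_rrsig_expiry(recs, now):
    """Seconds from 'now' (epoch) until the soonest RRSIG expires; alarm when below the Refresh window."""
    # RRSIG rdata fields: type alg labels origttl expiration inception keytag signer sig
    return min(rrsig_time(r[4]) - now for _, _, _, t, r in recs if t == "RRSIG")
```

With the signer stopped, `nearest_rrsig_expiry` only ever shrinks, which is what makes check d) a usable "is it still re-signing" alarm.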