> On 11 Oct 2016, at 19.01, Mark Elkins <m...@posix.co.za> wrote: > > (Someone here must have done this) > > I've got the zones.. > > ZA > / | \ > org co web(.za) > > All sign just fine. My own checking tool plus tools like dnssec-verify > and validns pass the individual zones just fine. My copy of the ZA zone > also contains the DS records of my children. > > I'd like to somehow test the signature chain down from my ZA Zones > DNSKEY (Trust Anchor) to the SOA of one of the second levels - or even > the SOA of a child of one of the second levels. > > How could I do this? > Going "live" is not yet an option.
I think what you’re looking for is a pre-delated domain check in zonemaster. You can point to your test server, but have it evaluate as if it were already live. https://zonemaster.net Erwin _______________________________________________ Opendnssec-user mailing list Opendnssec-user@lists.opendnssec.org https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
