approved.
I'd appreciate your similar feedback.
Frank
-Original Message-
From: Wessels, Duane [mailto:dwess...@verisign.com]
Sent: Friday, July 24, 2015 4:42 PM
To: Frank Bulk
Cc: dns-operati...@dns-oarc.net
Subject: Re: [dns-operations] Verifying that a recursor is performing D
It's been a while since you wrote about this, but I've attempted to implement
a nagios plugin along these lines.
https://github.com/verisign/check_recursive_validation
I believe it works the way you've described and would welcome any feedback.
DW
> On Jul 13, 2015, at 10:08 PM, Frank Bulk wrot
, 2015 10:03 AM
To: Frank Bulk
Cc: 'Livingood, Jason' ;
dns-operati...@dns-oarc.net
Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec
validation
On Tue, 21 Jul 2015 08:21:16 -0500 Frank wrote:
FB> Thanks. I found three on the Internet that are set up that way:
FB> sigfail.verteiltesysteme.net
FB> www.dnssec-failed.org
FB> rhybar.cz
FB> I'm using those in my script (randomly) for checking for that failure
FB> case.
The dnssec-tools test
There are various signed and deliberately broken zones at SIDNLabs workbench
with an explanation of the brokenness:
https://workbench.sidnlabs.nl/
- --
Antoin Verschuren
Tweevoren 6, 5672 SB Nuenen, NL
M: +31 6 37682392
xmpp:antoinverschu...@gmail.com
On 21 Jul 2015, at 16:04, Keith M
On 07/21/2015 07:48 AM, Edward Lewis wrote:
> Come to think of it, does DNS-OARC have a set of such zones? I have a
> vague memory that this may have been set up once. If not, might this be a
> good idea to provide? (Alongside other test services like reply size as
> described here: https://www.
ge-
> From: Livingood, Jason [mailto:jason_living...@cable.comcast.com]
> Sent: Tuesday, July 21, 2015 3:33 AM
> To: Frank Bulk ; dns-operati...@dns-oarc.net
> Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec
> validation
>
> And for one that is
iving...@cable.comcast.com]
Sent: Tuesday, July 21, 2015 3:33 AM
To: Frank Bulk ; dns-operati...@dns-oarc.net
Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec
validation
And for one that is always deliberately broken, for testing:
www.dnssec-failed.org
On 7/20/15, 10:13 PM, "
ed, that
>would
>be great as a control.
>
>Frank
>
>-Original Message-
>From: dns-operations [mailto:dns-operations-boun...@dns-oarc.net] On
>Behalf
>Of Frank Bulk
>Sent: Friday, July 17, 2015 12:51 AM
>To: dns-operati...@dns-oarc.net
>Subject: Re: [dns-oper
perati...@dns-oarc.net
>Subject: Re: [dns-operations] Verifying that a recursor is performing
>DNSSec
>validation
>
>I've completed writing the first iteration of a NAGIOS-oriented Perl
>script
>that does the checks I've described. It was actually more painful to get
that will never be signed, that would
> be great as a control.
>
> Frank
>
> -Original Message-
> From: dns-operations [mailto:dns-operations-boun...@dns-oarc.net] On Behalf
> Of Frank Bulk
> Sent: Friday, July 17, 2015 12:51 AM
> To: dns-operati...@dns-oarc.net
>
-operations-boun...@dns-oarc.net] On Behalf
Of Frank Bulk
Sent: Friday, July 17, 2015 12:51 AM
To: dns-operati...@dns-oarc.net
Subject: Re: [dns-operations] Verifying that a recursor is performing DNSSec
validation
I've completed writing the first iteration of a NAGIOS-oriented Perl script
that
Sorry, yes, recursive name server.
Frank
-Original Message-
From: Paul Vixie [mailto:p...@redbarn.org]
Sent: Friday, July 17, 2015 6:48 PM
To: frnk...@iname.com
Cc: 'Anand Buddhdev'; dns-operati...@dns-oarc.net
Subject: Re: [dns-operations] Verifying that a recursor is perform
i'm taking issue with your use of the term, 'recursor'.
if you mean 'recursive name server', please say so.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing lis
Anand,
Thanks, those are some good suggestions.
I don't think this will turn out into DNSViz or Verisign's DNSsec debugger, and
it's my intention that this NAGIOS check primarily is to verify that the DNS
resolver is configured for DNSsec validation, not to verify that any one zone
is healthy
On 17/07/15 07:51, Frank Bulk wrote:
> I've completed writing the first iteration of a NAGIOS-oriented Perl script
> that does the checks I've described. It was actually more painful to get
> the Net:DNS:DNSsec Perl module installed than anything else.
I haven't seen your script, of course, so I
I've completed writing the first iteration of a NAGIOS-oriented Perl script
that does the checks I've described. It was actually more painful to get
the Net:DNS:DNSsec Perl module installed than anything else.
We'll see how this works out in our environment.
Frank
-Original Message-
Fro
On 7/14/15, 1:08, "dns-operations on behalf of Frank Bulk"
wrote:
>Is there an existing tool, ideally a NAGIOS-friendly one, that performs a
>check against a resolver that it gets an AD back on DNSSec query for a
>zone
>that is properly signed, failure for one that is not properly signed, and
>no
tions] Verifying that a recursor is performing DNSSec
validation
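# Query the resolver with the AD bit set in the request and save the response
dig +adflag soa "$zone" @"$server" > tmpfile
grep -q "status: NOERROR" tmpfile || exit 1
# Print the response only when the resolver set the AD flag in its answer
grep -q "flags:[^;]* ad[^;]*;" tmpfile && cat tmpfile
exit 0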
add appropriate garbage collection
In message <004401d0bdf3$1460dfa0$3d229ee0$@iname.com>, "Frank Bulk" writes:
> Is there an existing tool, ideally a