<tt><font size=2>Rickard Bellgrim <rickard.bellgrim@iis.se> wrote
on 18/01/2010 12:06:51:<br>
<br>
> You could also load your signed zones into BIND or NSD, so that the zones are <br>
> available on your internal network. Then you can try to validate your zone by <br>
> using different tools like: </font></tt><a href="http://opensource.iis.se/trac/dnscheck"><tt><font size=2>http://opensource.iis.se/trac/dnscheck</font></tt></a><tt><font size=2> or <br>
> configuring a local resolver with the public KSK.</font></tt>
<br>
<br><tt><font size=2>Another tool to check a dnssec-enabled zone published
by a nameserver is the "monitor" program (in the OpenDNSSEC trunk).
An extract from the README file is listed below.</font></tt>
<br>
<br><tt><font size=2>Stephen</font></tt>
<br>
<br>
<br>
<br>
<br><tt><font size=2> ./dnssec_monitor.rb -z <zone> [options]</font></tt>
<br>
<br><tt><font size=2>where zone is the zone to be monitored. Additional options may be</font></tt>
<br><tt><font size=2>viewed by running:</font></tt>
<br>
<br><tt><font size=2> ./dnssec_monitor.rb -? </font></tt>
<br>
<br><tt><font size=2>(or -h, or --help)</font></tt>
<br>
<br><tt><font size=2>Additional options include:</font></tt>
<br>
<br><tt><font size=2> -n <ns1>[,<ns2>,<ns3>,...]</font></tt>
<br><tt><font size=2> --nameservers          Comma-separated list of nameservers to monitor for the zone.</font></tt>
<br><tt><font size=2>                        Defaults to the nameservers listed in the public DNS</font></tt>
<br><tt><font size=2> --kskwarn [n]          Warn if KSK RRSIG expiry is within n days. Defaults to 14</font></tt>
<br><tt><font size=2> --kskcritical [n]      Error if KSK RRSIG expiry is within n days. Defaults to 7</font></tt>
<br><tt><font size=2> --zskwarn [n]          Warn if the ZSK RRSIG expiry is within n days. Defaults to 3</font></tt>
<br><tt><font size=2> --zskcritical [n]      Error if ZSK RRSIG expiry is within n days. Defaults to 1</font></tt>
<br><tt><font size=2> --dwarn [n]            Warn if RRSIG expiry is within n days. Defaults to 3.</font></tt>
<br><tt><font size=2>                        Only useful when a list of domains to check is supplied</font></tt>
<br><tt><font size=2> --dcritical [n]        Error if RRSIG expiry is within n days. Defaults to 1.</font></tt>
<br><tt><font size=2>                        Only useful when a list of domains to check is supplied</font></tt>
<br><tt><font size=2> --ods [ods_location]   Load the OpenDNSSEC configuration files from this location and use</font></tt>
<br><tt><font size=2>                        values for InceptionOffset and ValidityPeriod from them. Otherwise,</font></tt>
<br><tt><font size=2>                        defaults will be used for these (3600 for InceptionOffset, 3600 for</font></tt>
<br><tt><font size=2>                        ValidityPeriod). OpenDNSSEC must have been installed on this system</font></tt>
<br><tt><font size=2>                        if this option is used</font></tt>
<br><tt><font size=2> --[no-]wilcard         NXDomain checks will be disabled if wildcards are enabled</font></tt>
<br><tt><font size=2> --names name1,name2,name3...</font></tt>
<br><tt><font size=2>                        List of names to check in the zone. Note that there must be no</font></tt>
<br><tt><font size=2>                        whitespace between the names</font></tt>
<br><tt><font size=2> --namefile file        Name of file containing list of names (and optional types) to check</font></tt>
<br><tt><font size=2>                        in the zone</font></tt>
<br><tt><font size=2> --zonefile file        Name of zone file to load list of names to check against zone</font></tt>
<br><tt><font size=2> --[no-]validation      Define whether to check parent DS records and validation from the</font></tt>
<br><tt><font size=2>                        root. Defaults to true</font></tt>
<br><tt><font size=2> --rootkey file         Configure the key for the signed root. Defines file to load root key</font></tt>
<br><tt><font size=2>                        from. Validation from root will not be tested if this is not configured</font></tt>
<br><tt><font size=2> --dlv                  Configure the location of the DLV service. Defaults to dlv.isc.org.</font></tt>
<br><tt><font size=2>                        DLV will only be used if dlvkey is set</font></tt>
<br><tt><font size=2> --dlvkey file          Configure the DLV key. Defines file to load DLV key from.</font></tt>
<br><tt><font size=2>                        DLV won't be used if this isn't set</font></tt>
<br><tt><font size=2> --hints hint1,hint2,hint3...</font></tt>
<br><tt><font size=2>                        Configure the root hints. Defines the servers to use as root.</font></tt>
<br><tt><font size=2>                        Note that there must be no whitespace between the names</font></tt>
<br><tt><font size=2> -l, --log [FACILITY]   Specify the syslog facility for results. Defaults to print to console</font></tt>
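<br>
<br><tt><font size=2>The KSK/ZSK warn and critical thresholds are the heart of the check the monitor performs. The Ruby sketch below is an added illustration of that expiry check, not code from dnssec_monitor.rb or OpenDNSSEC. It assumes RRSIGs are supplied in presentation format, treats a signature covering the DNSKEY RRset as a KSK signature and every other signature as a ZSK signature, uses the default thresholds from the README extract, and runs against constructed sample records with a fixed clock.</font></tt>

```ruby
# Added illustration of a KSK/ZSK RRSIG-expiry check in the spirit of dnssec_monitor.rb.
# Not the monitor's own code: the key-role rule, the sample records and the clock are assumptions.

# Default thresholds in days, as listed in the README extract (kskwarn/kskcritical, zskwarn/zskcritical).
DEFAULT_THRESHOLDS = {
  ksk: { warn: 14, critical: 7 },
  zsk: { warn: 3,  critical: 1 },
}.freeze

# Parse one RRSIG record in presentation format. Field order is
# owner ttl class RRSIG type-covered alg labels orig-ttl expiration inception keytag signer signature,
# and the expiration field is an absolute UTC timestamp YYYYMMDDHHMMSS.
def parse_rrsig(line)
  f = line.split
  raise ArgumentError, "not an RRSIG record: #{line}" unless f[3] == 'RRSIG'
  m = f[8].match(/\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\z/)
  raise ArgumentError, "bad expiration field: #{f[8]}" unless m
  y, mo, d, h, mi, s = m.captures.map(&:to_i)
  { owner: f[0], type_covered: f[4], key_tag: f[10].to_i, expiration: Time.utc(y, mo, d, h, mi, s) }
end

# Assumption: the DNSKEY RRset is signed by the KSK, every other RRset by the ZSK.
def key_role(rrsig)
  rrsig[:type_covered] == 'DNSKEY' ? :ksk : :zsk
end

# Map remaining lifetime to a status. "Within n days" is read as <= n, so an
# already-expired signature (negative days_left) is critical as well.
def classify(days_left, warn:, critical:)
  return :critical if days_left <= critical
  return :warn     if days_left <= warn
  :ok
end

# Check every RRSIG line against the thresholds for its key role.
def check_rrsigs(lines, now, thresholds = DEFAULT_THRESHOLDS)
  lines.map do |line|
    sig  = parse_rrsig(line)
    role = key_role(sig)
    days_left = (sig[:expiration] - now) / 86_400.0
    { owner: sig[:owner], type: sig[:type_covered], role: role,
      days_left: days_left.round(2), status: classify(days_left, **thresholds[role]) }
  end
end

# Worst status in the zone, the way a monitoring check would summarise it for an operator.
def overall_status(results)
  rank = { ok: 0, warn: 1, critical: 2 }
  results.map { |r| r[:status] }.max_by { |s| rank[s] } || :ok
end

# Constructed sample data: a fixed "now" and three RRSIGs whose signature field is a placeholder.
NOW = Time.utc(2010, 1, 18, 12, 0, 0)
SAMPLE_RRSIGS = [
  'example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20100201120000 20100118110000 11111 example.com. AAAA',
  'example.com. 3600 IN RRSIG SOA 8 2 3600 20100119000000 20100118110000 22222 example.com. AAAA',
  'www.example.com. 3600 IN RRSIG A 8 3 3600 20100125120000 20100118110000 22222 example.com. AAAA',
].freeze

if __FILE__ == $PROGRAM_NAME
  results = check_rrsigs(SAMPLE_RRSIGS, NOW)
  results.each do |r|
    puts format('%-9s %-16s %-7s %6.2f days left (%s)', r[:status], r[:owner], r[:type], r[:days_left], r[:role])
  end
  puts "overall: #{overall_status(results)}"
end
```

<tt><font size=2>With the sample data the DNSKEY signature has exactly 14 days left and lands on the KSK warn boundary, the SOA signature has half a day left and is critical under the ZSK thresholds, and the A record signature is fine; the zone as a whole reports critical, which is what the monitor's --zskcritical default of 1 day would produce.</font></tt>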